April, 2022 | Article
5 Things Your Law Firm Can do Right Now to Improve Cybersecurity
Cybersecurity may not come to mind as the most important aspect of running your business, but consider the following: it takes the lifetime of your business to build and maintain your firm's reputation, and a single cybersecurity incident can ruin it.
There are many challenges facing law firms today when it comes to cybersecurity. In many firms there is simply no clear understanding of what cybersecurity involves. In some, there is no budget for it at all. Many still believe that cybercriminals are not interested in attacking a law firm, but that couldn't be further from the truth.
For the smaller firms that believe they are unimportant to cybercriminals, they may want to review ID Agent’s SMB Cybersecurity statistics. Some key findings include:
- 2 out of 5 SMBs were the target of a ransomware attack
- 34% of data breaches involved internal resources
- the average ransomware payment in 2021 was $500,000
Other areas of concern highlighted include:
- Business email compromise rose by 14% overall in 2020 and up to 80% in some sectors, with the most common type of BEC scam being invoice or payment fraud.
- More than 60% of employees use the same password across multiple work and home applications.
- Supply chain attacks have increased by 78%. What are your suppliers doing to protect YOUR firm from a cyberattack?
If that isn't enough, the Solicitors Regulation Authority (SRA), the UK regulator of law firms, reviewed 40 firms in 2020 about their experiences with cybercrime. It found that 75% of the firms reviewed had been the target of a cyber attack, that half of them allowed unrestricted use of external storage media such as USB drives, and that 25% were not encrypting their laptops.
If all the above seems daunting, take heart. There are 5 things your firm can do right now to improve your cybersecurity posture without breaking the bank.
1. Use a Password Manager
The number one weakness that contributes to security breaches is weak passwords. Weak passwords are guessed by cybercriminals, or brute-forced with software, to gain access to systems. Password reuse, where a user uses the same password for multiple devices and applications, is just as serious: once a reused password has been exposed in one breach, cybercriminals try it against every other system they can find (so-called credential stuffing), and one leaked login becomes many.
One of the reasons users create weak passwords and reuse them is that nobody can memorize a different strong password for every system they need. A password manager solves this by storing all of a user's passwords in an encrypted database that is unlocked with a single strong master password (ideally protected by MFA, see point 2), so the user only has to remember one secret.
Most password managers will also generate strong random passwords for you and store them, and many will flag passwords that are reused across accounts. By ensuring every member of your firm uses a password manager, you protect your firm's data and network by giving every user a unique, strong password for every system.
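The two jobs a password manager does for you, generating a strong random password and spotting reuse across accounts, as an added example in Python (this is illustration code written for this article, not code from any password manager product). The sample vault and account names are constructed for the demonstration.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: letters, digits, and a small set of
# symbols that survives most password fields. 52 + 10 + 13 = 75 symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols.
    Each symbol contributes log2(alphabet_size) bits, so 20 characters from a
    75-symbol alphabet is about 125 bits, far beyond any brute-force budget."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Generate a password with the `secrets` CSPRNG (never the `random`
    module, whose output is predictable). Resample until the result contains
    at least one character of each class, so it also passes the complexity
    rules many systems still enforce."""
    if length < 12:
        raise ValueError("a generated password should be at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def find_reused_passwords(vault: dict) -> list:
    """Group account names that share a password. A password manager runs a
    check like this so that one leaked password cannot be replayed against
    every other account (credential stuffing)."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return sorted(sorted(accounts) for accounts in by_password.values()
                  if len(accounts) > 1)


# Constructed sample vault (hypothetical account names, not real credentials)
# showing the reuse problem described above: three sites share one password.
SAMPLE_VAULT = {
    "practice-management": "Summer2021!",
    "email": "Summer2021!",
    "court-efiling": "Summer2021!",
    "bank": "Q7m$2xLp9!vRw4Ka",
}

if __name__ == "__main__":
    print("reused across accounts:", find_reused_passwords(SAMPLE_VAULT))
    pw = generate_password(20)
    print("generated:", pw, f"(~{entropy_bits(len(pw)):.0f} bits)")
```

The reuse check compares passwords directly because it runs inside the unlocked vault; a real manager never sends the plaintext anywhere, and breach-lookup features compare hash prefixes instead.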
2. Implement Multifactor Authentication (MFA)
The easiest way to explain multifactor authentication is the phrase "something you know, something you have, and something you are." The something you know is your password. The something you have is a device only you hold, such as a hardware security key, a key fob, or the authenticator app on your mobile phone, which generates a one-time code that is only valid for a short window (typically 30 seconds) or approves a login with a tap. The something you are is literally you: a fingerprint, facial recognition, or some other biometric. MFA means requiring at least two of these, so a password alone is never enough.
The major benefits of implementing multifactor authentication are:
- Reduces password-only risk: even if someone steals or guesses your password, they still need the second factor
- Early warning: with app-based or push MFA you are notified when someone tries to sign in as you with your password (treat an unexpected prompt as a sign the password is already compromised, and never approve it)
- Significantly reduces the risk of unauthorized access to email, document management, and cloud services
- Gives you better control over who can access your data
According to Microsoft, enabling MFA blocks more than 99.9% of automated account-compromise attacks. Prefer an authenticator app or a hardware security key over SMS codes where the service allows it, and enable MFA first on email and remote access, the two accounts attackers go after most.
3. Mandate Cyber Awareness Training for All Firm Employees & Contractors
Cyber awareness training is a must in today’s connected workforce. It is just as important as new hire training, and the ongoing skills training that your staff may engage with regularly. Everybody who uses a computer at your firm, be they the receptionist or senior partner, needs to take cyber awareness training.
The goal of cyber awareness training is to ensure that staff
- Know what behaviors are expected of them and why, so they can make educated decisions when something unexpected happens
- Adopt a positive attitude towards cyber security, so they can be part of the solution rather than afraid to report a mistake
- Are aware of the cyber risks that are out there (phishing, invoice fraud, fake document-sharing links) and of the safeguards available within the firm, including who to tell when something looks wrong
The end goal is to turn your employees into a source of cyber strength rather than a cyber weakness.
4. Have Endpoint security in place
Endpoints are the devices through which your users access your firm's network and data. Examples include desktops, laptops, smartphones, tablets, servers, and even Internet-of-Things (IoT) devices. In many small organizations, a lot of sensitive data is stored directly on the endpoints rather than on a server.
That is why it is important to secure the endpoints: they are where malware of every kind, including ransomware, usually gets its first foothold, typically through a phishing email or a malicious download. In addition, working from home during the pandemic has increased the number of employees accessing firm resources from personal devices. Those personal devices also need endpoint protection, because an infected home laptop connected to your systems is an infected endpoint on your network.
There are numerous ways to protect your endpoints. Leveraging them all helps minimize the risk that a single endpoint becomes an open door to your firm. They include:
- Install endpoint protection software (anti-virus and anti-ransomware) on all endpoints, and make sure it reports centrally so you will know when it finds something
- Continuously patch and update all endpoints, including the operating system, browsers, and office software, to reduce exploitable vulnerabilities
- Use a defense-in-depth strategy on the endpoint by turning on the host firewall and any built-in protection systems (such as Windows Firewall, Windows Defender, and full-disk encryption like BitLocker or FileVault, which addresses the unencrypted laptops the SRA review found)
- Apply endpoint protection consistently across your network and keep an inventory of devices. If one device is overlooked, all your other efforts can be undone by that one device
- Consider following a Zero Trust approach
What is a zero trust approach? Zero Trust is a security framework requiring all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.
5. Know your data and back up that data regularly
Before you can back up any critical data, you need to know what data you have and where it is stored. Some best practices should also be followed to better secure that data:
- the principle of least privilege: grant people access only to the information they need for their role
- a defined process for restricting, disabling, or removing access when an employee changes roles or leaves the firm
- good data management practices, such as naming and cataloging conventions, so you know which matters and files are where
When it comes to backing up your data, one of the best methods to consider is the 3-2-1 rule: keep at least 3 copies of your data, on 2 different storage media, with 1 copy stored offsite and offline (or otherwise immutable, so it cannot be altered by anyone who gets into your network). You should also encrypt your backups; otherwise you are saving the bad guys a lot of time. Keep the encryption keys somewhere other than with the backups themselves. Remember that local backups are convenient for quick restores, but they are also the first thing ransomware goes after, including any backup drive left permanently connected. Finally, test your backups periodically by actually restoring files from them and checking the restored copies: a backup you have never restored from is not yet a backup.
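The "test your backups" step made concrete, as an added example written for this article (not a script from any backup product): each backup copy carries a manifest of SHA-256 digests of the files it was taken from, and a restore check re-hashes the copy and reports anything missing, altered, or unexpected. The demo builds a tiny constructed tree of sample "matter files", takes two copies, damages one the way a ransomware encryptor or a failing disk would, and verifies both. Encrypting the copies is assumed to be done by your backup tool and is not shown here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under `root` (path relative to root) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def back_up(source: Path, target: Path) -> Path:
    """Copy `source` into `target/data` and write the manifest beside it.
    The manifest is computed from the ORIGINAL files, so it records what
    the backup is supposed to contain, not whatever ended up on disk."""
    shutil.copytree(source, target / "data")
    manifest_path = target / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return manifest_path


def verify_restore(target: Path) -> list:
    """Re-hash the backup copy and compare it with the manifest. Returns a
    sorted list of problems; an empty list means every file is restorable."""
    expected = json.loads((target / "manifest.json").read_text())
    actual = build_manifest(target / "data")
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"modified: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed end-to-end run: returns (local_problems, offsite_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "matters"                        # constructed sample data
        (source / "smith-v-jones").mkdir(parents=True)
        (source / "smith-v-jones" / "brief.txt").write_text("constructed sample brief")
        (source / "retainer.txt").write_text("constructed sample retainer")

        local, offsite = tmp / "backup-local", tmp / "backup-offsite"
        back_up(source, local)
        back_up(source, offsite)

        # Damage the local copy only: one file overwritten, one deleted.
        (local / "data" / "retainer.txt").write_bytes(b"\x00encrypted-by-ransomware")
        (local / "data" / "smith-v-jones" / "brief.txt").unlink()

        return verify_restore(local), verify_restore(offsite)


if __name__ == "__main__":
    local_problems, offsite_problems = demo()
    print("local copy:  ", local_problems or "OK")
    print("offsite copy:", offsite_problems or "OK")
```

A manifest stored next to the data can be rewritten by the same attacker who rewrites the data, so keep a copy of each manifest (or a signed hash of it) with the offline copy or in a separate location, and run the check on a schedule rather than only when you already need the backup.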
Cybersecurity is critical to the health of any law firm. By following the five steps highlighted above, you will not only help protect your data, but it can help save you money and your reputation. The good news is that it isn’t too difficult or expensive to implement these steps.
For more information on implementing these 5 items in YOUR law firm, or to talk about any IT or cyber security related issues, please feel free to contact us any time, we look forward to the conversation! Remember, you don’t have to go on the cyber security journey on your own, QuickProtect is here to help when you need us!
As much as we are cybersecurity experts, we are also educators! Members of the QuickProtect team work with you and your team to stop security breaches and put preventative measures in place to protect against future breaches. We’ll also help you and your team learn to spot potential online dangers.