Three Key Ways Law Firms Should Strengthen Cybersecurity

Storing confidential client information and sensitive documents electronically is a must for law firms. That makes them prime targets for hacking, which can lead to business development issues or even ethical violations, writes The Cybersecurity Law Report.

Here are three key ways law firms should improve their cybersecurity, from Sensei Enterprises VP and co-founder John Simek.

1) Be prepared for ransomware attacks. Ransomware attacks are "probably the most prevalent threat that we're seeing now," says Simek. Over the course of one month last year in NoVa alone, four law firms were hit with ransomware attacks.

How to prepare? Ensure that the firm's "backups are engineered properly to recover from a ransomware infection." That way, the firm can restore its data without having to pay the ransom. For larger firms, Simek recommends hardware-based (also called agent-based) backup solutions, which move data to a backup device via software.

If using a cloud backup, ensure that the firm can control the encryption key. Not all backup and cloud solutions will let users do that, says Simek. If users can't define what the encryption key is, that means the provider is able to decode the data stored in the cloud (as is the case with Microsoft's OneDrive and Apple iCloud).

"From an attorney’s perspective, the ability to define the encryption key is a crucial differentiator, and something they should look for in a cloud solution," says Simek.

2) Train employees against phishing attacks, which "make up a large percentage of threats." Having great technology will not prevent an attack—the key is to educate employees to recognize and not to click on malicious attachments or links.

Phishing attacks aren't all as obvious as the "Nigerian prince" scam. It's possible, for instance, for threat actors to snag information about court filings, which are public record, and send an email pretending to be the attorney of record sending an updated complaint on a certain case. The attorney receiving the email may see a familiar name and click on the attachment.

The training is worth it because it'll cost "so much more to clean up and recover from an infection, even if it's reputational damage," than it costs to train employees, says Simek.

Some law firms have actually sent out intentional phishing messages as tests to see how many folks click on them, and then used the test results to decide whether some employees need additional training.

3) Patch vulnerabilities and update software. "The No. 1 reason that firms get compromised is they are not applying patches," says Simek, and "the second reason is use of outdated software." Windows XP isn't supported, for instance, nor are Internet Explorer 10 and below.