Law firms have become an increasingly popular target for cybercriminals. As most client data is now collected and stored in a digital format, firms have had to step up their cyber security measures accordingly.
Despite this heightened vigilance, many law firms remain convinced that they are either too small or too obscure to attract the attention of hackers. But the rate at which small and mid-sized businesses of all types have been targeted in recent years has prompted the FBI to issue a warning about the dangers cybercrime poses to this group.
A likely explanation for this trend is that hackers are always on the lookout for an easy score, and smaller firms tend to take less effort to break into. A hacker may only be interested in stealing personal data from employees, or they could be searching for an entry point from which to infect a firm’s network with malware.
Firms with ties to corporate clients may face a higher level of risk. Other corporations with dubious morals, or even foreign intelligence agencies, are suspected of using hired hackers to steal corporate secrets and other valuable, sensitive information for their own gain. Whether these criminals are targeting firms on their own initiative or on behalf of another entity, it’s important to remember that hackers are always in search of data that can be leveraged for a financial payout.
Exact figures on how frequently these attacks occur are hard to come by. Most firms avoid announcing publicly that they’ve been hacked, out of self-interest: news of a data breach can do irreparable damage to a firm’s reputation, which is its greatest asset. But most are willing to admit that information security is a top priority, and a top area of investment within their overall IT infrastructure.
It’s become common practice for mid-sized US firms to require employees to sign off on in-depth privacy and compliance policies, and to certify that they are following these safeguards to the letter. Policies alone are not enough, however: the single greatest IT security weakness for any type of business is its staff.
A common tactic is phishing: a cybercriminal sends an infected link or attachment to an employee’s inbox and waits for a distracted or unsuspecting recipient to click on or open it, compromising that employee’s credentials and granting the hacker access to the firm’s network. Once inside, the hacker can use the compromised email account to contact attorneys higher up the chain and gain further access to sensitive data, or use it as a stepping stone to a larger firm, or even to the client themselves.
Once a cybercriminal is inside your network, they tend to stay there for a period of time, quiet and out of sight. The longer they can remain undetected, the more information and intelligence they can steal. A hacker can lurk inside a compromised network for months before being discovered.
Firms that rely primarily on technology for communication between staff and associates have started hiring White Hats – security experts who hack exclusively to test security measures – to purposely infiltrate their network. The best way to find out where your firm’s security weak points are is to have someone breach them, and it’s preferable that the individual doing the breaching has your best interests in mind. This type of security testing is often offered as part of an IT service package from a Managed Service Provider (MSP).
These tests have shown that, alongside phishing scams, the most common entry points for hackers are phone scams in which cybercriminals pose as IT staff to coax passwords out of unsuspecting marks, theft of laptops or mobile devices, or simply walking into the office and helping themselves to paperwork containing information they can use to their advantage.
This also speaks to a greater issue with the way data is shared between your employees. The use of portable storage devices such as USB sticks or personal portable hard drives should be limited, if not eliminated completely. Employees working remotely – either from home, or while travelling – should be accessing data from a virtual desktop, rather than directly from any type of storage or mobile device, including laptops. This will prevent a misplaced or stolen device from becoming a security risk.
These hacks have become so widespread that the best approach to IT security is to assume you have already been compromised and work from there. There are six basic steps a firm can take to step up its defenses from this starting point:
- Ensure staff in leadership roles are aware of threats, and the importance of staying vigilant. Having one or more senior partners responsible for IT security activities allows for more communication between IT personnel and upper management, and keeps security concerns from going unaddressed or falling to the wayside.
- Have antivirus and antimalware software installed that protects against known viruses. It’s vital that these programs are updated regularly and centrally managed.
- Update email spam filters continuously. As phishing scams remain a go-to for hackers, filters need to be kept current in order to effectively screen for and intercept suspicious emails.
- Run an analysis program that monitors systems and networks for unusual behaviors, activities, or programs. Also known as host-intrusion protection (HIP), these programs are designed to detect specially developed malware that evades conventional antivirus and antimalware software.
- Develop a Disaster Recovery Plan. This plan should include who needs to be notified if a breach occurs, and what actions need to be taken to minimize damage and disruption to the firm while still protecting your data and determining the source of the attack.
- Implement ongoing cyber threat awareness training. Every member of your staff, regardless of position, needs to be properly and continuously educated on the latest threats. Firm-wide awareness, achieved through training programs and best practices, is crucial. This will keep your security’s weakest link from becoming its Achilles’ heel.
Data Magic Inc. can help with implementing and maintaining each of these steps as part of a comprehensive IT security program. Just as your area of expertise is the law, ours is protecting firms like yours from the threat of a cyber-attack. Just this once, let someone else do the defending for you.