Dealing with a cyber-attack can be eye-wateringly expensive, not to mention stressful, time-consuming and damaging for your reputation. Whilst cybercriminals are increasingly ingenious, they are also largely opportunists, which means there is a lot that law firms can do to protect themselves from an attack, as Stephen Brown of Lights-On Consulting explains.
Hackers deal in data and each piece of data has a value – from a solicitor’s username and password, through to the contact details of your clients. Data can be sold and re-sold, helping cybercriminals to build a better picture of your firm and its vulnerabilities. The motivation for cybercrime will generally fall into one of the categories described below.
Hackers target firms specifically for the work they do. For example, hackers may be interested in a firm with a list of celebrity divorce clients as there is money to be made from selling information to the tabloids. Firms strong in M&A work can be targeted by cybercriminals looking to influence share prices and we also see firms being targeted as they are part of the supply chain for a bigger business that is too well protected, so the hackers ‘get in’ via the law firm (colloquially known as “the soft underbelly”).
If your firm is involved in work that people may not agree with, you may be vulnerable to attacks by ‘hacktivists’. These hackers are generally motivated by social or political reasons, but the results for your firm can be just as devastating.
The vast majority of cybercriminals are, however, opportunists. In the same way that a burglar will be adept at spotting a house with a window left open, or a car parked on a dark street with valuables on display, hackers will target firms that are the easiest to break into. Your job is to encourage them to look elsewhere.
What can you do to encourage hackers to look elsewhere?
1. Make cybersecurity someone’s job outside of IT
Cybersecurity cannot be left to the IT team alone. Ideally, you need senior stakeholders from three key areas: technology, process and people. You should have a cyber response/information security team and ensure that this team regularly practises scenarios.
2. Get the cyber hygiene basics in place
If you haven’t already done so, get multi-factor authentication and vulnerability scanning in place. There is no longer any excuse not to have this set up and it will reduce your vulnerability significantly. Put in place a retention policy for emails as it will minimise damage if a hacker does get into your email. Review your password policies and make sure they are enforced for ALL staff. Close down accounts when people leave (would you let them keep a set of keys to the office?).
3. Regular cybersecurity reminders and training
Cybercriminals play on human vulnerability. Lockdown has meant that many people are busy, a bit more stressed than usual and probably working alone at home. This makes them much less likely to query an unusual email. Regular reminders about cybersecurity are essential, together with ensuring individuals know to report immediately if they have clicked on a link or been compromised in some way.
4. Reduce your ‘attack surface’
In straightforward terms, the more you have switched on in your system, the more you have to protect. It is a trade-off between functionality and risk, but make sure you know what is switched on by default in platforms such as Office 365 (cloud platforms generally switch everything on) and turn off anything you don’t need. For example, rules that allow auto-forwarding of emails, web access to your O365, or old email access mechanisms (called IMAP and POP3).
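One way to check those Office 365 settings and, after reviewing the output, switch them off, as an added PowerShell example that is not part of the article (it assumes the ExchangeOnlineManagement module is installed and that the account used has Exchange administrator rights; the `$Enforce` switch is a convention of this example, not a product setting):

```powershell
# Added example: audit the Office 365 items named above (IMAP/POP3, web access,
# auto-forwarding), then optionally turn them off. Assumes the
# ExchangeOnlineManagement module and Exchange admin rights.
# Leave $Enforce at $false until the audit output has been reviewed.
$Enforce = $false

Connect-ExchangeOnline

# 1. Mailboxes that still have the old IMAP/POP3 access mechanisms (or web access) on.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }
Write-Host "Mailboxes with IMAP or POP3 enabled: $(@($legacy).Count)"
$legacy | Select-Object DisplayName, ImapEnabled, PopEnabled, OWAEnabled | Format-Table

# 2. Inbox rules that forward or redirect mail elsewhere; these are worth a look
#    because a compromised mailbox is often used to quietly copy mail out.
$fwdRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress }}, Name, ForwardTo, RedirectTo
}
Write-Host "Forwarding/redirect inbox rules found: $(@($fwdRules).Count)"
$fwdRules | Format-Table

# 3. Whether the tenant allows automatic forwarding to external domains at all.
$remote = Get-RemoteDomain -Identity Default
Write-Host "External auto-forward allowed: $($remote.AutoForwardEnabled)"

if ($Enforce) {
    # Turn IMAP/POP3 off for existing mailboxes and for the plan new mailboxes inherit.
    $legacy | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    # Remove the forwarding/redirect rules listed in the audit.
    $fwdRules | ForEach-Object {
        Remove-InboxRule -Mailbox $_.Mailbox -Identity $_.Name -Confirm:$false
    }

    # Block automatic forwarding to external domains tenant-wide.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

Disconnect-ExchangeOnline -Confirm:$false
```

Web access (OWAEnabled) is shown in the audit but deliberately not switched off here, since removing it firm-wide is a business decision rather than a hygiene default.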
5. Identify the crown jewels in your data set – and prioritise their protection
When you get that phone call to tell you you’ve been hacked, where do your thoughts immediately go? What data are you most worried about losing? Financial data? Client data? HR data? The reality is that we can’t protect everything, so you need to identify the ‘crown jewels’ in your data set and build out a strategy to protect them.
6. Find out what data about your firm is for sale
Discovering how much of your data is for sale on the dark web can be terrifying – but it’s an important step in helping you to understand your firm’s risk profile.
7. Opt for the ‘principle of least privilege’
When it comes to software and systems access, you should set this on a user-by-user basis and only add access as you need to. Do all staff members need access to the practice management system for example? This is a key step in reducing your ‘attack surface’.
8. Segregate IT administrator and user accounts
Without segregation, if hackers can get into the IT manager’s emails, they can most probably hack the whole system. It’s a simple fix, but a critical one.
Alongside making your firm unattractive to cybercriminals, you also need a plan in case they do ‘get in’. We recommend these five steps in responding to a cyber-attack:
- Stay calm (easier said than done!). Inform your cyber response team.
- Contain it: work out what is going on and close the gap immediately. This might mean short-term drastic action such as stopping all email traffic or unplugging from the internet!
- Remediate: establish categorically how the hackers got in. Make sure you have clear evidence, and that the facts and the narrative align.
- Learn from it: what will you do next time to ensure it can’t happen again? Apply these lessons back into the business.
- Duty of care and reporting: know your obligations for reporting the incident and inform those involved or required.
You will probably need specialist skills to help you through these stages, so we would recommend having a partnership in place with an expert cyber adviser. A little bit like when the boiler packs up on a Sunday evening, it’s generally cheaper (and far less stressful) to call out your service company than it is to try and find an emergency plumber post-event.
The harsh reality is that almost every business will be hit at some point or in some way. Even a fairly ‘basic’ attack can cause major disruption to a business and cost many tens of thousands to put right, if you don’t have the appropriate cyber hygiene practices in place.
Get the basics right though, and you will reduce both the likelihood and the scale of damage from a serious cyber-attack.