Cyber criminals are looking to invade your firm. Here’s what you should do
There’s no getting away from it: cyber criminals are stalking the internet and preying on the technologically vulnerable. Law firms are particularly at risk because they hold huge amounts of sensitive commercial and financial data, and intellectual property.
And lawyers are still not up to scratch when it comes to managing the risks posed by cyber criminals. The Law Society warned the profession last October that solicitors and law firms must make the development of staff skills and understanding of cyber security a priority. It launched a bespoke training package for solicitors for good measure.
So are you ready? We highlight four risks, and four ways to ensure you’re ready for battle.
- Ignorance: some lawyers like their lack of knowledge of the dangers. The less they know of the risks, the more easily they can evade responsibility. But there’s no place for burying your head in the sand when you’re working in a profession that places you under a legal obligation to comply with the Data Protection Act, and a duty of confidentiality to your client under the SRA Code of Conduct.
- Avoid a cover up: don’t brush a hacking incident or any other breach of online security under the carpet. No organisation is immune from cyberattack (think about Sony’s recent ordeal) and transparency is critical. In reality, attempts to cover up a breach are likely to lead to further, more serious breaches and can be a death sentence for a law firm. Apart from anything else, it’s a criminal offence to fail to report a breach.
- Password risks: rethink your password, particularly if it’s ‘123456’. You may chuckle at the stupidity of it, but this was the most common password in 2013 according to a new report, followed closely by – wait for it – ‘password’. Make your password problematic for hackers. Do you use your browser to store passwords? This is a highly risky practice and you should consider using a password manager instead. Browsers store passwords in plain text, which means they are not encrypted and are therefore easily accessible to others.
- Online activities outside work: take great care when sharing information on social media and other websites. It’s easy to let your guard down and release personal information online for everybody to see, when you wouldn’t countenance doing so in the office. If you use mobile devices for work purposes, check your firm’s BYOD policy, which will almost certainly require you to ensure it has security software installed.
- Get training: GCHQ says basic information risk management can prevent up to 80 per cent of attacks. The ‘pure’ IT side of cyber security involves highly technical stuff that’s enough to make even experienced technology lawyers’ eyes glaze over (ever heard of third-party vulnerability scans, penetration tests and malware scans?). However, being versed in the risks you may come across and the essentials of preparing for those risks will help protect your clients, you and your firm.
- Don’t underestimate your clients: practising law in the 21st century means the majority of the information passing between a law firm and its clients is exchanged electronically. Your clients invariably want to know that their personal, commercial and financial information is safe. Having ISO 27001 certification provides clients with reassurance that a firm is dealing securely with their information. Find out if your firm has this, and if not, take the opportunity to get your firm to apply.
- React immediately: if you suspect the firm’s IT has been breached, and client data has been hacked, act on it quickly. Notify the firm’s chief information security officer/compliance officer, if you have one.
- Get devices approved: it’s fun to have a shiny new tablet or iPhone, but if you’re going to use it at work, ensure it’s approved before you connect it to the firm’s systems or networks – even for remote working.
Cyber criminals are getting increasingly sophisticated by the day. Keeping up with them in every way might be unrealistic, but taking proactive steps is vital. NL
For detailed advice read the SRA’s risk resource, Spiders in the web: The risks of online crime to legal business.