Legal Business

Legal tech sponsored briefing: Law firms targeted by cyber criminals – six fundamental steps to being secure

Kaspersky; LB282 May 2018

In the wake of several high-profile attacks on law firms, Kaspersky Lab’s principle security researcher David Emm describes key ways firms can combat cyber crime

Cyber attacks are consistently making the news, with high-profile stories like NotPetya, WannaCry and Shadow Brokers seemingly taking place on a monthly basis. Businesses of all shapes and sizes are increasingly concerned about the impact that cyber crime may have on them. For law firms, the threat is particularly apparent and they are targeted for two key reasons.

The first is that law firms hold highly-sensitive data that has inherent value to other parties. The other reason is that firms are simply businesses that are connected to the internet and, as a result, are at risk of being included in extortion-like attacks, similar to the WannaCry ransomware attack.

The legal sector is an attractive target and it is dangerous for smaller firms to assume that only large, multinational firms are on criminals’ radars. While news of large-scale breaches at well-known firms may grab the headlines, small and medium-sized businesses remain the victims of many attacks and the least likely to fully recover afterwards. In fact, as many as 62% of cyber attacks target small businesses and the average cost of recovery from a single security incident is estimated to be £67,500.

Although partners increasingly understand the risks that cyber attacks pose to their businesses and clients, they can also struggle to implement the right solutions to help mitigate the threat.

Where to start?

The most important starting point on the road to securing your law firm is
the realisation that you are a potential target. Here are six steps law firms must
take to bolster their IT security:

1. Have a security strategy

Have an IT security policy that employees must follow, from passwords to customer privacy and data classification. Part of the strategy should also be to develop an annual audit and assessment plan that evaluates cyber security practices and identifies vulnerabilities.

2. Implement essential security practices

Most clients will expect a minimum level of security measures to be in place to protect their data. Can your firm show that it has processes for the blocking and tackling aspects of information security, such as patch management, virus protection, firewall configuration and intrusion detection?

3. Secure your data

Make regular data backups, record what is backed up and conduct tests frequently to ensure they are reliable. Encrypting all your sensitive data will also ensure that, should you fall victim to a cyber attack, client data will be that much harder for criminals to make sense of.

4. Access controls

Identify and classify client data within its environment and check that it restricts access to a need-to-know policy.

5. Training and education

Education on the risks associated with opening email attachments from unknown senders, or sharing large files via unsecure cloud services, is critical.

6. Outsource what you cannot do

Finally, if you think that your business might lack the resources (capital or human) to handle a task expertly, hire a partner with the knowledge that can.

Firms that view cyber security as an opportunity, by investing in the right protection, can demonstrate a renewed level of commitment to client security and make it a key part of business relationships. Though cyber attacks are constantly evolving and there will always be new trends to confront, those firms that invest in data security best practices by following these crucial steps have an opportunity to distinguish themselves from their competitors.

For more information, please contact:

Kaspersky Lab
2 Kingdom Street
London W2 6BD

T: 020 3549 3499

www.kaspersky.co.uk

To return to the Law Tech Focus menu, please click here.