32% of Spanish companies were victims of some type of cyberattack in 2016, according to the International Business Report from the consultancy Grant Thornton. That figure includes law firms, for which a cyberattack can mean serious trouble given the quantity of confidential information and personal data they manage.
How can law firms protect themselves against the risk of a cyberattack? In this post we outline 10 tips to avoid a cyberattack in your law firm.
This post is also available in Spanish.
Cyberattacks in law firms
Cyberattacks are already hitting law firms.
Recently, a variant of the Petya ransomware (the outbreak widely known as NotPetya) hit the law firm DLA Piper, which has offices in more than 40 countries. Four days after the attack, its lawyers were still unable to access their email.
And in the case of the leak of confidential documents known as the Panama Papers, Mossack Fonseca, the law firm from which the documents were taken, claimed that the cause was a cyberattack by a hacker based in Europe.
Although in this latter case it was never confirmed that the leak was the work of a cybercriminal, there is no doubt that law firms are vulnerable to cyberattacks. Suffering one can cause financial and material damage to your clients, and a reputational crisis for the firm.
32% of Spanish companies suffered a cyberattack in 2016, according to the consultancy Grant Thornton (source in Spanish: Expansión).
It's no secret that law firms handle and store confidential information and personal data from clients on their servers: financial history, criminal and medical records, intellectual property, court testimony, etc.
All of this material can be used for extortion, whether by stealing it or by holding it hostage, and ransomware makes the second option straightforward. This class of malware locks devices and encrypts the documents and files on them.
If your devices are infected and locked by this malicious software, you lose access to, and therefore control of, everything the encrypted files contain. To decrypt them, the attacker demands a ransom, usually in bitcoin. Paying does not guarantee that a working decryption key will be delivered, which is why the measures below emphasise prevention and recovery.
With that in mind, here are 10 tips for law firms to reduce the risk of becoming the victim of a cyberattack, whether ransomware or any other kind.
How to prevent a cyber attack in a law firm: 10 tips
Be aware of the risks
First, it's vital that the firm's management understands the risks of unmanaged or poorly managed cybersecurity, and dedicates resources to reducing them.
Conduct a cybersecurity risk assessment
Before deciding which procedures or tools to implement, you must perform a cybersecurity risk assessment. It's recommended to hire an external professional service to carry out this IT risk audit.
When you have the results, it will be easier to define what measures to implement and which ones are priorities.
Review your security policies
Once this external audit has been carried out, the security policies and procedures already in place should be reviewed. What are you doing right, what should be improved and what new measures should be implemented, given the results of the cybersecurity risk audit?
Select security programs
In addition to reviewing the security policies and procedures, review the software in use: operating systems, browsers, antivirus, etc.
Keep all of it patched and on current, supported versions. Unsupported software no longer receives security fixes. At the same time, ask whether each tool is still the right choice for the firm, rather than simply updating what happens to be installed.
Control access to information
It's essential to establish a policy for controlling access to information, starting with strong, unique passwords for every account. Ideally, the firm's systems should also require two-factor (or multi-factor) authentication, so that a stolen or guessed password alone is not enough to log in.
>> Related post: Is the two-step SMS authentication really safe?
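As an added example, not code from the original post, the following Python illustrates what this tip asks for: passwords stored only as salted hashes, a minimum length check, and a second factor in the form of a time-based one-time code (RFC 6238 TOTP), the kind an authenticator app generates rather than an SMS. The firm name, policy constants and user-record layout are assumptions for the illustration; the TOTP routine is checked against the RFC 6238 SHA-1 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Policy parameters assumed for this example (the post specifies none).
TOTP_STEP = 30           # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
ALLOWED_DRIFT = 1        # accept codes from one window either side (clock skew)
PBKDF2_ROUNDS = 600_000  # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 12
ISSUER = "ExampleFirm"   # hypothetical firm name shown in the authenticator app


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None) -> bool:
    """Check the submitted code against the current window and its neighbours."""
    now = int(time.time()) if at is None else at
    counter = now // TOTP_STEP
    ok = False
    for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
        # every window is evaluated, in constant time, so timing does not reveal which matched
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def enroll_user(username: str, password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Create a user record plus the otpauth URI an authenticator app scans at enrollment."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    totp_secret = totp_secret or secrets.token_bytes(20)  # 160-bit secret, as RFC 4226 recommends
    salt, digest = hash_password(password)
    uri = ("otpauth://totp/" + quote(f"{ISSUER}:{username}")
           + "?secret=" + base64.b32encode(totp_secret).decode().rstrip("=")
           + f"&issuer={ISSUER}&digits={TOTP_DIGITS}&period={TOTP_STEP}")
    return {"username": username, "salt": salt, "digest": digest,
            "totp_secret": totp_secret, "otpauth_uri": uri}


def login(record: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so a wrong password does not short-circuit the check."""
    pw_ok = verify_password(password, record["salt"], record["digest"])
    otp_ok = verify_totp(record["totp_secret"], code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo: enrol a user, then log in with the current code.
    user = enroll_user("alice", "correct horse battery staple")
    print(user["otpauth_uri"])
    print("login ok:", login(user, "correct horse battery staple", totp(user["totp_secret"], int(time.time()))))
```

In a real deployment the TOTP secret and password hash live in the user directory, codes already accepted within a window should be recorded so they cannot be replayed, and attempts should be rate-limited; none of that changes the verification logic above.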
Implement a backup policy
It's also important to have a backup policy that guarantees backups are taken frequently. Store them on secure servers that cannot be reached with the ordinary credentials used on the office network; otherwise ransomware that encrypts the file server can encrypt the backups too. Test periodically that the backups can actually be restored.
Limit the use of external devices
To minimize the risk of a cyberattack, limit the use of USB drives, as these devices are a common way for attackers to get into corporate systems.
If your way of working makes it very hard to restrict these devices, you should at least have response procedures ready for when an attack happens. This applies especially if the firm follows the BYOD (Bring Your Own Device) trend, including the personal mobile phones employees use to access company files.
Use secure data sharing systems
It is advisable to limit user access to the most sensitive information and to avoid sending it by email. To share files, use cloud solutions with strict security controls: encryption of the data in transit and at rest, and multi-factor authentication for access.
Revoke access from former employees
Any company should be very diligent in revoking the access rights of former employees, and promptly, especially after a dismissal for cause or an acrimonious departure. That includes VPN and remote access accounts, email and cloud logins, document-management systems and any shared credentials, which should be rotated.
Ongoing training in the prevention of digital risks
Lastly, focus on ongoing staff training about the risks of cybercrime and the procedures recommended to avoid it. Simulations can be run to practise identifying and handling threats such as spear-phishing, where opening a single email or attachment can cause a serious security breach.