Law firms face a greater threat of cyber attacks due to the client data they hold and the increasing availability of technology that facilitates such attacks.
The recent WannaCry ransomware attack has led to calls for all law firms to increase their cyber defense strategies to prevent both internal and external threats.
According to PwC, cyber attacks on law firms have increased by 60% in the past two years, with the most recent Natwest Legal Benchmarking survey finding that 24% of 269 law firms had experienced a fraud-related loss or cyber attack in the year ending April 2016.
Navigant and DigitalLaw UK have outlined some steps that all firms should be taking regardless of their size.
“Consider having an information security gap analysis to find out where the vulnerabilities are,” said Peter Wright, solicitor and managing director of Digital Law UK. “Then implement an advanced and persistent threat-detection system and have a “cyber wargame” so if D-Day happens, a plan will be in place.”
He also suggested firms should make an air-gapped PC available in a secure room, which can be used as a basis of operations to deal with the immediate aftermath of a cyber security breach. Firms should also ensure that they have good cyber liability insurance, although this will not cover everything.
John Boles, director of business consultancy at Navigant, suggested firms adopt the principle of least privilege by making sure that “employees or people who can access your system only have the access needed to do their job. If someone is leaving cancel their access immediately, but also if someone is moving jobs within the law firm, make sure they don’t take their previous access with them because they don’t need it.”
Associate director at Navigant, Ben Donnachie, said that companies “need to be training their people to be suspicious. If you receive emails that look odd, don’t start clicking on things. Anti-virus software isn’t completely effective, so don’t trust it. Know where your sensitive data is stored and put systems in place to protect it from any malicious attacks.”
“It’s a matter of time before all organizations are going to be breached,” Donnachie said. “Make sure your strategy is fit for purpose. Have an incident response plan, test it, and make sure it works.”
