Recent cyberattacks, such as those involving the WannaCry and Petya ransomware, have shown the vulnerability of businesses around the world to IT intrusions. Cybersecurity threats are not going away, and law firms, which house important client data and information, have an especially big target on their backs.
In 2015, more than 62 percent of law firms reported a breach, according to a report by PwC. These breaches can quickly spiral out of control. Access to just one lawyer’s computer, for instance, can allow hackers to reach the law firm’s entire network and access valuable employee and client data — a digital pot of gold for cybercriminals. With access to client information, hackers can impersonate lawyers and target clients in an effort to engage in attacks such as wire-transfer fraud.
Now more than ever, it is important that law firms step up their defenses. Fortunately, there are actions law firms can take today to combat cybercriminals, prevent financial and public-relations disasters, and protect employees and clients.
Get control of devices
The use of non-standard devices, such as personal laptops or iPads, presents one of the biggest sources of trouble for law firms. To their credit, lawyers are extraordinarily hardworking, but this means that many opt to work on their personal computers in and out of the office.
This practice can be risky because internal IT teams are often unable to monitor personal computers and may not have an opportunity to update them with the latest security software. So, if a lawyer’s personal computer is compromised, hackers could conceivably rummage through it undetected, accessing documents and emails.
For these reasons, law firms need to make certain that all lawyers — even the most experienced and senior partners — work only on their company-issued computers. This allows the IT team to install and properly maintain anti-virus software, update patches, monitor suspicious activity and combat any threats as soon as they appear.
Stamp out unapproved RATs
Like non-standard devices, remote-access tools, such as LogMeIn, TeamViewer and GoToMyPC, can give rise to security concerns. Lawyers working remotely — even on a corporate laptop — may download a RAT to view files on a desktop computer in the office.
The trouble is that some RATs offer an easy avenue of entry for hackers. Further, RATs typically send credential information through email, making it easy for cybercriminals to capture those credentials and use them to break in. This can be compounded when a hacker breaks into one computer using a RAT and then gets to other computers on the same network. User-to-user traffic is not as closely monitored as user-to-internet or user-to-server traffic and even the best IT teams may not immediately notice the threat.
Remote access can be necessary, so law firms should ensure they have a single, standard, approved RAT that is used by the entire company and monitored by IT. Additionally, the IT team should immediately take action to explicitly block all other RATs from being used. If all lawyers are using the same tool, it is easier for IT to monitor and prevent cyberattacks.
Another common error many law firms make is putting vendors on the same network as their lawyers. It is common for breaches to come through vendors, and having them on the same network makes it much easier for hackers to access important corporate information.
Let’s say, for example, that a law firm’s elevator system is on the same network as the server that houses case files. If hackers get into the elevator system, they don’t have far to go to gain access to the law firm’s most important data and information.
The best solution is to segment vendors into their own, separate networks. There is no need for vendors to be using a network that houses confidential client information. While segmentation may take a bit of effort, it is necessary in order to minimize backdoor access points to the firm’s network.
Although the hope is that security policies and IT vigilance will prevent cyberattacks, firms also need to provide employees with the knowledge and skill needed to combat attacks. Law firms should regularly train employees on new attack methods, teaching them how to identify and report suspicious emails and how to respond in the event of an attack. There are many user-training programs that will teach lawyers what to look out for, how hackers break into computer systems, and what to do if they fall victim to an attack. Law firms can also distribute mock phishing emails to test employees’ awareness.
Additionally, law firms should always be prepared for the worst. All organizations should have an incident-response plan in place that takes effect should a cyberattack occur. The compliance officer role is increasingly best suited to be the initial point of contact in the event of a breach. This person can take charge during a cyberattack and work with lawyers, IT teams and others to stop an attack and begin a multipronged response that includes everything from forensic investigations to communications with clients and the press.
Law firms that establish strict companywide policies to minimize their vulnerability, insist on vigilance throughout their organization and ensure they are prepared using incident response plans will be more secure and ready to take on any cybersecurity threat.
Mark Shelhart is the director of incident response