Lawyers, did you know that the Law Society of Ireland have released guidance on how to minimise your business risk of cyberattacks? A surprising number of law firms we speak to are not following all 7 points – and are therefore leaving themselves vulnerable.
The Law Society have publicised a number of legal industry data breaches in 2019, including one in which a law firm transferred €97,000 to cybercriminals. As an IT Services company, we personally have also seen a rise in law firms looking to increase their levels of IT security after a breach has occurred and cybercriminals have gained access to financial or confidential information. As with many aspects of life, when it comes to cybersecurity, prevention is better than cure. Following the Law Society Standard Practices now will reduce your business risk and make it less likely that you’ll experience issues. In this article we will discuss the Law Society ‘Standard Precautions’ and our suggestions for implementing them.
1. Secure your computer and keep it up to date
The key points in the ‘Standard Precautions’:
- All PCs, file servers and mail servers must be protected.
- All security products used must be business standard products. Consumer solutions are not adequate to protect your law firm’s computer systems.
- Every business should have a firewall.
- Your operating system and all other software should be updated regularly and ideally automatically when updates are available.
How you can implement:
- We recommend that all businesses have a core set of business-level security products: a firewall, anti-virus software, email security, data back-up and password management. Take a look at our article to find out more.
- In terms of updating software, we recommend that this is done automatically where possible – in a small law firm, everyone has full workloads and manually running computer updates will always fall to the bottom of the to-do list.
- Another solution is to use an IT Managed Services company. Good companies will include automatic updates for the solutions they support as part of a network support and network security service. You may still need to update any programmes not covered by your IT Support company.
2. Backups
The key points in the ‘Standard Precautions’:
- Regular backups should be taken, preferably on a daily basis.
- You should back up data in multiple locations, such as the cloud and an external portable drive.
- Regular checks should be made to ensure that your backup is working and integrity is maintained.
How you can implement:
- Purchase an online backup system that backs up to a server and the cloud.
- It is up to you whether you choose to check your backup yourself, or use a Managed Backup service from an IT provider, where they will check if for you. Again, you need to make an honest assessment of the resource in your business and how likely you will be to always check it on schedule.
3. Avoid Clicking Through Emails
The key points in the ‘Standard Precautions’:
- Avoid clicking on phishing emails by using the following precautions:
- Open and close each email individually, rather than flicking through them so that you can very authenticity before opening an email.
- Be skeptical of unexpected emails and especially attachments.
- Be especially aware of emails that look like they come from financial institutions. Do not click on any links from banks, you should open your bank’s website directly in your online browser and log in from there. Do not fill in online account or credit card details directly into an emailed link.
- You should also beware of unsolicited phone calls which appear to be from your bank. If in doubt, hang up and then phone your bank back on verified numbers.
How you can implement:
- The advice from the Law Society is all very valuable and should be implemented as best practice.
- However, we suggest that law firm owners supplement this with email security software. Realistically, lawyers can and should be alert to potential phishing scams – but examining each and every email is a time-consuming business, especially when your inbox is full. An email security software will do the majority of the work involved in flagging potentially suspicious emails and will examine emails in a depth (e.g. recency of domain creation) that your employees will not. Employees will still need to be alert to potential scams as per the Law Society guidelines. However, reducing the volume of phishing emails making it through to inboxes reduces the risks of making that one mistaken click and downloading malicious software.
4. Create a strong password
The key points in the ‘Standard Precautions’:
- A different password should be used for every account and changed regularly.
- Passwords should be strong with a mix of upper and lower case letters, numbers, and special characters. Consider using passphrases instead of passwords, for example: “androids dream of electric sheep” can be converted into a passphrase as “@NDR()!DSdmofecSH33P”.
- Avoid using common words or phrases and never use your name, initials or date of birth.
- Do not write down a list of passwords – either on paper or on your computer.
- When creating security questions, remember that the answers do not need to be factually true.
- Use a password manager if you are concerned about how to remember everything.
How you can implement:
- Unless you are confident that you can implement all of steps 1 – 5 in this list, we suggest that you skip ahead to step 6! Realistically, with the number of online accounts for personal and business reasons, unless you have a photographic memory you are unlikely to remember an entirely unique password for every one.
- If you change just one thing today, delete the list of password on your computer. If for some reason you are hacked, you are essentially giving cybercriminals the keys to your entire online environment.
5. Train employees
The key points in the ‘Standard Precautions’:
- Ensure that all employees are aware of the IT security precautions mentioned elsewhere in the document and follow best practice.
- Specifically educate employees on:
- The dangers of opening files from unknown sources.
- How to verify hyperlinks by hovering over the hyperlink and checking the file path before clicking.
How you can implement:
Thorough employee training on information security is vital for every law firm, no matter the size. The good news is that there is a lot of high quality, free cybersecurity training available that you can adapt for your business. You could also hire an IT Provider to run a cybersecurity training session.
6. Access/ Hardware/ Encryption
The key points in the ‘Standard Precautions’:
- Ensure that staff only have access to the files which they require access to.
- If a member of staff leaves the practice ensure that their account is closed and access rights are revoked, to prevent unauthorised access at a later date.
- Ensure that inappropriate websites cannot be accessed from the practice’s systems.
- Try to eliminate the use of USB sticks. Ensure that any removable devices are scanned for malware and that unapproved devices are not connected to the practice’s system.
- Try to minimise the use of email attachments.
How you can implement:
- Your case management system may have in-built access control that allows you to determine which employees can see files. Otherwise, you can find more manual ways of limiting access.
- A case management system can also help you to minimise the use of email attachments and removable devices internally, as you can store all of your documents centrally. However, it will probably not eliminate the need to email attachments to clients.
- A high quality firewall should also have the ability to block undesirable websites such as gambling websites. You can manually set up your firewall’s website policities, or work with your IT provider.
- We suggest that you have a defined process for those leaving your company. This means that it becomes a ‘tick box’ exercise rather than trying to remember every time if you’ve changed the password for a particular software!
7. Risk Management Policy
The key points in the ‘Standard Precautions’:
- Ensure that an appropriate risk management policy is in place. Ensure that staff are aware of the policy and that any breach of it is considered a disciplinary matter.
- Cybersecurity should be put on the agenda for every management meeting, including reviewing the effectiveness of procedures and how well staff are adhering to them.
- A plan should be in place for if a successful cyber attack does occur. This should include a plan for handling the practice and customers, to minimise the loss of trust.
How you can implement:
- Lawyers are (mostly) not IT experts, so it’s easy to put it to one side and focus on the business of running a law firm. However, if you do take the time to ensure that fundamental cybersecurity systems are in place and your employees are following them, you will reduce your level of risk and prepare yourselves for if the worst does happen.
Are You Following the Law Society’s ‘Standard Precautions’ for Cybersecurity?
If you don’t tick all of the boxes mentioned above, then now is a good time to start upgrading your cyber security! Whether you do it all yourself or decide to work with an IT provider, it is critical that you keep the sensitive information, client and financial data at the heart of your business secure.
If you need any help or advice, please just get in touch through our contact form.
