Cyber attack crisis management for law firms
Law firms are unfortunately enticing prospects to cyber criminals, due to the high value transactions involved. A robust disaster recovery and business continuity plan are therefore imperative to safeguard against a cyber attack. Lawyer Checker specialise in risk mitigation for the legal sector and sadly know it is a case of when not if an attack may strike.
However, by planning with robust, tested strategies law firms can demonstrate their commitment to defence against ever evolving cyber threats. Here we explore how:
• Cyber criminals otherwise known as ‘threat actors’ have become even more opportunistic owing to the adaptation by most firms to allow for some element of home-working since the Covid pandemic hit. These ‘actors’ know the weakest element to exploit is human nature and so use all variety of methods to try and make illegal financial gains. Hackers are striking more than ever amidst the new homeworking / hybrid culture.
• Phishing attempts are becoming ever more sophisticated. Often criminals will scrape social media to add elevated focus to their phishing attempt.
• Individuals rather than the whole firm may be targeted. There have been instances when fraudsters threaten exposing sensitive material such as explicit pictures of the target’s family members unless they comply with the criminal’s demands. In most cases, no such images even exist.
• The data law firm’s hold is of high value and cyber criminals know this. By threatening that this information will be deleted or leaked, criminals can try to hold a firm to ransom.
• Reputational damage to a firm when a cyber attack happens is huge. Since GDPR regulations changed, such matters can not be dealt with privately, as all conveyancers have regulatory responsibility to report such matters within 72 hours of the attack. The confidence clients, insurers and lenders have in a firm can be permanently damaged in these scenarios.
• Financially a cyber attack can devastate a firm, not only against any threat or ransom but also through follow-up remediation.
• A cyber attack not only damages the firm but the mental wellness of employees and management. The ripple effect of the disaster can be widespread.
• Ensure your basic online security is fit for purpose. In reality, a lot of attacks are relatively low-tech and phishing attempts often rely upon people’s weaknesses. By educating staff members about the importance of security it can help protect against many common threats. For instance the vast majority of people use three main passwords across a multitude of on average 38 sites. Adopting a company password protocol to prevent this is an easy technique to adapt.
• Introducing two-factor authentication provides a higher level of security than methods that rely on single-factor authentication. Two-factor authentication methods generally rely upon the user providing a password as well as a second factor such as a specific code or biometric technological response.
• Giving staff greater systems access controls than they require to fulfil their role can increase hacking risk. Often staff may have enhanced access that they no longer require which can be exploited, so setting staff privileges to the minimum basis is recommended.
• Ensure all devices are patched as some applications have vulnerabilities that are no longer serviced so ensuring this is something your firm does regularly adds another layer of protection.
• Anti-malware software is created to protect IT infrastructure against malicious software (malware). Anti-malware programs scan your firm’s computer systems to prevent, detect and remove malware.
• ‘Exercise in a box’ is a table-top online tool from the Government’s National Cyber Security Centre which helps firms find out how resilient they are to cyber-attacks, practise their response and test their business continuity / disaster recovery plan in a safe environment.
• Always ensure a firm’s business continuity / disaster recovery plan is either printed and stored in a company safe or safely stored on a cloud system separate to the firm’s main infrastructure. So, in the unfortunate event of a cyber attack, you have access to your plans if your firm’s systems have otherwise been hijacked.
• Don’t be silenced when criminals make demands of you or your firm. They pray on vulnerability and exposing them and escalating it by telling others who could become victim is important.
• In the event of an attack, once you have clarity on what information has been breached you can have conversations with your regulator, clients and PII as applicable as per GDPR guidance. Firms are required to inform the Information Commissioner’s Office (ICO) within 72 hours of the firm becoming aware of a breach.
• Implement Cyber Essentials or Cyber Essentials Plus for your firm. Cyber Essentials, a government backed scheme, is the basic level of cyber security a firm should have to mitigate risks from over 80% of common cyber attacks. Cyber Essentials covers five key areas of vulnerability and is recommended by the National Cyber Security Centre for all businesses. Cyber Essentials Plus offers all the same benefits as Cyber Essentials plus an extra level of protection to your firm. Cyber Essentials Plus is independently assessed by one of our expert assessors who will perform an internal and external vulnerability scan as well as checking a sample size of devices to certify your security arrangements to Cyber Essentials Plus level.
Lawyer Checker is a risk mitigation specialist for the legal sector and can assist in implementing online security solutions for your firm. We already work with hundreds of solicitors and conveyancers everyday doing just that. Contact Mark Siwiec from our Cyber Team to take the next steps in defending your firm. Don’t become the next victim.
This article was submitted to be published by Lawyer Checker as part of their advertising agreement with Today’s Conveyancer. The views expressed in this article are those of the submitter and not those of Today’s Conveyancer.