The systems that need protecting from attackers are common to almost every law firm:
- Your document management system
- Your case management system
- Your filing system
- Printing management systems
- File sharing and collaboration
- Phone management systems
- Email. In many cases, if a hacker gains access to someone’s email they also gain access to all of the above, because the same username/password combination is usually reused everywhere and password resets for every other system land in the mailbox.
- Domain records. If someone gains access to your domain records, they gain access to all of your email, and few people ever think about that. If you own lawfirm.com and all your addresses end in lawfirm.com, then a hacker, a competitor or a foreign government that takes over lawfirm.com can change the domain’s MX records and start receiving every email sent to your people. From there they gain access to all your corporate systems, because the password-reset emails for every IT system now arrive in their hands. Domains are CRITICAL.
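A practical check for the domain-hijack scenario above is to record the DNS records that control your mail (MX, NS and the SPF TXT record) when they are known to be good, and compare them against what the domain currently answers. The script below is an added example and is not from the original article: the domain, hostnames and answer lines are constructed, and in practice the "current" answers would come from a DNS query such as `dig +noall +answer lawfirm.example MX` rather than the embedded string.

```python
"""Detect unexpected changes to the DNS records that control a firm's email.

Added example, not from the original article. An attacker with registrar
access redirects mail by changing MX records (and can loosen SPF by editing
the TXT record), so current records are diffed against a known-good baseline.
The domain, hostnames and records below are constructed for the example.
"""

# Known-good baseline, recorded when the domain was last verified (assumed).
BASELINE = {
    "MX": {(10, "mail.lawfirm.example."), (20, "mail2.lawfirm.example.")},
    "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
    "TXT": {'"v=spf1 mx -all"'},
}


def parse_records(text):
    """Parse 'dig +noall +answer'-style lines into {rtype: set(values)}."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        # Fields are: name ttl class type rdata...
        rtype = parts[3]
        rdata = parts[4:]
        if rtype == "MX":
            value = (int(rdata[0]), rdata[1].lower())   # (priority, host)
        elif rtype == "TXT":
            value = " ".join(rdata)                      # keep the quoted string
        else:
            value = rdata[0].lower()
        records.setdefault(rtype, set()).add(value)
    return records


def dns_drift(current, baseline=BASELINE):
    """Return a list of (rtype, 'added'|'removed', value) findings."""
    findings = []
    for rtype, expected in baseline.items():
        observed = current.get(rtype, set())
        for value in sorted(observed - expected, key=str):
            findings.append((rtype, "added", value))
        for value in sorted(expected - observed, key=str):
            findings.append((rtype, "removed", value))
    return findings


# Constructed answer section showing a hijacked mail flow: a new highest-
# priority MX pointing outside the firm and an SPF record loosened to allow it.
HIJACKED_ANSWERS = """
lawfirm.example. 3600 IN MX 5 mx.attacker-relay.example.
lawfirm.example. 3600 IN MX 10 mail.lawfirm.example.
lawfirm.example. 3600 IN MX 20 mail2.lawfirm.example.
lawfirm.example. 3600 IN NS ns1.registrar.example.
lawfirm.example. 3600 IN NS ns2.registrar.example.
lawfirm.example. 3600 IN TXT "v=spf1 mx include:attacker-relay.example -all"
"""

if __name__ == "__main__":
    for rtype, change, value in dns_drift(parse_records(HIJACKED_ANSWERS)):
        print(f"{rtype:3} {change:7} {value}")
```

Run on a schedule, any finding should page someone: a new MX host is exactly what mail interception looks like. The other half of the control is on the registrar side (registrar lock, a separate strong password and 2-factor authentication on the registrar account), which no script can substitute for.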
How these systems are protected varies from firm to firm, but here are six ways to improve your defenses against hackers:
Protect email access
You might think that protecting access to email is self-explanatory, but it is not. Yes, emails contain a lot of confidential information. But someone with unauthorized access to your email also gains access to your filing system, document management system, file sharing system, phone management system, printing management system and everything else in the firm, because the password resets for all of those arrive by email and the same credentials are typically reused. That is how IT infrastructure works almost everywhere, and law firms are no exception.
Security Awareness
A crucial element of your defenses is how well everyone is aware of the cybersecurity risks out there. All associates, interns and attorneys should know how dangerous it is to open a link that leads to a fake login form. It may look like an internal company page, and they need to know how to recognize a fake one. One group that is often overlooked here is the managing partners: because of their seniority, they usually get to skip mandatory security training. Exempting them from a security control is a critical strategic mistake. They are the most valuable targets, so they should receive the most, and the highest quality, security training instead.
Monitoring
Has anyone accessed your filing system from China on a given Saturday? If you cannot answer that question, you do not own your filing system, your DMS or your file sharing and collaboration systems. You have no control over your IT infrastructure, and someone else likely has control over it without your knowledge. At a minimum, every one of those systems should log who logged in, when, and from where, and someone should review logins that come from an unexpected country or outside working hours.
2-factor authentication
Some of the most technologically advanced companies in the world are moving away from their dependence on passwords. If you want to know why, take a look at this infographic: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Every organization in that list stored user passwords, and those passwords are now in the hands of attackers worldwide. What are the chances that someone, somewhere, used the same password as Managing Partner John Doe in your law firm? Pretty high. Guessing passwords, or simply trying leaked ones against your login pages (credential stuffing), is easy enough for teenagers to do, and they do it. Breaking password-only security is cheap, which is why you must use 2-factor authentication: with a second factor, a leaked or guessed password alone is not enough to log in. Prefer an authenticator app or a hardware security key over SMS codes where you can.
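To show what the second factor actually adds, here is the server-side check for the time-based one-time codes (TOTP, RFC 6238) that authenticator apps generate. This is an added example and not code from the original article; the secret is the published RFC 6238 test key, so the codes it produces can be checked against the RFC's own test vectors, and the step size, digit count and drift window are the common defaults, assumed here.

```python
"""Verify a time-based one-time password (TOTP, RFC 6238) on the server side.

Added example, not from the article. The code changes every 30 seconds and is
derived from a shared secret the attacker does not have, so a leaked or guessed
password alone no longer opens the account. RFC_SECRET is the RFC 6238
Appendix B SHA-1 test key; the 30-second step, 6 digits and +/-1 step drift
window are the usual defaults and are assumed here.
"""
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per code
DIGITS = 6
WINDOW = 1         # accept one step either side to absorb clock drift


def hotp(secret, counter, digits=DIGITS, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, window=WINDOW):
    """Constant-time comparison against the current step and +/- window steps."""
    at = time.time() if at is None else at
    counter = int(at) // STEP
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), submitted):
            return True
    return False


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B SHA-1 test key

if __name__ == "__main__":
    # With digits=8 these reproduce the RFC 6238 SHA-1 test vectors.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC_SECRET, at=t, digits=8))
```

Two details matter in production and are easy to get wrong: the comparison must be constant-time (`hmac.compare_digest`, not `==`), and a code that has been accepted once must be rejected if replayed within the same step, which requires remembering the last used counter per user.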
Don’t rely on your antivirus
All it takes to understand how reliable antivirus programs are is a simple Google search for “bypass av”. Anyone who can use Google can bypass your antivirus, no matter the vendor, brand or marketing claims. Instead, build systems that block unknown or unauthorized programs from running at all, for example application allowlisting such as Windows AppLocker or Windows Defender Application Control, so that only approved software can execute on your machines.
Trusting your IT team or outsourced provider for security is a recipe for disaster
Your IT department, whether in-house or outsourced, is good at building IT systems and maintaining them. Many have noticed that cybersecurity is profitable and have started selling antivirus programs, firewalls and IDS/IPS (intrusion detection and prevention) systems as well.
Remember that every company breached in the past had that same combination of antivirus and firewall, often with IDS/IPS and many other bells and whistles.
IT firms are good at IT; they are not good at security. That is evident from every law firm we have assessed so far. In most cases, as an IT security company, we have to re-architect and re-configure every piece of hardware and software they have installed because of the critical security vulnerabilities found in them.
To learn more about the topic, visit our research paper: cybersecurity for law firms.