The common elements across all law firms when it comes to protecting them from hacking attacks are:
- Your document management system
- Your case management system
- Your filing system
- Printing management systems
- File sharing and collaboration
- Phone management systems
- E-mail – and in many cases if a hacker gains access to someone’s email, they also gain access to all of the above, as usually the username / password combination works everywhere
- Domain records – if someone gains access to your domain records, they automatically gain access to all your email. Most people have never thought of that. If you own lawfirm.com and all your emails end with lawfirm.com, then if a hacker / competitor / foreign government gains access to lawfirm.com, they automatically start receiving all emails destined for your email recipients. They also gain access to all your corporate systems, as they can now reset the passwords for every system. Domains are CRITICAL.
The approach to protecting the above varies from law firm to law firm, but here are the six ways that will definitely improve your defensive capabilities against hackers:
Protect e-mail access
You might think that protecting access to e-mail is self-explanatory, but it’s not. Yes, emails contain a lot of confidential information – however, if someone has unauthorized access to your email, they also gain access to your filing system, document management system, file sharing system, phone management system, printing management system and... well, everything in the company. That’s how IT infrastructure is designed almost everywhere, and law firms are no exception.
A crucial element of your defenses is how well everyone is aware of the cybersecurity risks out there. All associates, interns and attorneys should be well aware of how dangerous it is to open a link with a fake login form on it – it may look like an internal company page, and they need to know how to recognize fake ones. An element often ignored here is the managing partners – because of their seniority, they often get to bypass mandatory security training. This is a critical strategic mistake – they are the ones who should receive the most, and the highest quality, security training instead.
Has anyone accessed your filing system from China on a given Saturday? If you can’t answer that question, you don’t own your filing system, or your DMS, or your file sharing & collaboration systems. In fact, if you can’t answer that question, you have no control over your IT infrastructure and it is very likely someone else has control over it without your knowledge.
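As an added example (not part of the original article), here is a minimal Python check over a constructed access log that answers the "filing system from China on a Saturday" question and flags every access from outside an allow-list of countries or on a weekend; the log format, the system names and the US-only allow-list are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample access log (not from any real system):
# ISO timestamp, user, system accessed, source country of the connection.
SAMPLE_LOG = """\
timestamp,user,system,country
2024-03-08T09:15:00,jdoe,DMS,US
2024-03-09T03:42:00,jdoe,filing,CN
2024-03-09T11:05:00,asmith,filesharing,US
2024-03-11T14:20:00,jdoe,DMS,DE
"""

# Assumption: the firm only operates from the United States.
ALLOWED_COUNTRIES = {"US"}
SATURDAY = 5  # datetime.weekday(): Monday=0 ... Sunday=6


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def who_accessed(events, system, country, weekday):
    """Answer the article's question directly: which users touched
    `system` from `country` on the given weekday."""
    return sorted({
        e["user"] for e in events
        if e["system"] == system and e["country"] == country
        and datetime.fromisoformat(e["timestamp"]).weekday() == weekday
    })


def flag_suspicious(events, allowed=ALLOWED_COUNTRIES):
    """Return one alert per event that comes from a non-allowed country
    or happens on a weekend, with the reasons it was flagged."""
    alerts = []
    for e in events:
        when = datetime.fromisoformat(e["timestamp"])
        reasons = []
        if e["country"] not in allowed:
            reasons.append(f"source country {e['country']} not in allow-list")
        if when.weekday() >= SATURDAY:
            reasons.append("weekend access")
        if reasons:
            alerts.append({"user": e["user"], "system": e["system"],
                           "when": e["timestamp"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("filing from CN on Saturday:", who_accessed(events, "filing", "CN", SATURDAY))
    for a in flag_suspicious(events):
        print(a)
```

A real deployment would feed the same logic from the authentication logs of the DMS, file sharing and e-mail systems rather than a CSV string.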
Some of the most technologically advanced companies globally are moving away from their dependence on passwords. If you want to know why, take a look at this infographic: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Looking at the data in the link above you can see that all these organizations stored user passwords… and all those user passwords are now known to hackers globally. What are the chances that someone, somewhere used the same password as Managing Partner John Doe in your law firm? Pretty high. Guessing passwords or enumerating them in a hacking attack is easy enough for teenagers to do – and they do it. The level of difficulty in breaking password-based security is extremely low – that is why you must use two-factor authentication.
Don’t rely on your antivirus
All it takes to understand how reliable antivirus programs are is a simple Google search: “bypass av”. Anyone who can use Google can bypass your antivirus, no matter its vendor, brand or marketing claims. Instead, build systems capable of blocking unknown or unauthorized programs in your infrastructure.
Don’t rely on your IT provider
Your IT department, be it in-house or outsourced, is good at building IT systems and maintaining them. They might have realized there is profit in cybersecurity and have also started selling antivirus programs, firewalls and IDS/IPS (intrusion detection and prevention) systems – remember, all of the companies hacked in the past had the exact same combination of antivirus and firewall, often with IDS/IPS and many other bells and whistles. IT firms are good at IT – they are definitely not good at security – as is evident from every single law firm we have assessed so far. In most cases we have to re-architect and re-configure every single piece of hardware and software they have installed because of the critical security vulnerabilities found in them.