The Panama Papers, in which 11.5 million confidential files of lawyers Mossack Fonseca detailing clients’ financial arrangements were leaked in 2016, should have been a wake-up call for every law firm about the potentially devastating effect of a data breach. You shouldn’t be in any doubt that hackers are already testing many law firms’ IT systems for weaknesses they can exploit to break in and steal information.
Why lawyers are magnets for cyber criminals
Lawyers are attractive targets to hackers because they have vast repositories of sensitive data. Lawyers’ files contain clients’ most intimate personal and business details – a magnet to cyber criminals, who can sell them on the dark web or encrypt them to extort a ransom. And because most law firms do not view themselves as being potential targets their IT-security defences are low, making them easy prey for cyber criminals.
As many companies’ IT networks have no internal firewalls installed, once a hacker has gained access to a system – often through an employee inadvertently installing malware by clicking on an innocuous-looking attachment in a very convincing fake email – then he has open access to rifle through every file on it, searching for the most sensitive information.
Law firms could face financial penalties for data breaches
In 2014, the Information Commissioner’s Office ‘sounded the alarm’ about the legal profession’s data risks, warning that the damage caused by a loss of client information would probably warrant the regulator issuing a financial penalty to any law firm that suffers a breach.
The Solicitors Regulation Authority has information security as one of its priority risks, and advised its members to follow the government’s Cyber Essentials scheme and to train their staff to try to avoid falling for common cyber attacks, like downloading malware through fake emails.
But in our experience, many lawyers remain unaware of the risks hackers pose to their businesses. So here are a few simple, but crucial, steps to help stop your firm from becoming a victim.
Senior management needs to ‘own’ the problem
The threat to law firms is so varied – from hacktivists publicising a cause to professional criminals trying to make money to nation states spying on others – that the leadership and coordination required for a robust a data security strategy could only come from a managing partner.
Increasingly, if your law firm acts for large corporate clients you may be required to comply with their own information security procedures to ensure their IT systems remain secure. For example, Bank of America Merrill Lynch now audits the cyber defences of its outside law firms. It’s therefore important your clients know you are taking the threat seriously.
Decide which of your data is sensitive
Your first step should be to decide which information that you hold would cause your firm and your clients most harm if it was stolen. Next, find out all of the places where it is stored. This can include employees’ mobile devices, laptops and home computers – an Achilles Heel for any firm’s IT security cordon, as they may contain viruses that, when plugged into the company’s computer network, can quickly infect the whole system. Then, set controls on who in your firm can access that data, and how. For instance, should staff be allowed to access and download data onto their own devices? If so, should it be encrypted?
So many data breaches that occur within firms are simply the result of human error, in our experience, which could have been prevented if a company’s IT security was better. Often, this is simply a case of better housekeeping. So for example:
1. Are your staff members’ passwords strong enough and regularly changed?
2. Have you audited the number of active login credentials there are for your system, and do these match your number of employees? Often, this simple exercise can show there are plenty of former employees’ logins that remain active – and, in some cases, are still being used after that person has left your company.
Your employees are your first line of defence – and biggest asset – in helping to keep your data safe. So make sure they are aware of the need to keep client data safe and what to do if they think they receive an email that might be malicious.
Mistakes do happen, so it is worth considering offering staff a method of reporting data breaches anonymously or without fear of being dismissed. The key is to act quickly when a breach occurs, but your staff members won’t have any incentive to notify you if they think they face disciplinary action for their error.
Also, let employees know how they should report any suspicions they may have about a colleague’s actions. It’s also possible for you to set up alerts which flag the unauthorised transfer of sensitive data, such as by file transfer, email, instant messaging or onto USB sticks.
Review your procedures regularly
Hackers are constantly updating and refining their tactics, so you need to do the same for your defences. Security software can only detect known viruses and malware, so you can’t rule out the possibility that a new virus could attack your system. You could bring in an outside expert to brief you on the latest threats, as well as to highlight any weaknesses in your systems and procedures.
The key factor in IT security isn’t how much money you spend, but how much thought you put into it. We have seen companies that have had a data breach, despite having spent huge sums on cyber security, because they were looking in the wrong direction. Like the French with the Maginot Line, these companies were convinced the threat would come from one direction and built their defences accordingly, only to be surprised by an unexpected attack.
The most important step you should take is to understand what information is most valuable to you – and therefore to a cyber thief. Once you’ve done that, your other decisions become much simpler.
Find out more about our cyber and data risks insurance