8 IT security mistakes law firms make
May 20th, 2015
The broad categories of IT security threat faced by law firms have changed little in the last 20 years. The nature of those threats, however, has changed drastically, and many firms have yet to catch up.
While the old hackers typically hacked for fun, interest and challenge, the main driver for the modern hacker is money, particularly through extortion and blackmail. This trend has brought attacks to the gates of every single firm, whatever its size. Your information is valuable, and when hackers gain access to it they can do huge damage to your brand or extort money from you. For a law firm, where the trust and respect of the client and the protection of their highly sensitive information are paramount, a breach is something you cannot afford.
Legal firms may think they are not at risk from an IT security breach, or believe they are doing enough to protect their sensitive data, but here are eight common mistakes I see firms making time and time again when it comes to IT security.
What are the IT security threats for law firms?
1. No two-factor authentication
Many firms are still using only passwords to access IT platforms, both within the office and while working remotely. Passwords are simply not secure on their own. The number of passwords every member of staff needs to remember in this day and age is too vast, and the threat landscape is too big, to rely on them alone.
The solution many sectors have already adopted is two-factor authentication: for example, a password plus a token. Many banks insist on it, and for good reason.
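To show what the "token" half of that pairing actually does, here is an added example (not code from the original post or from QuoStar) that implements the time-based one-time password scheme used by hardware tokens and authenticator apps, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret is a constructed value, the standard RFC test secret in base32, and the `last_counter` argument stands in for whatever per-user storage a real service would use to reject a code that has already been accepted.

```python
"""Minimal RFC 4226 / RFC 6238 one-time-password verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed shared secret: the RFC 6238 SHA-1 test vector ("12345678901234567890"),
# base32-encoded the way authenticator apps expect it. Real secrets are random per user.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating the missing '=' padding apps often omit."""
    padded = b32.strip().upper() + "=" * (-len(b32.strip()) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current time window."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_counter: Optional[int],
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Verify a submitted code against the current window and +/- `window` neighbours.

    Returns the matched counter so the caller can persist it as the new last_counter,
    or None on failure. Counters at or below last_counter are refused, so a code that
    was already accepted (or captured) cannot be replayed within the tolerance window.
    The comparison is constant-time to avoid leaking how many digits matched.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = decode_secret(EXAMPLE_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("accepted as counter:", verify_totp(secret, code, now, last_counter=None))
    # The same code presented again is refused once its counter has been recorded.
    print("replay accepted:", verify_totp(secret, code, now, last_counter=now // 30))
```

The window tolerance of one step either side is what lets a token whose clock has drifted by a few seconds still work; the recorded counter is what stops an attacker who shoulder-surfs or phishes a code from using it a second time within that window.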
2. No disaster recovery and continuity plans
A tried and tested business continuity plan is essential for any firm. However, many will not have one, and those that do will not test it regularly or earnestly enough. This is one of the biggest and most worrying lapses in security. Not having a plan to recover and operate after a significant event is negligent, verging on criminal. Try explaining to your insurer after a disaster why you cannot show them your recovery plans.
3. Device control
Most legal firms have mobile devices such as laptops, iPads, mobile phones and the like, but few are controlled by the firm. For example, some firms will allow employees to pick up work email on a personal device. This is completely negligent unless you have secure controls in place. It is also concerning to see that a number of firms are still not encrypting every mobile device containing sensitive data. If you believe your information is of no use to a third party, you are very wrong.
How would a partner explain to a key client that their sensitive information had been stolen or leaked to a third party? What if that third party was the press, keen to highlight how legal firms like yours still are not taking client data security seriously? A breach like this could permanently damage or even end your business.
4. No asset list or risk register
Most firms haven’t really evaluated what their risks are. You simply cannot protect what you haven’t assessed. Firms need to evaluate every asset and service within their business, not simply IT hardware and systems. They should also be looking at their other assets, e.g. their brand, their people, etc.
Once these are identified, you must assess the risks associated with each asset and how they could impact the firm. With this information, the controls for those risks should be documented. You cannot be comfortable with the security of your firm if you have not been through this process.
5. No patch management
This is something that still does not happen to the level that it should. Many firms still have no formal patch management strategy. I know that it is painful for an IT department to do, but it is so important to get critical updates onto machines as soon as possible. A significant proportion of hackers, viruses and Trojans use vulnerabilities in software to gain control over a device, so patching needs to be done.
6. No staff training
The largest weakness in a firm's security is its people. It is imperative that staff understand the risk they pose and learn to be more aware of the threats. You would be surprised how many firms I could breach within minutes simply by calling up, pretending to be a new member of the IT team and directing staff to a web page that gives me access. The risks around staff are huge, and educating them is essential.
7. Device disposal
We are all aware of the need to dispose of PCs, laptops and similar devices properly so that no data is left on them. However, legal firms scan and print large amounts of data, and this also poses a risk. Documents are written to a printer's internal disk before they are printed, so be mindful that these disks will hold sensitive data and ensure they are wiped or destroyed before you dispose of the device.
8. Being lax
If you do not take IT security seriously then you will suffer at some point; how badly you are affected is a game of chance. Do not think for a second that you are not at risk, or that IT security can simply be seen as an IT department problem that you can leave your team to handle. You need to take responsibility for IT security, because you are most certainly accountable for it.
There are many more risks than this out there, but you need to shut the doors and windows before you start sealing the cracks.
Robert Rutherford, CEO of QuoStar