Recently, the Defending Law Firms from Cyber Attack Conference saw experts from the fields of government, law and cybersecurity present their views on the rising threats in cybersecurity and offer views on how law firms can effectively protect themselves from this rising threat.
Whilst speakers honed in on the specific vulnerabilities within law firms to the government’s view on privacy and legislation, there was one message in particular that was echoed by many of the speakers; people are an organisation’s greatest security asset and at the same time its biggest risk.
We live in an age where anybody can be targeted, it is not just about governments and large businesses anymore, cybercriminals are using more sophisticated techniques and now have the ability to traverse the information supply chain to find the weakest link and therefore find the easiest ‘way in’.
The very nature of the work carried out by legal firms dictates they house an abundance of critical information. From Intellectual Property with a patent lawyer, conveyancing on houses and commercial properties, to divorce settlements and business acquisitions, this information is not only critical but time sensitive. For the sake of productivity, firms move this information around as quickly as possible, as a result making it significantly less secure.
Typically law firms have a very flat structure; partners, senior personnel and junior team members all have access to the majority of the company’s information. The reason for this is simple; if there is a need to expand the team or for a specific task to be completed, then the information is readily available. However, the increasingly unpredictable world of online crime means the sharing culture of open information cannot be maintained. In order to secure their critical information, law firms will need to operate on a need-to-know basis with processes in place for on-board/off-board people to projects to maintain ease and efficiency.
Legal professionals at all levels within a firm need education and awareness training in order for them to understand the advanced cyber-threats and associated risks that exist. This needs to be supported with policies and processes on how to handle information securely and what to do in the event of an attack, or a suspected attack. Legal firms need to be aware of the information that is ‘critical’. Controlling the number of places it exists, such as whether it’s in a personal email account or the cloud, the means of access and who has access is paramount in keeping it safe. Building a culture where the employees work together will drive the risk posture down and “don’t shoot the messenger” needs to become a mantra.
The acid test for any prevention strategy comes back to four simple but key questions:
- What is the information you are trying to protect?
- Where is that information found?
- Who has access?
- How do people access the information?
Finally, in order to fully secure an organisation’s network there needs to be a layering of different technologies. Not only do these provide a solid means of defence but it can help enforce polices and keep the people and the company safe; protecting the most critical of assets – the information.