Law firms and small businesses will continue to be victims of cyber-attacks unless they radically change their approach to security. Below David Blundell, Managing Director at CyberHive, points out the risks and dangers for legal practices in today’s digital age.
Reports from the National Cyber Security Centre that £11 million of client money has been stolen from law firms in the last year and that 60% of legal practices have suffered cyber-attacks confirm that it is no longer a case of “if” but “when” a breach happens.
Although there is generally a high level of security awareness among law firms, IT resources are limited and often outsourced. With a vast array of compliance and system-management matters to deal with, cyber-security expertise can be in short supply.
Whatever their IT set-up, law firms need to change their mindset to defend themselves against the growing sophistication of cyber-attacks. They must shift from defending themselves against predictable external attacks using outdated anti-virus technology to adopting fail-safe solutions that identify more sophisticated attacks as rapidly and as accurately as possible. Instead of placing their faith in easily breached perimeter defences, they must acquire the capability to shut down an attack before any damage is inflicted.
It is the human element that leaves law firms vulnerable
Most cyber-attacks begin either through a security slip-up by an employee or as the result of some clever social engineering in a phishing email that looks convincing but is entirely malign. This is how hackers and organised crime groups insert malicious code inside the defences of even the most heavily protected organisation.
When thousands of emails are exchanged every day with clients, third-party business partners and prospective customers, it is almost inevitable that a member of staff will click on a macro or link that triggers the download of a new malware variant that AV cannot identify and which may go undetected for months.
While the malware is hiding in the system it will be siphoning off highly confidential data, stealing cash or waiting to use the firm’s servers as a backdoor into the systems of important clients.
Although email filters will eliminate most phishing attacks, many still get through. Filters are also largely ineffectual against spear-phishing that targets a specific individual with cunningly crafted emails, using data to create a personalised lure.
The vulnerabilities of legal IT
The majority of mid-sized law firms still rely on conventional on-premises data storage – using servers in their own offices. As business has evolved, however, it has become necessary to access data from anywhere, and this combination can increase vulnerability. When a firm hosts its own servers, it creates the need to update, patch and secure them, while at the same time they must of necessity be accessible from the internet by many of the firm’s employees.
Law firms also use third-party software for their customer management. Being hosted on their own servers, this may well open up further holes in security.
The alternative is to move entirely to cloud-based data-storage, enjoying all the enormous benefits of scalability, flexibility and lower overheads. Yet this is no trivial question for law firms, since security is a paramount consideration. A single breach can be sufficient to inflict catastrophic damage on a practice’s reputation. These understandable security fears are why law firms often ban staff from using cloud-based applications such as Dropbox.
Security among cloud-service providers is by no means certain, either. Security breaches can be caused by malign cloud employees who place unauthorised software on a server or by those who simply fail to follow protocols.
Failing legal approaches to security
Despite the worsening record of both current and next-generation AV, the legal sector still regards perimeter security as the best form of defence, with two-factor authentication and encrypted VPN access as standard. Yet even if access to data-handling inside the system is restricted, it will not provide any protection if the device being used to access the data is compromised.
Alternatives such as security based on network traffic analysis technology, which identifies suspicious patterns of data-use to enable rapid investigation, have proved to be difficult to implement and liable to excessive numbers of false positives. Law firms are left with the option of either lowering their alert thresholds and increasing their risk-exposure, or of operating with technology that could lock down access to systems at time-critical moments.
More effective solutions should now be adopted by the legal sector
To counter these attacks, law firms need to secure themselves from human error by deploying far more effective technology and better staff training. Staff training will go some way to reducing the dangers of employees clicking open socially-engineered emails, exchanging details that are valuable to criminals, or failing to follow system management protocols.
Yet this can only ever be a starting-point. To protect themselves, law firms now need to drop their adherence to outdated perimeter defences and deploy more advanced solutions that will defend their servers from intrusion or lapses, whether in the cloud or on-premises.
These solutions are based on the power and integrity of chips on the motherboards of every server. They check the status of servers every five seconds, monitoring the security of servers using a combination of hardware-based cryptography and whitelisting technology. This protects servers from all unauthorised activity and malware in a way that conventional solutions are simply unable to match.
The chip is impervious to hacking and the solution guarantees that no person or organisation can tamper with servers, falsify verification data or bypass server security.
For law firms facing rapidly growing cyber-attacks, reliance on AV and perimeter security is no longer sufficient. The legal sector needs to protect itself from the devastating effects of security lapses by deploying solutions of this kind that successfully defeat all the threats being devised by cyber criminals.