Getting Cybersecurity Right for Your Firm
As handlers of especially sensitive client data, law firms are particularly at risk of cyberattacks and costly data breaches.
We live in challenging times. Quite apart from the widespread disruption that COVID has wrought on all of our lives, you could be forgiven for thinking that we were in the middle of some kind of ‘cyber war’. Not a day seems to go by without another headline telling us about the latest cyberattack, data theft or ransomware incident. And for reasons that we will cover here, the pandemic has actually brought cybersecurity very much to the fore, because of the technology demands of a largely remote and network-challenged workforce.
The legal profession is no different in this respect. Imagine having to tell all of your clients that cybercriminals were now in receipt of all of their data. Law firms handle significant volumes of confidential and sensitive information and client funds as part of their daily work. Like many other sectors, the legal profession is delivering and transacting in an increasingly online fashion – indeed, there is a drive to become paperless. Firms need to be especially attentive towards the threat of any cyberattack, taking into account the massive amount of sensitive and important client data held in their information systems.
This is not a pie-in-the-sky scenario. Just recently we heard that the law firm acting for companies such as Ford, Boeing, Exxon, Marriott, Walgreen and others was hacked in an apparent ransomware attack. In this attack it is feared that social security numbers, passport numbers, payment card information, medical information and biometric data were all stolen by cybercriminals. Here in the UK, the London Stock Exchange recently revealed a filing by a UK-listed law firm which had suffered a cyberattack. Once again, sensitive client information was compromised.
The Remote and Mobile Challenge
We touched on the additional challenges that COVID has presented from a technological point of view. The UK has seen massive growth in both remote working and working on the move due to the pandemic, and the legal sector is very much included here. As we witness mobile and smart device usage continuing to grow, it brings about a corresponding rise in mobile security threats. Indeed, some reports even suggest that mobile devices could now account for more than 60% of digital fraud. As firms see a significant increase in people using their mobile devices for both work and personal use, they will need to face up to an entirely new set of challenges. This updated landscape requires a contemporary way of thinking (and new solutions) in order for legal firms to defend themselves against cybercriminals.
Don’t Trust Anyone
With people increasingly working under a ‘hybrid’ model (a mix of working from home, the office and on the road), we look to technology to afford us the flexibility and ability to work anywhere. With most workers no longer effectively tethered to a desk, firms require security platforms that support the new normal with solutions that provide remote workers with security whilst actively improving the employee experience. Firms need to ensure that employees are able to work on any device, which makes tools like multi-factor authentication and a zero-trust approach to security absolutely crucial.
Organisations everywhere are adopting a ‘zero-trust’ approach, which places greater importance on identifying the real-time health of a user’s device and, as a result, on the ability to grant conditional access to corporate data. Zero-trust security is all about eliminating implicit trust. In effect, it questions the trust placed within networks and the trust between hosts and applications. Zero trust implies that the best way to secure a network is to assume no level of trust whatsoever. Employing a zero-trust model also supposes that no single person, acting alone, is able to make any change to the system that could affect its security.
One way to make this happen is to replace human vulnerabilities with automation wherever possible. In all things ‘security’, humans are invariably the weakest point in any chain. Firms can mitigate human error by adopting single sign-on solutions and strengthening the security controls that govern how and where employees get access to specific data.
Cloud Access Security Brokers (CASB)
A CASB solution can improve visibility across an organisation by monitoring all user activity within cloud applications (both company-approved and shadow apps) and enforcing both internal policies and external compliance requirements. A CASB should additionally be adopted as part of a wider SIM/SIEM solution for forward-looking, secure data collection, monitoring and consolidation. Many CASB solutions are designed with compliance in mind: they provide granular visibility and control over user interaction with cloud applications, together with broad audit trails of that activity. They typically sit between users and cloud systems, acting partly as a filter, proxy and firewall, and can detect unsanctioned cloud applications as well as sensitive data in transit.
CASBs let organisations address specific use cases with their cloud providers and are well suited to centralised control, management and ease of use. With so much going on in the cloud as businesses strive to provide increased levels of remote access, there is real potential for data leakage in the cloud. Using a CASB gives organisations the power to maintain visibility over data that has gone beyond the reach of on-premises tools. Detailed logs of all cloud transactions (logins, uploads and downloads) are always recorded, and app-specific behaviours are also logged, helping organisations know the whereabouts of data if it is shared.
The National Cyber Security Centre (NCSC)
The NCSC essentially sets out to help make the UK a safe place to live and work online. Amongst other things, it provides schemes that can help your firm strengthen its cybersecurity. For example, Cyber Essentials is a simple but effective Government-backed scheme that will help you to protect your firm against a whole range of the most common cyberattacks. It can help you to guard against the most common cyber threats and demonstrate your commitment to cybersecurity. It can also reassure your clients that you are working to secure your IT against cyberattacks, and can even help to attract new clients with the assurance that you have cybersecurity measures in place. Cyber Essentials Plus retains the trademark simplicity of the Cyber Essentials approach but adds a hands-on technical verification. However, it is worrying to read research by Law.com that found that 40% of the leading 50 UK law firms still do not have the highest level of cybersecurity accreditation offered by Cyber Essentials Plus.
Cybersecurity has never been so important – whatever industry you work in. The pandemic has presented firms with technology challenges while also giving cybercriminals a larger attack surface. With COVID continuing to have an impact on remote working and working on the move, it is critical that your firm has maximum protection against new and emerging cyber threats. Law firms are increasingly reliant on IT and technology, which can leave them vulnerable to a whole host of malevolent cyber activity. If a firm loses access to its technology, has funds stolen or suffers any kind of data breach through a cyberattack, it can be devastating – financially and reputationally.
Steve Whiter, Director
Address: Appurity Limited, Farnham, United Kingdom, GU10 5DT
Tel: +44 (0)330 660 0277
Appurity is a UK-based company that offers mobile, cloud, data and cybersecurity solutions and applications to businesses. Its staff draw upon a wealth of in-depth knowledge in industry-leading technologies to aid their clients in developing secure and efficient mobile strategies.
Steve Whiter has been in the industry for 30 years and has extensive knowledge of secure mobile solutions. For over 10 years, Steve has worked with the team at Appurity to provide customers with secure mobile solutions and apps that enhance productivity but also meet regulations such as ISO and Cyber Essentials Plus. Working closely with its technology partners that include Lookout, NetMotion, Google, Apple, Samsung, BlackBerry and MobileIron/Ivanti, Appurity is delivering mobile initiatives to customers across multiple verticals such as legal, financial, retail and public sector.