Everyday Cyber Threats
Transcript of a conversation with a Managing Partner over coffee…
After watching the news recently, I was developing a real fear of my electronic devices. The dulcet tones of the news presenter informed me that Alexa can talk to criminals and make my home less secure, and that lurking inside every email I open could be a fraudster ready to pounce. I don’t mind telling you I was almost ready to sell up and move to a deserted island, with no technology.
Having taken a deep breath and read through the technical aspects of my cyber security, the fear has started to subside a little and I feel more reassured that my technology is doing all it can to protect me from cyber-crime.
However, could the same be said for my law firm? Were we doing everything possible to avoid potential attacks? The questions reverberated around my brain as I fixated on the potential dangers my firm are susceptible to.
Whilst our firm would like a full-time cyber security expert to work alongside and protect our company and clients’ data, our business does not have the capacity or funds to afford this option. It is therefore imperative that we lawyers understand the cyber risks and remain vigilant of the constant threats.
This includes dangers around the passwords we choose. I’ve heard that Password Spraying has become a very real threat. Apparently, fraudsters use the most popular passwords and apply them to the representatives of the law firm in the hope that one will match. Once they achieve this, they could gain access to our data, which could be incredibly sensitive, especially in a law firm.
Although I trust the people I work with inherently, we cannot overlook the possibility of threats by insiders. The majority of people I have worked with have been trustworthy. When they left the firm, it was amicable. However, a disgruntled employee has the potential to steal sensitive data before they leave the firm, and this is something that we consider when making protocols and contracts for employees.
Despite the fact that this may not be considered a cyber breach, the threat of human error damaging the system is also very real – again we are looking to ensure protocols are in place to protect our data from corruption or deletion – using cloud-based technologies could help us here.
Suspicious emails can be dangerous for a range of reasons. Firstly, opening rogue links could corrupt our firm’s system with malware software. This could prevent our firm’s employees from accessing our essential data until a ransom is paid to the hackers. When we work with such time-critical and valuable information, it is vital we are able to protect and access it whenever it is needed.
Hackers are now using a range of incredibly sophisticated ways of stealing data using phishing attacks. Cyber criminals use the freely and legally available knowledge open to them in order to send instant messages and emails which appear to be sent from a trusted employee or client. The hacker could create email addresses that look identical to the originals. Their intention is to steal essential data that could leave our business vulnerable to attack. In the worst-case scenario, it could encourage staff to release funds from clients or from the business to the fraudsters.
How can we possibly protect ourselves from attacks, Tom, when they seem so subtle and sophisticated?
It seems to me the first thing a mid-tier law firm should be doing is establishing appropriate security measures. I am certain that the firm has invested in standard IT security solutions like encryption and Two Factor Authentication on our devices, so they can’t be accessed without the required authorisation.
We are also vigilant with the security of the physical space. When leaving our computers, we ensure that they are locked. Any information saved on USBs is stored and locked securely after use and updates.
However, we should also be looking at the myriad of technology that could help in protecting the firm and our clients further. Using search-based services like account and entity screen could prevent our firm from handing money to fraudsters; the small investment could protect against a huge theft and an awful situation for our Client. That’s also a PR nightmare I don’t want to have to deal with.
I was afforded an extra level of peace of mind when I signed off our security accreditation, proving that our firm’s information security practice and policies follow recognised best practice.
Ultimately, my firm will beat the threat of cyber attacks by creating a cyber aware culture. This starts with educating all of our staff, ensuring everyone is aware of phishing threats, strange email requests and suspicious links, and that careful password choices can eliminate many of the risks.
Like all things in this constantly advancing world, it will be difficult to protect our firm entirely. But as I take this quick break, talk to you, and think about our firm whilst sipping my coffee, I am confident that we have the appropriate protocols in place to avoid future cyber-attacks.
Tom Lyes, Lawyer Checker