8 Cybersecurity Tips For a Start-up Law Firm
Advanced digital technology and platforms are now readily available and used by firms of all sizes, including start-ups. However, with any business built using digital technology, the risk of cybercrime is huge and cannot be left for a future phase of development. All firms have legal, regulatory and client obligations to implement appropriate security measures.
A dangerous assumption that we sometimes hear is, “I am only a small firm, and I’m not a target, so it is an acceptable risk at this point”. This is not so. The majority of successful cyber attacks start as an indiscriminate campaign, looking for technology vulnerabilities and untrained people. Successful attacks happen to firms of all sizes.
We have found that start-ups have three common issues. Firstly, they rarely configure their technology and digital support services with security in mind, as the priority is usually ease of use. Secondly, there is no attempt to educate founders and early staff members on how to operate securely in a digital world. And finally, there are no policies or governance in place to document intent and manage risk. Here is some simple guidance based on our experience.
1. Laptop set-up
Getting this wrong is one of the most common failures that leads to a successful attack. Work from a company-owned laptop that has been set up by a cybersecurity professional, not from a personal machine. The configuration needs to cover full-disk encryption, the host firewall, a standard (non-administrator) account for day-to-day work, and automatic operating-system and application updates.
2. Email security configuration
The most common attacks on law firms take advantage of poorly configured email platforms. It should be a priority to get the appropriate controls, filters and alerts set up (spam and phishing filtering, attachment scanning, and alerts on suspicious sign-ins) to stop you from becoming a victim. This will normally require the business version of the platform, which incurs a small monthly fee, because the consumer tiers do not expose these controls.
3. Domain record settings
Three DNS records must be set to reduce the risk of criminals spoofing your email address: SPF, DKIM and DMARC. The attack here is that a client's mailbox gets hacked, the criminals stumble across a legal transaction in progress, and they then send email that appears, very convincingly, to come from you. Note that these records stop your exact domain being forged; they do nothing against a look-alike domain or a fake copy of your website, which need to be watched for separately.
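The standard set of domain records for stopping address spoofing is SPF, DKIM and DMARC, published as DNS TXT records. The script below is an added example and is not part of the original article or Mitigo's material: it audits the text of an SPF record and a DMARC record for the settings that still let your domain be spoofed (a soft or missing `all`, `p=none`, a partial `pct`, no reporting address). The records it contains are constructed samples, not real lookups; a real audit would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` and pass them to the same functions. DKIM is deliberately not checked here because its record lives under a selector name that cannot be derived from the domain alone.

```python
"""Audit SPF and DMARC TXT records for settings that still allow spoofing.

The records below are constructed samples (a weak pair and a hardened pair),
not the result of real DNS lookups.
"""
import re

SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.example-mail.test ~all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened": {
        "spf": "v=spf1 include:spf.example-mail.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
    },
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 allows 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")


def check_spf(record):
    """Return a list of findings for an SPF record string ('' if none is published)."""
    if not record:
        return ["no SPF record: any server can send as this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    terms = record.split()[1:]
    if "+all" in terms or "all" in terms:
        findings.append("'+all' permits every sender; replace with '-all'")
    elif "~all" in terms:
        findings.append("'~all' only softfails; use '-all' once DMARC reports are clean")
    elif "?all" in terms:
        findings.append("'?all' is neutral; use '-all'")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism; unmatched senders are treated as neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record string ('' if none is published)."""
    if not record:
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; move to p=reject")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will not receive aggregate reports")
    # The subdomain policy 'sp' defaults to 'p' when absent.
    if tags.get("sp", policy) == "none":
        findings.append("subdomain policy is none: criminals can spoof subdomains")
    return findings


def audit(records):
    """Run both checks over a dict with 'spf' and 'dmarc' keys."""
    return {
        "spf": check_spf(records.get("spf", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
    }


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, audit(recs))
```

Run it and the "weak" pair reports the soft-fail SPF and the monitoring-only DMARC while the "hardened" pair reports nothing. Moving from `p=none` to `p=reject` should only be done after a few weeks of aggregate reports (`rua`) confirm that all your legitimate sending services pass.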
4. Authentication rules
Passwords and usernames get stolen all the time, and there is a thriving market for them on the dark web. Start with a robust approach to passwords (unique per platform, long, and kept in a password manager) and turn on multi-factor authentication (MFA) on key platforms, starting with email and document storage. MFA is fast becoming a minimum standard for insurance purposes.
5. Data transfer policy
Manage your data footprint. You need to do this to comply with the law on personal data as well as to minimise the opportunity for criminals. Write a policy that sets the rules on where client data may and may not be stored or sent. We routinely find client data on personal mobile phones, in personal Dropbox accounts, on household computers, and so on.
6. Cybersecurity training
Find some good cybersecurity training and make sure everyone does it annually. This is a minimum requirement.
7. Antivirus Software
Pay for a good antivirus package. Make sure it is installed on every device you work from, that it updates itself automatically, and that someone checks at least twice a year that it is still running and reporting on every device.
8. Back-up and storage
You need to get this professionally set up. Back-ups are frequently done badly: a copy that is permanently connected to the same network or account gets encrypted along with everything else in a ransomware or malware attack, and you lose everything. Keep at least one copy offline or otherwise out of an attacker's reach, and test periodically that you can actually restore from it.
Author: David Fleming – Mitigo Cybersecurity