8 Cybersecurity Tips For a Start-up Law Firm


Advanced digital technology and platforms are now readily available and used by firms of all sizes, including start-ups. However, with any business built using digital technology, the risk of cybercrime is huge and cannot be left for a future phase of development. All firms have legal, regulatory and client obligations to implement appropriate security measures.

A dangerous assumption that we sometimes hear is, “I am only a small firm, and I’m not a target, so it is an acceptable risk at this point”. This is not so. The majority of successful cyber attacks start as an indiscriminate campaign, looking for technology vulnerabilities and untrained people. Successful attacks happen to firms of all sizes.

We have found that start-ups have 3 common issues. Firstly, they rarely configure their technology and digital support services with security in mind, as the priority is usually ease of use. Secondly, there is no attempt to educate founders and early staff members on how to operate securely in a digital world. And finally, there are no policies or governance in place to document intent and manage risk. Here is some simple guidance based on our experience.

1. Laptop set-up

Getting this wrong is the most common failure that leads to a successful attack. You need a company laptop that has been set up by a cybersecurity professional. The configuration needs to cover encryption, firewall configuration, user privileges and automated updates.

2. Email security configuration

The most common attacks on law firms take advantage of poorly configured email platforms. It should be a priority to get the appropriate controls, filters and alerts set up to stop you from becoming a victim. This will normally require the business version of your email platform, which incurs a small monthly fee.

3. Domain record settings

Three controls must be set to reduce the risk of criminals spoofing your email address or faking your website. The attack here begins when a client's email gets hacked and the criminals stumble across a legal transaction. They can then pretend, very convincingly, to be you.
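
An added example, not from the original article: the article does not name the three controls, so this sketch assumes they are SPF, DKIM and DMARC and audits a domain's TXT records for settings that leave spoofing possible. The domain `lawfirm.example`, the selector `mail1` and every record value are constructed, and the records are passed in as a dictionary rather than fetched from DNS.

```python
# Assumption: the "three controls" are SPF, DKIM and DMARC (not named on the page).
def parse_tags(record):  # 'tag=value; tag=value' (DMARC, DKIM) -> dict
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txts):
    spf = [t.lower() for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["SPF: expected exactly one record, found %d" % len(spf)]
    terms = spf[0].split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record, which is not followed here
    catch_all = [t for t in terms if t in ("all", "+all", "-all", "~all", "?all")]
    if not catch_all:
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    if catch_all[0] in ("all", "+all", "?all"):
        return ["SPF: '%s' does not fail unlisted senders" % catch_all[0]]
    return []

def audit_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(recs)]
    tags, findings = recs[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s takes no action on spoofed mail" % (policy or "<missing>"))
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports arrive")
    return findings

def audit_dkim(txts):
    keys = [k for k in map(parse_tags, txts) if "p" in k]
    if not keys:
        return ["DKIM: no public key published at this selector"]
    return [] if keys[0]["p"] else ["DKIM: empty p= tag, the key is revoked"]

def audit_domain(domain, selector, zone):
    return (audit_spf(zone.get(domain, []))
            + audit_dmarc(zone.get("_dmarc." + domain, []))
            + audit_dkim(zone.get("%s._domainkey.%s" % (selector, domain), [])))

# Constructed zones (DNS name -> TXT strings); the DKIM key is a placeholder.
WEAK = {"lawfirm.example": ["v=spf1 include:_spf.mailhost.example ?all"],
        "_dmarc.lawfirm.example": ["v=DMARC1; p=none"]}
HARDENED = {"lawfirm.example": ["v=spf1 include:_spf.mailhost.example -all"],
            "_dmarc.lawfirm.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@lawfirm.example"],
            "mail1._domainkey.lawfirm.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"]}
```

Calling `audit_domain("lawfirm.example", "mail1", WEAK)` returns four findings, while the `HARDENED` zone returns none.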

4. Authentication rules

Passwords and usernames get stolen all the time. There is a thriving market for these on the dark web. You need to start with a robust approach to passwords and deploy an additional factor of authentication on key platforms – fast becoming a minimum standard for insurance purposes.

5. Data transfer policy

Manage your data footprint. You need to do this to comply with the law on personal data as well as to minimize the opportunity for criminals. Write a policy that sets the rules. We find data on personal mobile phones, in personal drop-boxes, on household computers, etc.

6. Culture

Find some good cybersecurity training and make sure everyone does it annually. This is a minimum requirement.

7. Antivirus Software

Pay for a good antivirus package. Make sure it is on every device you operate from and that it is checked bi-annually.

8. Back-up and storage

You need to get this professionally set up. This is frequently done badly, which means that it wouldn’t survive a ransomware or malware attack, and you will lose everything!


Author: David Fleming – Mitigo Cybersecurity

All businesses today are built around 3 things: technology, people and process. Cyberattacks in some way threaten all of these. However, people tend to focus on the technology aspect of the attack rather than the cause. Not Mitigo. Working in this industry taught us straight away that cybersecurity isn’t simply a ‘technology’ problem. It’s much broader than that and will always involve your technology, people and processes. Better and better technology isn’t a solution, it’s just better technology; because if no one’s using the technology properly, how can it ever be secure?
