One of the latest law office horror stories unfolded in May 2020, when New York-based firm Grubman Shire Meiselas & Sacks was hit with REvil ransomware that both cut off access to its data and stole client records.
In their case, the incident was particularly well-publicized due to the law office having several celebrity clients that had confidential documents compromised in the data breach.
Phishing attacks have gone up significantly this year due to COVID-19 and they remain a major threat for any law firm. How well positioned is your firm against a data breach?
A good cybersecurity strategy includes multiple layers, like managed security services, mobile security, and more to ensure you’re properly protected from being the next breach horror story.
Cybersecurity Risks Lead to Significant Costs
The average cost of a data breach for a company is $3.9 million (IBM's 2019 Cost of a Data Breach report), and firms can feel the impact for years after the initial incident.
Costs involved in a data breach include:
- Lost productivity
- Cost of IT forensics to identify data compromised
- Cost of recovery
- Loss of business due to reputation damage
- Breach notification costs
- Data privacy compliance penalties
With costs so high, it pays to invest in cybersecurity safeguards that can ensure your firm’s data and client files stay protected from cyberattacks.
Here are several important safeguards to deploy.
Authentication & User Access Controls
Sensitive data stored in cloud platforms is typically protected by nothing more than a username and password, and that is not enough to stop an account takeover once the password has been phished, guessed, or leaked in someone else's breach.
Law firms should layer additional access controls on top of the password so that a compromised password alone does not expose client data.
These include things like:
- Multi-factor authentication
- Security questions (a weak second check on their own, since answers are often guessable or findable online)
- Conditional access rules that restrict sign-ins by location, IP address, or device
- Use of “least privilege,” giving users access only to what they need
Proactive Managed IT Security
Every device should of course run a good antivirus product, but when you handle extremely sensitive data you also need someone actively looking for intrusions that slip past it.
For example, Connect2Geek uses a tool called Huntress that does not simply wait for a malicious file to reveal itself; it continuously monitors your endpoints for the footholds attackers leave behind, so they can be removed before they turn into a security incident.
Endpoint Device Management Application
Employees access client data from multiple devices: desktop computers, laptops, tablets, and smartphones. Each of those endpoints carries a certain amount of risk where your law firm's data is concerned.
Using an endpoint device management app, like Microsoft Intune, can help you secure access to cloud apps, track which devices are accessing which data, and push important security updates to all endpoints.
Advanced Endpoint Controls (Whitelisting/Ringfencing)
One way hackers get past standard anti-malware programs is to skip malware entirely and instead drive legitimate Windows tools, such as PowerShell, to do their work (often called "living off the land").
These attacks are hard to prevent with signature-based tools alone; they call for endpoint controls such as application whitelisting and ringfencing. Here is what each does:
- Application Whitelisting (also called allowlisting): Defines the approved programs that may execute on your devices. Anything not on the list, whether a downloaded executable or a script, is blocked by default.
- Ringfencing: Constrains what a whitelisted program is allowed to do, for example which other programs, files, or network destinations it can reach, so that a legitimate tool like PowerShell cannot be turned into an attacker's launcher.
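A worked example of the whitelisting side, added here and not taken from Connect2Geek or from any vendor's product: Windows ships its own application whitelisting in AppLocker, and the script below builds an allow policy from what is already installed, deploys it in audit mode, and shows how the policy would treat a file dropped into a user's Downloads folder. The directory list, policy path and sample file are assumptions for a typical workstation; it needs an elevated PowerShell on a Windows edition that supports AppLocker enforcement (Enterprise, Education, or Server). The closing check on PowerShell's language mode illustrates the nearest built-in analog to ringfencing: once script rules are enforced, PowerShell runs unapproved scripts and interactive sessions in Constrained Language Mode, which removes the .NET and COM access that living-off-the-land tradecraft relies on.

```powershell
# Added example: a local AppLocker allow-list deployed in audit mode.
# Not Connect2Geek's tooling; the directory list, policy path and the
# sample file below are assumptions for a typical law-office workstation.
# Run from an elevated PowerShell on Windows Enterprise/Education/Server.
Import-Module AppLocker

# 1. Inventory the executables and scripts in the locations a standard
#    user is expected to run software from. DLL rules are deliberately
#    left out: they are easy to get wrong and will break the machine.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' |
    Where-Object { Test-Path $_ }
$knownGood = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Turn the inventory into allow rules: a publisher rule for signed
#    files (survives vendor updates), a hash rule only where a file is
#    unsigned. -Optimize merges duplicates; -AuditOnly logs instead of
#    blocking so the policy can be checked against real workflows first.
$policyPath = 'C:\ProgramData\AppLockerAudit.xml'   # assumed location
New-AppLockerPolicy -FileInformation $knownGood -RuleType Publisher, Hash `
    -User Everyone -Optimize -AuditOnly -Xml |
    Out-File -FilePath $policyPath -Encoding UTF8

# 3. AppLocker does nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 4. Apply the policy locally, keeping any rules that are already present.
#    On a domain-joined machine, deploy the XML through Group Policy or
#    Intune instead; a local policy is overridden by domain policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Dry-run the decision for a known-good binary and for an unsigned
#    script that was never inventoried (a constructed stand-in for a
#    phishing payload). Once a rule collection holds any rules, anything
#    that matches no allow rule in that collection is denied.
$dropped = Join-Path $env:USERPROFILE 'Downloads\invoice-viewer.ps1'   # constructed
Set-Content -Path $dropped -Value 'Write-Host "not on the whitelist"'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. While in audit mode, event 8003 (EXE and DLL log) and 8006 (MSI and
#    Script log) record what enforcement would have blocked. Review these
#    for a few weeks before removing -AuditOnly from step 2.
$auditLogs = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $auditLogs; Id = 8003, 8006 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 7. Ringfencing analog: with script rules enforced (audit off), PowerShell
#    runs non-whitelisted scripts and interactive sessions in
#    ConstrainedLanguage, which removes the Add-Type/.NET/COM tricks that
#    attacker tooling depends on. In audit mode this still reports FullLanguage.
$ExecutionContext.SessionState.LanguageMode
```

Run step 5 before and after adding a new practice-management or e-discovery application: the known-good binary should match a publisher rule, while the constructed script in Downloads should match nothing. If a legitimate tool shows up as an 8003 or 8006 event during the audit period, add it to the inventory in step 1 rather than loosening the rules with a broad path exception.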
Patch and Update Management
Keeping all your software and hardware updated is one of the hallmarks of cybersecurity best practices.
You’d be surprised how many users click “later” when a software update pops up because they’re in the middle of something. Then a month or so goes by and that vital security update is left unapplied.
In one 2019 survey, 60% of organizations that suffered a breach reported that it came through a known vulnerability for which a patch was available but had not been applied.
The best way to make sure operating system, application, and firmware updates are applied promptly is to take the decision out of users' hands. Managed IT services include patch and update management, so updates are tested and rolled out on a schedule instead of waiting for someone to click "install."
User Cybersecurity Awareness Training
Too often, law firms and other offices focus entirely on the technology side of cybersecurity and forget the human side. Phishing is the number one delivery method for malware precisely because hackers target the users they can trick.
It’s important to keep cybersecurity front and center for your employees by conducting ongoing IT security training. This will allow you to cement in best practices as well as include timely information (such as all those new COVID-19 phishing attacks).
Cover topics such as:
- Phishing awareness
- New threats to watch out for
- How to handle a questionable email or text
- Secure data handling
- Password security
Cloud Application Security & Automated Security Policies
The more cloud applications a firm uses, the more risk there is that the data in one could be compromised.
Using automated security policies that can be standardized across all your cloud applications can help ensure protection no matter which app your team is using.
A cloud access security broker such as Microsoft Cloud App Security is designed for this: it gives you visibility and policy control over the third-party cloud apps your firm uses from one place.
Ensure Your Law Office Has the Data Safeguards It Needs
Connect2Geek has security experts on staff that work with law offices to ensure they’re protected from a breach, while also facilitating productive workflows.
Schedule a free security consultation today! Call 208-468-4323 or reach out online.