Making it easier to grow your law firm


This section covers succession, specialisation, mergers, selling a law firm, becoming a partner, and business structure

How to plan and execute the process of starting up a new legal practice that is compliant and financially healthy

How to set up your firm’s systems to provide the information that enables you to improve profitability and cashflow

How to avoid professional negligence claims, with examples of common problems and suggested solutions. Plus FAQs on PII

This section only covers SRA Accounts Rules and GDPR at the moment. Compliance for start-ups is covered in the Starting up...

How to protect your law firm from cyber attacks. What steps to take if your systems are hacked

How to recruit and retain a team that is both happy and highly effective, dealing with the HR issues along the way

In marketing, like anything, you need to get the basics right. Otherwise the time and money you invest in marketing will be wasted

How to win new clients, make the most of existing relationships, encourage referrals and generate new leads

How to approach creating a law firm website that works, from agreeing your objectives to making sure you get the results you want

Why lawyers need to know about social media, how to make the most of the opportunities and how to avoid potential pitfalls

How to use PR to build your firm’s reputation; and how to create cost-effective advertising – traditional and online – that delivers results

Multifactor Authentication is a critical layer of cyber security

Chris McMurray talking
Chris McMurray, cyber lead at Travelers Europe, explains why multifactor authentication is a vital tool for protecting law firms from cyber attacks. (28 July 2022)

The numbers are difficult to ignore - multifactor authentication (MFA) typically blocks more than 99% of attacks by cyber criminals attempting to compromise a company’s systems. Traditional passwords on their own aren’t secure enough anymore; hackers have developed countless methods of stealing credentials and gaining unauthorised access to private accounts.

According to the Department for Digital, Culture, Media and Sport’s Cyber security breaches survey 2022, published in March this year, nearly one-third of businesses in the UK experience cyber attacks or breaches at least once a week. MFA, therefore, is being put to the test – successfully – with increasing regularity.

We have seen a distinct trend in insurance claims. As the industry saw a spike in claim activity towards the end of 2020, a clear correlation emerged between claims and insured businesses lacking MFA. In other words, these claims can be minimised or even prevented through MFA implementation. In fact, cybercriminals often differentiate between businesses on the basis of whether or not they have MFA.

MFA is a solid control that a business can put in place without a great deal of time or expense. There are three main types of MFA:

  • Things you know (knowledge) – such as a password, or pin.
  • Things you have (possession) – such as a key, or smart card, or smartphone app.
  • Things you are (biometric) – such as the use of a fingerprint, or a retina scan, or voice recognition.

A straightforward solution

A fraudster who comes up against a multifactor check may be able to circumvent it, but it takes work. If the next company on their list isn’t using MFA, it’s that much easier for them to deceive an employee with a phishing email and breach the company’s systems.

Easy targets remain plentiful right now, so until everyone adopts MFA and criminals find another way into a company’s systems, MFA remains a strong layer of protection.

For this reason, we have begun asking more technical questions about MFA when businesses renew their cyber insurance or buy it for the first time.

Instead of asking simply if a company has MFA, we’re asking if they have it for email, or for administrative accounts, and if employees with elevated access privileges use it for internal access. When law firms and their brokers read our questionnaire and see the level of specificity we request, they may think implementing MFA will be a lengthy and costly process. But it’s a relatively straightforward fix and the firms that we insure have the benefit of a free consultation with our cyber security partner, which helps them develop an implementation plan.

Final layer of protection

Of course, while MFA is important, it isn’t the only cyber protection required. To put it in simple terms, just because you have locks on your home doesn’t mean you can’t be broken into.

A law firm should have multiple layers of security, including an email filtering system that catches as many malicious emails as possible, a training programme to help employees recognise phishing emails, and a software defence that includes firewalls and an advanced endpoint detection and response system to monitor cyber threats. MFA provides the final layer of protection.

Within the last six months, most insurers have begun requiring potential policyholders to have some level of MFA to provide a cyber insurance quote.

As MFA requirements become more stringent, law firms can present themselves to insurers as more attractive risks by taking proactive steps to improve their cyber protections prior to renewal. And, in the process, they can reduce the chances of falling victim to a cyber attack.

While MFA is not a silver bullet, it’s a critical piece of a multilayered plan to make a law firm’s security that much stronger.


This blog is based on the article 'Helping clients adopt MFA as a critical layer of cyber security Travelers' on the Insurance Times website.


See also: