James Doswell is a cyber risk consultant who works alongside some 20 lawyers across the Travelers claim, risk and underwriting teams. He helps law firms to identify and avoid professional indemnity insurance risks from cyber attack.
Here, he suggests a practical ten-step plan to help smaller law firms to be less vulnerable to attacks. (26 January 2023)
(Note: James and others were interviewed on this topic in the webinar Risk protection including cyber security on 9 February 2023.)
We all know that cyber attack is a serious risk for the legal sector. But what law firms want to know is the practical steps they can take to minimise that risk, especially if the law firm lacks expertise in this area. So here are some simple steps to take.
1. List your equipment
Just as a chain is only as strong as its weakest link, a single item of unprotected equipment can be your cyber point of weakness. Perhaps you are still using an old phone system, or there is an old laptop that occasionally gets plugged in to the network.
- Keep an inventory of 100% of your firm’s IT equipment.
- List the model, serial number, the first user (and ideally any subsequent user) of the item, the date purchased, the scheduled date of disposal, the actual date of disposal, and the method of disposal.
- Diarise to review the register once a quarter, to check for any items that may have been overlooked (while you can all still remember).
- Avoid a ‘shadow IT culture’ developing in the firm. Staff sometimes avoid the hassle of following security procedures (eg log-ons) by using their own equipment or by otherwise finding ways to short-cut the safety systems.
There are specialist software packages to track IT assets, such as Zendesk. And some software packages include an ‘asset register’ as one of the modules. But otherwise, a spreadsheet is a perfectly good way to track this information.
2. Then back it up
Imagine that you are successfully hacked tomorrow. You are locked out of your entire system and have been asked to pay a ransom before you can, hopefully, receive a decryption key to unlock it all. Do you have it all backed up, so you can quickly rebuild the system and its data? When did you last test it? Without back-ups that work, a law firm today simply cannot function in this scenario of a successful cyber attack (or some other catastrophic failure of the system).
- Do not simply rely on your IT team or support company (‘managed services provider’) to complete this ongoing task, even if you have given them responsibility for it.
- Instead, regularly ask those responsible to restore five random files from different locations or systems that you have chosen, and check that the restored copies match the originals. “What gets measured, gets done”, as the adage goes.
- If media such as video is important, be sure to include these file types as they sometimes get removed because of their large size.
- Ensure that at least one of your backups is ‘immutable’, ie stored offline or on write-once storage so that it cannot be altered or deleted, as attackers routinely look to damage or destroy backups before they trigger the ransomware.
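The restore test above can be made repeatable rather than left to memory. The following PowerShell script is an added example and is not part of the original article: the first function picks a random handful of files from the live data and records their sizes and SHA-256 hashes in a dated manifest; after your IT provider has restored those files to a separate folder, the second function checks each restored copy against the manifest and reports anything missing or changed. The paths `D:\FirmData` and `E:\RestoreTest` are placeholders, not real locations.

```powershell
# Added example (not from the original article). Records a random sample of
# files and later verifies that restored copies match. Paths are assumptions.

function New-RestoreSample {
    param(
        [Parameter(Mandatory)] [string]$Source,      # live data, eg D:\FirmData (assumed)
        [int]$SampleSize = 5,
        [string]$Manifest = "restore-test-$(Get-Date -Format yyyyMMdd).csv"
    )
    $root  = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
    # Large media files are sampled like any other, since backup jobs sometimes exclude them.
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -File | Get-Random -Count $SampleSize)
    $files | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Size         = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Sampled      = (Get-Date).ToString('o')
        }
    } | Export-Csv -Path $Manifest -NoTypeInformation
    Write-Host "Recorded $($files.Count) files in $Manifest. Ask IT to restore these to a separate folder."
    return $Manifest
}

function Test-RestoreSample {
    param(
        [Parameter(Mandatory)] [string]$Manifest,
        [Parameter(Mandatory)] [string]$Restored     # where the restored copies were placed (assumed)
    )
    $failures = 0
    foreach ($row in Import-Csv -Path $Manifest) {
        $path = Join-Path $Restored $row.RelativePath
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "MISSING  $($row.RelativePath)"; $failures++; continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $row.Sha256) {
            # Same name but different content: the backup copy is stale or corrupt.
            Write-Warning "CHANGED  $($row.RelativePath) (hash mismatch)"; $failures++
        } else {
            Write-Host "OK       $($row.RelativePath)"
        }
    }
    if ($failures -eq 0) { Write-Host 'Restore test passed.' }
    else { Write-Warning "$failures file(s) failed; raise this with your IT provider." }
    return ($failures -eq 0)
}

# Usage (hypothetical paths):
# $m = New-RestoreSample -Source 'D:\FirmData' -SampleSize 5
# ... IT restores the files listed in $m to E:\RestoreTest ...
# Test-RestoreSample -Manifest $m -Restored 'E:\RestoreTest'
```

Keep the manifest somewhere the IT provider cannot edit, and run the check from a machine you control; the point of the exercise is an independent measurement, not a report from the people responsible for the backups.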
3. Use multi-factor authentication
We are all used to ‘MFA’ now: for example, when you log on to a bank website and cannot access your account until you have also entered the one-off code that was texted or emailed to you. Codes sent by text or email are the weakest form of MFA; an authenticator app on a phone, or a physical security key, is much harder for an attacker to intercept or to trick a user into handing over.
- Insurers now expect law firms to have this basic level of cyber protection.
- MFA should protect every route into your systems from outside, above all remote access to your network (the ‘VPN’, meaning Virtual Private Network) and any cloud-hosted email and document services.
- MFA can also help block attackers who have one set of stolen credentials from switching to other accounts on the network and doing further harm.
- There are free versions of MFA software, but these are typically capped at a small number of users (ten is a common limit).
- MFA also strengthens accountability. If a security incident does occur, the system and security logs that track each user’s activity are much harder to dispute, because a stolen password alone would not have been enough to act under that user’s name.
4. Separate your ‘admin’ and ‘user’ access
If you assume that sooner or later a cyber attacker is going to successfully take over the laptop of one of your staff, it makes sense to limit the damage that the attacker can then do.
- Give users access to the software and the files/directories that they need to use, but not to anything else.
- Only allow trusted IT experts to have ‘admin’ rights, which allows them to upload/update/remove software and so on.
5. Disable the ‘default’ admin account
It is not uncommon for the default local administrator account simply to be renamed. If you create a brand new account with administrative privileges to replace it, always disable the original rather than leaving it active under a new name.
- The default administrator account has a well-known security identifier (SID) associated with it, which does not change when the account is renamed: on a Windows machine it is the account whose SID ends in -500. Attackers and malware often target the account programmatically by this identifier, so renaming it hides nothing.
- Maintain strict control over who has admin rights and delete any unused admin accounts.
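Because the built-in account is identified by its SID rather than its name, the check can be done by SID as well. The following PowerShell function is an added example, not code from the original article: it finds the account whose SID ends in -500 whatever it is currently called, refuses to disable it unless at least one other enabled administrator exists on the machine (so you cannot lock yourself out), and then lists the remaining members of the local Administrators group for review. It assumes Windows PowerShell 5.1 run as an administrator on each machine; `-WhatIf` shows what would happen without changing anything.

```powershell
# Added example (not from the original article). Disables the built-in local
# Administrator account by its well-known RID (500) and reports remaining admins.
# Assumes an elevated Windows PowerShell 5.1 session on the machine being checked.

function Disable-BuiltInAdministrator {
    param([switch]$WhatIf)

    # The built-in Administrator always has a SID of the form S-1-5-21-<machine>-500,
    # whatever the account has been renamed to.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtIn) { throw 'Built-in Administrator account not found.' }

    # Members of the local Administrators group (well-known SID S-1-5-32-544),
    # excluding the built-in account itself.
    $otherAdmins = foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        if ($m.SID -eq $builtIn.SID) { continue }
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            $u = Get-LocalUser -SID $m.SID
            if ($u.Enabled) { $u.Name }          # only count enabled local admins
        } else {
            $m.Name                               # domain user or group: treated as usable
        }
    }
    if (-not $otherAdmins) {
        throw "Refusing to disable '$($builtIn.Name)': no other enabled administrator exists."
    }

    if ($builtIn.Enabled) {
        Disable-LocalUser -SID $builtIn.SID -WhatIf:$WhatIf
        Write-Host "Disabled built-in account '$($builtIn.Name)' ($($builtIn.SID.Value))."
    } else {
        Write-Host "Built-in account '$($builtIn.Name)' is already disabled."
    }

    # Summary for the admin-rights register; review OtherAdmins and remove any that are unused.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        BuiltInName     = $builtIn.Name
        BuiltInDisabled = -not (Get-LocalUser -SID $builtIn.SID).Enabled
        OtherAdmins     = @($otherAdmins)
    }
}

# Usage:
# Disable-BuiltInAdministrator -WhatIf     # dry run
# Disable-BuiltInAdministrator             # apply, then keep the output with your asset register
```

The `OtherAdmins` list is the useful by-product: it is exactly the list of people (and groups) with admin rights on that machine that the previous point asks you to keep under strict control.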
"Cyber attacks are indiscriminate. Any business that connects to the internet is vulnerable. Once an 'open door' is uncovered, hackers have many options for exploiting a law firm."
Chris Hannett, director, Cymplify
6. Restrict ‘BYOD’ devices wherever possible
BYOD stands for Bring Your Own Device and simply means that someone uses their own laptop, phone or other equipment to do work.
- BYOD represents a cost saving, but at the potential expense of security and is not recommended.
- Monitoring a person’s personal device, even one they have agreed to use for the firm’s work, is legally fraught in a way that monitoring firm-owned equipment is not: assume that in practice you can only monitor equipment the firm owns, and take specific legal advice before attempting anything else.
- You have little or no recourse over Intellectual Property on their personal device, other than to take legal action against them if they don’t wish to give you access or to remove it.
- You have no way to guarantee that someone’s personal device is free from malware.
- If all of your software is hosted ‘in the cloud’ (ie on a provider’s servers rather than on the device itself), BYOD is less of a problem, because the files stay on the provider’s systems rather than on the personal laptop or phone. It is not a full answer, though: the provider protects its own infrastructure, not the device, so a compromised personal device can still expose the logged-in session and any documents downloaded to it, with the potential for GDPR breaches if that data is stolen.
7. Use encryption
Encryption can protect your website, your equipment and your data.
- If your firm’s website URL starts with https: (as opposed to http:), the connection to the site is encrypted. The web traffic between the client’s browser and the web server cannot be read or altered in transit, so as long as neither the server nor the connecting device has been compromised, no one should be able to eavesdrop on the messages and data being transferred. It says nothing about whether the site itself is trustworthy, which is why phishing sites use https: too.
- A feature of Windows such as BitLocker full-disk encryption encrypts all of the user files and system files on a computer’s drive. If the device is lost or stolen while switched off or locked, the data cannot be read by a third party, provided the recovery key is not stored on or with the device.
- Once disk encryption is enabled, the data on the drive stays encrypted whether the equipment is switched on or off. The protection only counts, though, while the device is locked or powered down: once a user has unlocked it, whoever has that session can read the files.
- Only someone with the correct username and password (etc) can unlock it, so make sure that login is a long, complex password or passphrase that will not be guessed (and, where practical, a BitLocker PIN required at start-up), and use MFA for the accounts and services reached from the device.
- The theft of an encrypted laptop is unlikely to need reporting to the ICO (the Information Commissioner’s Office) or to the SRA, provided that you have evidence of the encryption and the recovery key was not stored with the device; you should still record the incident and the reasoning behind your decision. A simple screenshot of the encryption being turned on, pasted into a dated email, is the minimum evidence; a dated record of each device’s encryption status, taken regularly, is better. Once encrypted, even the most sensitive personal or financial information is safe provided a good password and, ideally, MFA are used.
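A dated record of encryption status is easy to produce on each laptop. The following PowerShell function is an added example and not part of the original article: it queries BitLocker for every volume, appends a dated row per drive to a CSV file, and warns about anything that would undermine a later claim that the device was encrypted (protection switched off, encryption still in progress, or no recovery password protector, which means there is no recovery key to have backed up). It assumes an elevated Windows PowerShell session on a machine with BitLocker available; the output path is a placeholder.

```powershell
# Added example (not from the original article). Records BitLocker status for
# every volume as dated evidence and flags gaps. Output path is an assumption.

function Get-BitLockerEvidence {
    param([string]$OutFile = "$env:USERPROFILE\bitlocker-evidence.csv")

    $records = foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Checked          = (Get-Date).ToString('o')
            Drive            = $v.MountPoint
            Protection       = $v.ProtectionStatus     # On = keys are actually protecting the data
            VolumeStatus     = $v.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted...
            PercentEncrypted = $v.EncryptionPercentage
            KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
        }
    }

    # Append, so the file becomes a running, dated history rather than a single snapshot.
    $records | Export-Csv -Path $OutFile -NoTypeInformation -Append

    foreach ($r in $records) {
        if ($r.Protection -ne 'On' -or $r.VolumeStatus -ne 'FullyEncrypted') {
            Write-Warning "$($r.Drive): protection $($r.Protection), status $($r.VolumeStatus)"
        }
        if ($r.KeyProtectors -notmatch 'RecoveryPassword') {
            Write-Warning "$($r.Drive): no recovery password protector; add one and back it up away from the device"
        }
    }
    return $records
}

# Usage: run on each laptop and keep the CSV with your asset register.
# Get-BitLockerEvidence | Format-Table Drive, Protection, VolumeStatus, KeyProtectors
```

The warnings matter more than the rows: a drive that shows `FullyEncrypted` but `Protection: Off` (a state BitLocker can be left in after maintenance) is not protected, and a screenshot taken in that state would not support the claim that the data was safe.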
8. Have a real, practised disaster recovery plan
If your disaster recovery plan is a ‘box tick’ plan downloaded from the web and then filed away somewhere, it will be of little help in a real emergency.
- By all means use a standard template as your starting point, but then customise it for your firm.
- It should make clear who has responsibility for doing what, in what order.
- For example, who contacts who, using what means of communication? Is there a cascading ‘phone-tree’ plan? Are all the phone numbers written down?
- Who decides when/whether/how to tell clients?
- Stick to the plan. Avoid individuals from senior management trying to take over in a making-it-up-as-they-go-along way, by having the plan agreed and supported by senior management in the first place.
- The best way to test a plan is to do just that. Test your disaster recovery plan, by simulating a scenario. So you might simulate a stolen laptop to start with, then simulate a CRM disaster six months later, then a main server disaster, and then a supplier that has been hacked.
9. Always update software with the ‘patches’ provided
Just as software providers regularly update their software to improve it, they also send out a stream of patches to correct faults and to close the holes that the latest cyber attacks exploit. In the case of smaller firms, much of this happens automatically; for example, when you switch on your computer and Microsoft 365 opens, it downloads any updates (unless it has been set up not to). Check periodically that this is actually happening rather than assuming it.
- Some firms might choose to schedule updates and patches during quiet times.
- If for some reason you are wary about updating or patching an item of software, it is sometimes better to wait until you can see that other organisations have gone ahead and have not had any problems, or to try the patch on one or two machines first. On the other hand, waiting too long may leave you vulnerable to the cyber attack that the patch is intended to defend against.
10. Train your staff
This is another area where some firms operate on a ‘box tick’ basis, sitting people down once a year to hear someone speak about the dangers of ‘bad links’ and so on. A week later, it is all forgotten.
- Rather than just discussing cyber risks, test out whether staff follow your policies.
- A good start is to occasionally send your team a fake phishing email, to see who opens it.
- Start by sending emails with the most obvious signs of a fake: messages in poorly worded English, and sender addresses or links that do not match the supposed sender (eg a message from HSBC or DHL sent from an address such as [name/word]@gmail.com that anyone could create).
- Then send emails with tell-tale signs of danger: urgency, communicating a change of bank account details, or asking for money to be sent.
- With proper training, your team will be suspicious of any email that is unexpected, which is a good starting point. Hovering over links without clicking (or pressing and holding them on a phone) to reveal where they really lead is another simple technique that staff can use.
- There are suppliers that specialise in security audits, including phishing simulation.
EPP software (‘Endpoint Protection Platform’) is one of the best technical solutions available to prevent malware from entering your system. Some of the best can block malicious files from writing to the computer even if it is unpatched, but that is a topic for another day.
Why do law firms choose Travelers?
It’s because Travelers has unmatched expertise and longevity in the legal sector, with a dedicated team of experts in underwriting, claims and risk management.