Three key steps to make your firm more cybersecure
Cybersecurity is one of the most pressing issues facing businesses today. A recent survey by the American Bar Association found that one in four law firms has experienced a cyberattack (ABA 2021 Legal Technology Survey Report). No one is immune, so maximizing resilience is key to preventing a threat from turning into a breach. But what does best practice look like? Having delved into some of today’s most common cyberdata threats in a separate post, here we examine the fundamental ways in which firms can best protect themselves against cyber threats.
1. Focus on security education
85% of data breaches involve a “human element,” according to U.S. telecommunications giant Verizon (Verizon 2021 Data Breach Investigations Report). They may have been facilitated by people unwittingly clicking on malicious links, opening infected attachments, visiting vulnerable websites, or falling victim to “phishing” scams in which they are tricked into handing over information, providing access to secure systems, or making payments to criminals.
“The easiest vector for a cyber breach is the user,” says Mark Gendein, Principal Architect at Thomson Reuters. “They are much simpler to fool than an expert system.” Senior Cloud Solutions Architect at Microsoft® Jesse Mrasek agrees, “Most of the issues in cybersecurity come down to user education.”
Staff need to know what sorts of cyberattacks are prevalent and emerging so they can be on the alert and recognize where they could expose the firm to vulnerabilities, for instance by connecting to public Wi-Fi networks or inserting USB sticks when they are not sure they are safe. They must accept the need for inconvenient safety checks like multi-factor authentication — where identity must be double checked with a unique code or via a specific app — and see why adding those extra few seconds to processes is so important.
They need to understand how significant the consequences of a data breach could be and be kept on their toes with practice drills, which simulate security breaches and test organizations’ responses. This should not be hard to do — one way is to run drills that are available for free with many Microsoft licenses.
2. Layer your security with robust processes
Cybersecurity is, or should be, a multi-faceted thing. Devices, workstations, laptops, cell phones, and tablets — whether used on premises or in a remote environment — need to be up to date with the latest security patches and have anti-malware software installed. Multi-factor authentication is a must to make it harder to hack into systems. “Privileged identity management” is another layer. Mrasek explains that this is where you “give people as few permissions as possible and only when they need them; then, if their credentials are compromised, the risk of criminals getting hold of anything important is minimized, even negated.”
Robust security management frameworks should be in place. For example, systems can be configured to require that devices are updated to the latest software within a certain number of days, to verify that anti-virus software is running, and to check that a virtual private network (VPN) is in use when working remotely, all of which makes the devices harder to hack. Devices that fail these checks are automatically blocked from accessing documents, email, and other important programs.
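As an added illustration of the compliance gate just described (this is example code, not code from the post, Thomson Reuters, or Microsoft), the snippet below evaluates a device against three rules and blocks access on any failure. The 14-day patch threshold, the device fields, and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    """Constructed device record; fields mirror the checks in the text."""
    name: str
    last_patch: date          # date security patches were last applied
    antivirus_running: bool
    remote: bool              # True when connecting from outside the office
    vpn_connected: bool


@dataclass
class Policy:
    """Assumed thresholds; a real framework would set these centrally."""
    max_patch_age_days: int = 14
    require_antivirus: bool = True
    require_vpn_when_remote: bool = True


def evaluate(device: Device, policy: Policy, today: date) -> list:
    """Return the list of failed checks; an empty list means the device is compliant."""
    failures = []
    age = (today - device.last_patch).days
    if age > policy.max_patch_age_days:
        failures.append(f"patches {age} days old (limit {policy.max_patch_age_days})")
    if policy.require_antivirus and not device.antivirus_running:
        failures.append("anti-virus not running")
    if policy.require_vpn_when_remote and device.remote and not device.vpn_connected:
        failures.append("remote session without VPN")
    return failures


def access_decision(device: Device, policy: Policy, today: date) -> tuple:
    """Block on any failure, and report the reasons so the user knows how to fix it."""
    failures = evaluate(device, policy, today)
    return ("allow" if not failures else "block", failures)


# Constructed sample data for a stand-alone run
TODAY = date(2024, 3, 1)
SAMPLE_DEVICES = [
    Device("laptop-01", date(2024, 2, 25), True, True, True),    # compliant
    Device("laptop-02", date(2024, 1, 10), True, False, False),  # stale patches
    Device("phone-03", date(2024, 2, 28), False, True, False),   # no AV, no VPN
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        decision, reasons = access_decision(d, Policy(), TODAY)
        print(d.name, decision, "; ".join(reasons))
```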
3. Invest in smart software technologies
Just as strengthening internal systems is important, it is also essential to ensure that external solutions are robust. It’s critical to use market-leading third-party vendors that layer up their own product security by building secure environments and then applying standards on top of standards to create fit-for-purpose solutions. For example, Thomson Reuters works with Microsoft to build on top of Microsoft Azure® — which is designed for general business cloud purposes — to create applications that are tailored for the specific needs of law firms and include privileged identity management as standard.
“This is an arms race,” says Gendein. “Attackers are using smarter and smarter technologies. Even for a medium-sized law firm you would have to analyze thousands — if not millions — of signals per hour to understand where threats are coming from. So, unless you are using smart tech tools too, you’re behind — you just can’t do it.”
When investigating potential third-party solutions, it’s important to ask the right questions of vendors. For example:
- Find out how identity is managed. Who is responsible for managing users — is it the firm or the vendor? Are responsibilities separated correctly, so people don’t have access to information or permissions they don’t need? Does the vendor support federated identity, where an employee can access multiple applications with a single user identity?
- Ask to see their audits. Reputable vendors should be independently audited. However, when talking to well-known, trusted brands, you should be able to take them at their word.
- Make sure they are using consistent practices across the board. Vendors should be straightforward when answering questions about encryption. For instance, they either encrypt everything, or they don’t. In Gendein’s opinion, “The technology may be complex, but the outcomes need to be simple.”
Following these basic steps can make a major difference to a firm’s understanding of — and preparedness for — cyber risk both on an individual and a corporate level. Communication and education must be combined with robust processes and smart technologies to create defenses that are truly impregnable to unknown and unseen attackers. Firms that take this three-pronged approach will be in the best position to head off threats that will doubtless be embarrassing, could be extremely costly, and may even prove existential if not prevented.