Small to midsize law firms have been increasingly targeted for cyberattacks. Cybercriminals know that smaller companies are less likely than their larger counterparts to have sophisticated security protocols in place, and that law firm data is particularly valuable. The confidential nature of attorney-client relationships gives lawyers added motivation to pay a ransom to recover their sensitive data, which is not lost on bad actors. In fact, 24.9% of all ransomware attacks in 1Q 2021 targeted professional services firms, especially small and midsize law firms, according to Coveware.
But despite the growing risk of cyberattacks, law firms continue to make critical mistakes that leave their systems vulnerable to breaches. Below are 5 common cybersecurity mistakes law firms make.
Using Outdated Systems and Software
The focus of a law firm is to provide legal counsel to its clients. As IT is not a law firm’s main focus, many law firms lack a full understanding of their system’s architecture. They may run old, unsupported operating systems and/or fail to update their software as needed. These failures leave the door open for cybercriminals to breach the network. A law firm’s IT partner must have a full understanding of how extensive the network is, how it is segmented, and where data is stored. Furthermore, protocols must be put in place to ensure timely updates of software as needed.
Relying Too Heavily on Anti-virus Software
Updated anti-virus software is an important tool in the fight against cyberattacks, but it will not stop every threat. Round-the-clock monitoring systems (AKA “eyes on glass”), which search for aberrant behavior across a firm’s operations, can pinpoint unusual activity that may indicate an attack has occurred or is in progress. A monitoring system should be accompanied by a breach response plan to rapidly address any suspected or confirmed security breaches that may arise.
Neglecting the Basics
The use of strong passwords, multi-factor authentication (MFA), limited access, and encrypted data transport methods can go a long way in preventing attacks. But many companies continue to neglect these first-line security defenses. It is important to institute a password policy that requires strong, complex passwords and automatically prompts users to update their password frequently. In this day and age, every company should have MFA, which requires all users to enter a code or another form of authentication in addition to a password when accessing any of the firm’s systems. Individual users’ access should be limited to those systems and/or data that they need to perform their jobs. And end-to-end encryption should be used whenever data is transported from one system to another, such as when an attorney emails sensitive documents to a client.
Failing to Train Staff Properly
Cybersecurity is not exclusively IT’s responsibility. It requires a holistic approach and involvement from every member of the firm. Too many law firms neglect to sufficiently train their attorneys and staff members about things they can do to avoid security breaches. Every member of the firm needs periodic education about cybersecurity trends and threats that may put the firm at risk. The entire team should also be given regular reminders about the dangers of engaging in unsafe practices, from clicking on links from unknown sources to using unsecured websites, and what steps to take to immediately respond to potential cyber threats or breaches.
Handling Cybersecurity on Their Own
Many law firms do not have the in-house resources or expertise to fully appreciate what is needed to safeguard their entire network from potential breaches. Because of this and/or a desire to limit expenses, many firms opt to manage their cybersecurity on their own. However, in today’s rapidly evolving threat environment, law firms could significantly enhance their protection by partnering with a competent IT partner that has the specialized expertise and resources to develop a thorough security policy, implement and manage adherence to the policy, provide maintenance and updates, staff training, and monitoring services. Given the ubiquity of cybersecurity breaches – 42% of small and midsize businesses experienced an attack over the last 12 months, according to a 2021 study by AdvisorSmith – and the potential cost involved – a cybersecurity data breach costs small and midsize businesses $108,000 on average, according to Kapersky – it’s prudent for law firms to leave cybersecurity in the hands of a team of dedicated, knowledgeable professionals.
Tabush Group is a leading provider of Desktop as a Service and managed IT services for small and midsize professional service providers. For more information about our comprehensive services, click here.