Cybersecurity Awareness Month
October is Cybersecurity Awareness Month. With cybercrime on the rise and more people finding themselves victims of cyberattacks, it is important to be aware of what it means to be cyber secure and best practices to keep you and your clients’ information safe.
Cyberattacks can have major implications on lawyers, both financially and reputationally:
- In 2021, the average cost of a data breach reached $4.24 million USD, according to IBM’s annual Cost of a Data Breach Report.
- About 43 per cent of cyberattacks are aimed at small businesses.
- Cybercrime resulted in a total loss of about $6 trillion worldwide in 2021.
- One cyberattack happens every 11 seconds.
Cyber Risks to Law Firms
Law firms can be a target for hackers because of the large amounts of personal client information they hold in their systems. Specific types of cyber risks that law firms could be susceptible to include:
- Data breaches: This risk involves the theft of personal or sensitive data from law firms and can be perpetrated for a variety of reasons, including financial gain or retaliatory purposes. Cyber criminals will typically execute these attacks by accessing the law firm’s computer from a remote location, collecting the personal or sensitive data and distributing it to third parties.
- Ransomware: Ransomware is a type of malicious software that attackers use to lock a victim’s files. The attacker then demands a ransom be paid to restore access to the files. If the ransom isn’t paid, cyber attackers often threaten to publish the sensitive information.
- Phishing: Involves sending a message to individuals in the hopes of getting them to send back confidential or personal information, including usernames, passwords or client details.
- Website attacks: Lawyers visit multiple legitimate websites in a day as a part of their daily responsibilities. Criminals and hackers exploit this by infecting the computers of individuals who visit less secure websites.
- Bring you own device (BYOD)/ Remote devices: Employees/staff using personal devices to access confidential client data/accounting software/online banking pose a risk since these devices generally do not carry the same level of security that organizational devices maintain.
Why you Need Cybersecurity
Cybersecurity refers to the technologies, processes and practices designed to protect an organization’s information assets — computers, networks, programs and data — from unauthorized access. Cybersecurity prevents and detects fraudsters attempts to steal personal information (including online account and banking information) for financial gain.
While cybersecurity measures can require time and money to implement properly, the investment is well worth the cost. Protecting client assets, data and information is critical and your law firm’s reputation depends on this discretion. It is also a professional and ethical obligation to protect sensitive client information, so reasonable steps must be taken to secure anything that could be considered confidential.
From a business standpoint, investing in cybersecurity could save you millions in the long run by avoiding potential fines, lawsuits and losses from cyberattacks. By limiting your cyber risk, you improve your business continuity and maintain system and staff productivity.
Mitigate Your Cyber Risk
There are several measures you can put in place to mitigate cyber risk and protect sensitive client information. Consider implementing the following best practices in your law practice to strengthen your cybersecurity:
- Use strong passwords (12 or more letters, numbers and symbols is recommended).
- Use anti-virus software and ensure it is updated regularly.
- Manage staff member access to online banking and accounting software. Ensure staff have no more permission/access than necessary to perform their roles in those applications (in other words, use the principle of least privilege).
- Confirm ex-employee access rights to the firm’s databases are disabled immediately upon exit.
- Contract IT experts to manage database, network and system security.
- Invest in a firewall system that prevents intrusion into your network and notifies you when an intrusion has occurred.
- Verify that an IT team or qualified staff member performs annual testing of the system to ensure internal controls are in place to prevent/detect/correct cyberattacks.
- Implement multifactor authentication for all your tools.
- Educate and train staff members on ways to protect client information, banking system security and accounting software access.
- Don’t share passwords, credit card numbers or other sensitive items via email. Use password protection tools to secure passwords.
Develop a Business Continuity Plan
The goal of a Business Continuity Plan (BCP) is to enable an organization to restore critical business processes after a disaster or incident has occurred. It is a risk management technique designed to create business continuity capabilities to match likely risks based on business value.
Steps involved in building a BCP include:
- Identifying assets, resources and systems that are key to organization daily operations and ensuring there are internal controls/plans in place to safeguard those assets.
- Determining how soon any critical systems can be recovered if they are affected by a disaster/IT attack.
- Verifying that there is a disaster recovery plan for IT systems such as regaining access to data (i.e., hard drives and accounting software) and communication systems (i.e., email and phones).
- Training staff members on their role in recovering communication devices, network systems and other resources in the event of an emergency.
- Backing up data and ensuring the back up data storage is located away from the primary storage.
For more information on cybersecurity and what you can do to safeguard your firm, refer to the following resources:
- October is Cyber Security Awareness Month in Canada
- Cybercrime Risks and Cybersecurity Policies for Law Office Data (natlawreview.com)
- 26 Cyber Security Statistics, Facts & Trends in 2022 (cloudwards.net)
- Cybersecurity for Law Firms: What Legal Professionals Should Know – Law Technology Today
- 23 Terrifying Cyber Attack Statistics to Know in 2022 | Icoinical
- Government of Canada – Getcybersafe.ca