8 IT security mistakes law firms make

The IT security landscape and the threats faced by law firms have changed little in the last 20 years. The nature of these threats, however, has changed drastically and many firms are yet to catch up.

While the old hackers typically hacked for fun, interest and challenge – the main driver for the modern hacker is now money. Particularly around extortion and blackmail. This trend has brought attacks to the gates of every single firm, no matter their size. Your information is valuable and when hackers gain access to it, they can deal huge damage to your brand or extort money. And for law firms where trust and respect of the client and protection of their highly sensitive information is paramount, you cannot afford a breach.

Legal firms may think they’re not at risk from an IT security breach, or believe they’re doing enough to protect their sensitive data, yet here are eight common mistakes I see firms making time and time again when it comes to IT security.

What are the IT security threats for law firms?

1. No two-factor authentication

Many firms are still only using passwords to access IT platforms, both within the office and whilst working remotely. Passwords are simply not secure on their own. The number of passwords every member of staff needs to remember this day and age is too vast, and the threat landscape is too big to solely rely on them.

The solution which many sectors have adopted already is two-factor authentication, for example, a password and a token. Many banks insist on this, and for a good reason.

2. No disaster recovery and continuity plans

A tried and tested business continuity plan is essential for any firm. However, many will not have one and those which do will not really test is regularly or earnestly enough. This is one of the biggest and most worrying lapses in security. Not having a plan to recover and operate after a significant event is negligent, verging on criminal. Try explaining to your insurance firm after a disaster why you can’t show them your recovery plans.

3. Device control

Most legal firms have mobile devices such as laptops, iPads, mobile phones and the like, but few are controlled by the firm. For example, some firms will allow employees to pick up work email on a personal device. This is completely negligent unless you have secure controls in place. It’s also concerning to see that a number of firms are still not encrypting every mobile device containing sensitive data. If you believe your information is not of use to a third-party, you are very wrong.

How would a partner explain to a key client that their sensitive information had been stolen or leaked to a third-party? What if that third party was the press, keen to highlight how legal firms like yours still aren’t taking client data security seriously? A breach like this could permanently damage or even end your business.

4. No asset list or risk register

Most firms haven’t really evaluated what their risks are. You simply cannot protect what you haven’t assessed. Firms need to evaluate every asset and service within their business, not simply IT hardware and systems. They should also be looking at their other assets, e.g. their brand, their people, etc.

Once these are identified, you must assess the risks associated with that asset and how it could impact the firm. With this information, the controls for those risks should be documented. You can’t be comfortable with the security of your firm if you haven’t been through this process.

5. No patch management

This is something that still doesn’t happen to the level that it should. Many firms still have no formal patch management strategy. I know that it’s painful for an IT department to do, but it is so important to get critical updates on machines as soon as possible. A significant percentage of hackers, viruses and Trojans use vulnerabilities in software to gain control over a device, so it needs to be done.

6. No staff training

The largest weakness of a firm’s security is its people. It’s imperative that people understand the risk they pose and how to be more aware of the threats. You’d be surprised how many firms I could breach within minutes by simply calling up, pretending to be a new member of the IT team and directing them to a web page to allow myself access. The risks around staff are huge and educating them is essential.

7. Device disposal

We are all aware of the risk of disposing of PCs, laptops and similar devices properly to ensure that no data is left on them. However legal firms scan and print large amounts of data and this also poses a risk. The information is sent to a printer’s internal disk before it is printed, be mindful that these disks will hold sensitive data, so ensure they are wiped or destroyed before you dispose of them.

8. Being lax

If you don’t take IT security seriously then you will suffer at some point. How badly you are affected is a game of chance. Do not think for a second that you are not at risk, or IT security can simply be seen as an IT department problem and leave your team to it. You need to take responsibility for IT security as you are most certainly accountable.

There are many more risks than this out there, but you need to shut the doors and windows before you start sealing the cracks.

Robert Rutherford, CEO of QuoStar