Campbell McKenzie, Forensic Technology Expert and Cyber Security Consultant at Incident Response Solutions, shares an overview of the key issues that law firms need to be aware of to prevent cyber attacks and data breaches. As new technologies are adopted, new risks are introduced, and it is imperative that your law firm can respond effectively to such attacks.
Recent advances in cloud and legal technologies are enabling law firms to transform their information systems. These new technologies present business opportunities; however, they also introduce new risks.
A cyber-attack or data breach at a law firm has the potential to cause reputational damage, financial loss and disruption. Law firms store large quantities of sensitive client information and process significant financial transactions on behalf of their clients, and these activities present a rich target for cybercriminals.
All law firms and lawyers in sole practice have obligations as an agency under New Zealand’s Privacy Act, including ensuring that security safeguards reasonably protect the information they hold against loss and misuse. The Privacy Act 2020 strengthens these obligations further by adding requirements such as the mandatory notification of harmful privacy breaches. Therefore, it is imperative for law firms to proactively manage their cyber-risk and prepare to respond effectively to any attack or breach.
As a law firm’s information systems are an attractive target, cybercriminals will go to great lengths to compromise them using a variety of attack types.
Current research suggests that Business Email Compromise (BEC) attacks have risen significantly in 2020. Based on our experience of responding to actual incidents in New Zealand, we consider that a BEC attack carries a sizeable impact for a law firm. In fact, such attacks have become so common that the New Zealand Law Society now has a dedicated Practice Resource on its website.
A BEC typically starts with a phishing attack in which the attacker changes or “spoofs” an email address to make it appear legitimate. The attackers convince the unsuspecting email recipient to enter their login credentials in order to access a file. The attackers then use the compromised credentials to read the victim’s emails and forge invoices that direct payment to their own bank account.
Lawyers should consider the following cyber-security measures:
- Enable two-factor authentication (2FA) on all accounts and use long and unique passwords.
- Implement processes to verify invoices and account details for money transfers.
- Conduct cybersecurity user awareness training for staff and educate your clients about your firm’s financial processes to avoid them falling victim to a fraud.
- Instigate ‘cooling-off’ periods for changing account details for high-value transactions.
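As an added illustration that is not part of the original article, the following Python check automates the sender questions that matter for the BEC pattern described above: is this the address we have on file for this person, does the domain merely look like one we know, and would a reply be diverted elsewhere? The address book and all addresses are constructed sample data.

```python
"""Sender checks for suspected Business Email Compromise (added example, constructed data)."""
from email.utils import parseaddr

# Constructed address book: display name -> the address the firm has on file.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example-law.co.nz",
    "Bob Client": "bob@client-example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one or two changed letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Return a list of warnings for a message's From and Reply-To headers."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. A familiar display name on an unfamiliar address is the classic BEC lure.
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr:
        warnings.append(f"display name '{name}' is on file with {known}, not {addr}")

    # 2. A domain within two edits of a known one is a likely lookalike (rn vs m, etc.).
    known_domains = {a.rsplit("@", 1)[-1] for a in KNOWN_CONTACTS.values()}
    for kd in sorted(known_domains):
        if domain != kd and edit_distance(domain, kd) <= 2:
            warnings.append(f"domain {domain} looks like known domain {kd}")

    # 3. A Reply-To that differs from From silently redirects the conversation.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr:
            warnings.append(f"replies would go to {reply_addr}, not {addr}")
    return warnings


if __name__ == "__main__":
    for w in check_sender("Jane Smith <jane.smith@exarnple-law.co.nz>"):
        print("WARNING:", w)
```

Any warning is a cue to verify by phone on a number already on file, never via details in the email itself.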
To manage your firm’s wider cyber risk, a suitable framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework will enable you to assess maturity across the five functions: identify, protect, detect, respond and recover. The New Zealand government recommends this framework, which can also help your firm establish a structured cybersecurity improvement programme.
While protecting against and detecting cybersecurity incidents is crucial, it is also vital that a law firm plans to respond effectively to any potential compromise. A cyber incident response plan tailored to your law firm is a key tool in dealing with a privacy breach and helps to ensure a smooth response and recovery. A tabletop simulation will test whether your plan is effective.
It may not be possible to prevent all cyber-attacks; however, with sufficient preparation it is possible to minimise the impact of any breach on your firm. Our top cybersecurity tips for law firms are listed below:
- Cloud Computing: When sharing documents on a cloud platform, ensure you set the correct permissions.
- Websites: Beware of suspicious websites sent via email. Read the following training resource from the New Zealand Domain Name Commission.
- Social Media: Be careful about what you share. The more you post, the easier it is to have your identity stolen.
- Emails: When receiving emails, be careful with links and attachments. Ask yourself:
  - Do I know this person, and is this their usual email address?
  - Does the email subject look unusual? Is there an attachment?
  - Does the email ask me to visit a website, send personal information or reply immediately?
- Invoice hijacking: Warn your clients never to send funds to a new account without speaking to your firm first. Remind clients to check the addresses of any emails purportedly sent by your firm, particularly if they relate to the payment of funds.
- Working Remotely: Avoid transferring confidential information over public Wi-Fi networks. Use a Virtual Private Network (VPN) and ensure that your remote software is up to date.
- Password and Access Management: Use a password management system. Apply multi-factor authentication (MFA or 2FA).
- User Training and Awareness: Ensure your staff receive appropriate training so that everyone is aware of their role in keeping the firm secure. Additional recommended training resources:
Further information about all of the issues discussed above and more can be found in the Cybersecurity Guide for Law Firms available here.