
Cybersecurity Best Practices: How to Bulletproof Your Law Firm + Webinar Replay

By Amisha Shah | Tuesday, July 17th, 2018

A staggering 62% of UK law firms suffered a security breach in 2016, according to PwC's annual Law Firms' Survey 2017. Such breaches are highly disruptive to daily operations and to a firm's reputation, and they hit the bottom line and revenue too. The Ponemon Institute, a well-known privacy and data security research body, found in its 2017 'Cost of Data Breach' study that the average global cost of a stolen record was $141. That figure varies by industry and is likely to be higher for businesses in the professional services sector, such as legal and financial firms.

Because any given law firm's network holds highly sensitive client information, law firms are an attractive target for cyber-criminals, and the attacks we see are becoming more sophisticated and more varied in how they go after that confidential data. Firms must therefore put the right security practices in place and keep acting on them to protect themselves and the clients they represent.

In a recent webinar, Eze Castle Integration's Executive Director, Dean Hill, and our certified Business Continuity and Data Privacy Consultant, Matt Donahue, walked through the threats in today's landscape, their impact, and their top tips for bulletproofing firms against them.

Below is a summary of key points of discussion, as well as the full webinar replay.

Threat Types

Different threats in today’s landscape include:

  • Physical security attacks

  • Malware

  • Mobile device theft

  • Insider data leakage/theft

  • External hacking/DoS

  • Social Engineering

These threats are typical across most industries and firm sizes. It is worth noting that not all of them are external, and that some of the most successful attacks depend on an employee doing something for the attacker, such as opening an attachment, following a link or acting on a fraudulent request.

Having the Right Security Layers in Place to Become Bulletproof

With the right defence controls, planning and practices in place, law firms can greatly reduce both the likelihood and the impact of cyber-threats. Equally important is a mindset of planning for failure, so that the firm is prepared to respond if a breach does occur. The steps firms should follow to put layers of security in place, which correspond to the five functions of the NIST Cybersecurity Framework, are:

  • Identify – Cyber Assessments, IT audits, Network Inventory

  • Protect – Access control, Phishing Tests, InfoSec Training, Encryption

  • Detect – Vulnerability Assessments, Penetration Testing, Continuous Security Monitoring

  • Respond – Incident Response Planning, Remediation Services

  • Recover – Disaster Recovery, Security Policy Audit & Maintenance

Incident Response Planning to Fight Back

Unfortunately, facing threats is a reality for every firm, and the severity of an incident and its overall impact is often a direct reflection of the systems, safeguards and programmes the firm had in place to mitigate those risks beforehand.

Firms should have strong business continuity measures and an incident response plan in place to fight back. Successful incident response planning should include the following steps:

  1. Establishing an incident response planning team

  2. Identifying the type and extent of an incident

  3. Escalating incidents as necessary

  4. Notifying affected parties and outside organisations

  5. Gathering evidence

  6. Mitigating risk and exposure

Third Party Due Diligence with Vendor Risk Management

From a security perspective, as more firms rely on outsourced providers, it is important to understand the risks associated with each vendor and with any third parties those vendors in turn interact with. Firms should assess vendors for risk at least annually as part of ongoing third-party due diligence.

Making Your Employees a Cybersecurity Asset

The threat landscape is ever-changing, with firms falling victim to increasingly sophisticated cyber-attacks. Becoming bulletproof therefore means accounting for the human factor as well as the technical one.

Making employees a cybersecurity asset involves ongoing training and testing. Regular InfoSec training and simulated phishing tests are a 'no-fault' way of assessing whether employees can recognise the suspicious emails and requests they are likely to encounter in real life. Firms can then target further training at the weaker areas the tests reveal, closing gaps in their security.

Take a look at this short webinar replay to learn top tips to bulletproof your law firm against cyber-threats and criminals.
