When it comes to hiring IT support for law firms, too many practices stop short of making the cybersecurity investments they need. According to the American Bar Association TechReport, nearly half of all firms are missing one or more of the key cybersecurity tools they need to stay safe. This is particularly concerning given that, globally, cyberattacks on the legal industry are up 13% to 1,055 attacks a week, according to a recent report by Check Point.
There are many reasons why the cybersecurity landscape is getting more difficult for law firms. AI has lowered the barrier to entry for attackers: non-programmers can now generate custom malware and produce convincing deepfakes and phishing lures in seconds. More scammers than ever are operating, and they recognize that smaller companies and consultancies, law firms included, are high-stakes, high-reward targets that are easier to breach. With law firms lagging many other industries in cybersecurity investment, those scammers aren't wrong.
When you’re running a lean practice administration, it’s tempting to let the ever-growing list of cybersecurity concerns fall to the bottom of the priority list. Don’t let your firm be an easy target. Let’s dig into the areas many law firms neglect when it comes to cybersecurity, and what you can do to create scalable, affordable security options for your firm.
IT Support for Law Firms: Common Cybersecurity Pitfalls
Law firms face unique cybersecurity challenges due to the sensitive nature of their work. Here are some common pitfalls:
Data Handling and Compliance
Law firms face unique cybersecurity challenges because of the privileged and confidential data they handle. Because of this, it's essential that you have an encrypted, secure method for exchanging files with your clients. Many law firms already use document management software designed specifically for legal practices, and that's a great start.
Firms are more likely to trip up, however, on data handling compliance. Your firm will be required to follow the same data handling rules that your clients must follow. That means if you're transferring HIPAA-covered patient data between you and your client, you'll be required to follow HIPAA's requirements for handling that data. The same goes for personal data covered by GDPR, or sensitive defense-contractor data that falls under CMMC requirements.
Clients like these will require you to show proof of your good cybersecurity hygiene before they start working with you. The good news is that law firms that make these investments up front make themselves very attractive to new clients with a heavy regulatory load.
Social Engineering and Phishing Attacks
Law firms are in a high-touch field that requires many detailed client interactions. Because of this, law firms are uniquely vulnerable to well-crafted social engineering attacks designed to get your staff to give up valuable secrets. Here are some common social engineering techniques, and how they might play out at your firm:
Spear Phishing:
Targets specific individuals using personalized information to make the attack more convincing. Example: An email to a senior partner referencing recent cases to request sensitive information.
Whaling:
Targets high-profile individuals such as executives or senior partners with highly customized attacks. Example: A call or email to a managing partner, apparently from a major client, requesting urgent action on a legal matter.
Business Email Compromise (BEC):
Attackers gain access to business email accounts to conduct unauthorized transactions or gather sensitive information. Example: Fraudulent invoices sent to clients from a compromised finance manager’s email.
Pretexting:
Creating a fabricated scenario to trick someone into divulging information or performing an action. Example: A call from “IT” asking for login credentials to fix a network issue.
Baiting:
Offering something enticing to lure victims into a trap, such as downloading malware. Example: USB drives labeled “Confidential” left in the firm’s parking lot.
Vishing (Voice Phishing):
Using phone calls to trick individuals into revealing personal information. Example: A call from “the firm’s bank” asking for verification details.
Smishing (SMS Phishing):
Sending fraudulent text messages to trick recipients into revealing information or downloading malware.
Watering Hole Attacks:
Compromising websites frequently visited by the target organization, infecting them with malware. Example: A legal news website infected with malware that targets visitors from a specific law firm.
Deepfake Attacks:
Using realistic but fake audio or video to impersonate someone in a position of authority. Example: A deepfake call from a major client instructing a fund transfer.
Social engineering attacks are getting incredibly sophisticated and far more difficult to spot. Take, for instance, the recent story of a finance worker in Hong Kong who was duped into transferring more than $20 million to scammers who staged a deepfaked video call. Failing to train your team to spot scammers can cost your firm and your clients alike.
Poor Planning, Patching, Monitoring, and Documentation
Most small and mid-sized firms don't have the budget for a large, diverse internal IT department. Because of this, many firms are missing key IT governance tasks that keep cybersecurity operations running properly. Common gaps include:
- Failure to patch existing programs or run updates in a timely manner, leaving your firm wide open to known vulnerabilities
- Lack of written plans for outages or disasters, so no one knows what to do when the worst happens
- Inadequate backups that result in critical lost data
- Poor monitoring of your systems, so patterns go unnoticed and anomalies go unchecked
These small oversights add up over time and significantly affect the health of your systems. Even worse, you'll have no written proof of your firm's cybersecurity policies and procedures. If incoming clients audit your cybersecurity practices, or your firm applies for a cyber risk insurance policy, you'll come up empty-handed.
IT Support for Law Firms: Key Cybersecurity Tools
At Integris, we believe in a comprehensive approach to Responsible IT Architecture. We offer a managed suite of cybersecurity tools engineered explicitly for law firms. While we won’t get into all of them here, this is a rundown of some of the more important tools a law firm should have in its cybersecurity defenses.
1. Encryption
Encryption is a fundamental tool for protecting sensitive data. It ensures that even if data is intercepted, it cannot be read without the decryption key. According to the American Bar Association (ABA) TechReport, 48% of law firms have file encryption available, and 42% use email encryption. Implementing encryption for both data at rest and in transit is a critical step in securing client information.
2. Disaster Recovery
A comprehensive disaster recovery plan is essential for law firms to quickly recover from cyber incidents, natural disasters, or other disruptions. The ABA TechReport highlights that only 53% of law firms have a disaster recovery/business continuity policy. This plan should include regular data backups, both on-site and off-site, to ensure data can be restored in the event of a breach or loss. Is there a written disaster recovery plan for your firm that details who to call, what to do, and what roles are in the event of a major cybersecurity breach, natural disaster, or outage? If not, now is the time to close that gap.
3. Security Awareness Training (SAT)
Human error is a significant factor in many cyber incidents. Security awareness training helps employees recognize and respond to potential threats, such as phishing attacks. The ABA TechReport notes that 75% of law firms provide some form of technology training, which includes cybersecurity awareness. Regular training sessions can significantly reduce the risk of successful cyberattacks. Today’s options for SAT are easy to administer, with short, monthly online training that comes with graded quizzes and completion certificates. The documentation it generates is a great asset to prove your cybersecurity hygiene to insurers, vendors, or potential clients.
4. Endpoint Monitoring
Endpoint monitoring involves tracking and analyzing activity on the devices connected to the firm's network, so that suspicious behavior can be detected and responded to in near real time. Tools like antivirus software, firewalls, and intrusion detection systems are commonly used. The ABA TechReport indicates that 80% of law firms use spam filters, and 76% use software firewalls. Comprehensive endpoint monitoring helps you catch and contain unauthorized access before it turns into a data breach.
5. Multi-Factor Authentication (MFA) in a Zero Trust Environment
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access systems. Despite its effectiveness, the ABA reports only 54% of law firms have MFA available. In a zero trust environment, where no user or device is trusted by default, MFA is crucial for verifying identities and preventing unauthorized access.
6. Written Cybersecurity Policy and Documentation
Having a written cybersecurity policy is essential for establishing clear guidelines and procedures for protecting data. The ABA TechReport reveals that 80% of law firms have one or more policies governing technology use. These policies should cover areas such as remote access, internet usage, email use, and incident response. Proper documentation ensures that all employees are aware of their responsibilities and the steps to take in the event of a cyber incident.
IT Support for Law Firms Starts with Good Cybersecurity Best Practices. Integris Can Help.
If you’re interested in stepping up cybersecurity at your law firm, Integris can help. We built our business on empowering law firms with the IT infrastructure and services they need to succeed. Interested in learning more? Contact us for a free consultation.