Cyber Security for Law Firms
Cyber Security for Law Firms: 15 Essential Controls
1. Implementing Strong Password Policies and Multi-Factor Authentication
Password security is fundamental for all businesses. Implementing strong password policies, such as requiring complex passwords and regular password changes, can help prevent unauthorised access to sensitive information. But a single password on its own is not enough to stop hackers, so enabling multi-factor authentication is imperative to safeguard your accounts.
2. Securing Law Firm Networks and Devices
Securing the network infrastructure and devices used by law firm employees is crucial to protecting confidential information. This includes implementing firewalls, antivirus software, and encryption protocols to safeguard data in transit. Regularly updating software and firmware can also help patch vulnerabilities and prevent cyber attacks from exploiting known security flaws.
3. Encrypting Sensitive Data and Communications
Encrypting sensitive data and communications adds an extra layer of protection, ensuring that even if unauthorised parties gain access to the information, they cannot decipher it. By using encryption technologies to secure data both at rest and in transit, law firms can mitigate the risk of data breaches and protect the confidentiality of their clients' information.
4. Phishing Scams and Business Email Compromise
Educating your whole organisation on the latest email phishing scams is vital. Providing more rigorous training for your leadership team as well as finance teams and other sensitive practice groups will help thwart the success of business email compromise (BEC) attacks. Checking your mailbox forwarding rules and general inbox rules to see that they haven't been tampered with should become a regular fixture in your security checks.
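The rule check described above can be scripted so it runs on a schedule. The following is an added example, not part of the original article: it audits an export of mailbox rules for external forwarding and for rules that hide finance-related mail. The record layout, the domain `examplelaw.test`, the folder and keyword lists and the sample rules are all assumptions constructed for illustration.

```python
# Added example: audit exported mailbox rules for signs of BEC tampering.
# The record layout and the sample rules are constructed for illustration.
INTERNAL_DOMAINS = {"examplelaw.test"}  # assumption: the firm's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "wire"}

SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "partner@examplelaw.test", "name": "Team newsletter",
     "forward_to": [], "redirect_to": [], "move_to_folder": "Newsletters",
     "delete_message": False, "subject_contains": ["weekly update"]},
    {"mailbox": "accounts@examplelaw.test", "name": ".",
     "forward_to": ["collector@mailbox.invalid"], "redirect_to": [],
     "move_to_folder": None, "delete_message": False, "subject_contains": []},
    {"mailbox": "accounts@examplelaw.test", "name": "..",
     "forward_to": [], "redirect_to": [], "move_to_folder": "RSS Feeds",
     "delete_message": False, "subject_contains": ["Invoice", "payment"]},
    {"mailbox": "cfo@examplelaw.test", "name": "PA copy",
     "forward_to": ["pa@examplelaw.test"], "redirect_to": [],
     "move_to_folder": None, "delete_message": False, "subject_contains": []},
]

def is_external(address):
    """True when the address is outside the firm's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS

def audit_rule(rule):
    """Return a list of reasons this rule deserves a manual look."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards or redirects outside the firm: " + ", ".join(external))
    keywords = {k.lower() for k in rule.get("subject_contains", [])}
    folder = (rule.get("move_to_folder") or "").lower()
    hides = rule.get("delete_message", False) or folder in HIDING_FOLDERS
    if hides and keywords & FINANCE_WORDS:
        reasons.append("hides finance-related mail from the inbox")
    if not any(c.isalnum() for c in rule.get("name", "")):
        reasons.append("rule name has no letters or digits")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to findings, skipping clean rules."""
    return {(r["mailbox"], r["name"]): found
            for r in rules if (found := audit_rule(r))}

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES).items():
        print(f"{mailbox} / {name!r}: " + "; ".join(reasons))
```

Internal forwarding, such as the constructed "PA copy" rule, is deliberately not flagged; each finding is a prompt to confirm the rule with the mailbox owner.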
5. Supply Chain and Third-Party Security Reviews
Having a thorough process in place for all third-party vendors, particularly those that interact with sensitive firm or client data, is essential. This goes beyond a contract review and should include validating the security measures the vendor has in place to safeguard your data. If you are not happy, then be prepared to walk away or insist on the right to audit.
6. Privileged Access Management Controls
Your technology teams should already be using the concept of ‘least privilege’ for all sensitive admin accounts. Having a secure vault in the form of a Privileged Access Management (PAM) solution in place will provide greater control and protection of sensitive admin accounts. These accounts can be set to be used once only, time-bound and rotated on a daily or weekly basis. Doing this will prevent account takeover and impersonation attempts and limit an attacker's ability to gain control of your environment and maintain persistence.
7. Beyond MFA - Hardware Security Keys
MFA is a must for protecting all key critical systems, but if you want to go one step further, then using a hardware token such as those from Yubico will provide more robust protections against ransomware and account takeover attempts.
8. Application Whitelisting
Application Whitelisting or Application Control is a key component of the ASD Essential 8. Many organisations avoid doing this as they perceive it to be too hard or costly to implement. The reality is that, yes, it is hard to do, but with strong project management, the right processes, leadership backing and of course the right tools, this security measure will pay dividends in protecting your business.
9. Monitoring
Monitoring all of your key systems and services and retaining logs for a minimum of 12 months will greatly enhance your organisation's ability to uncover nefarious activity and to recover quickly if you are compromised.
10. Policies and Authority to Operate
As a bare minimum, policies should be aligned to an internationally recognised standard such as ISO 27001. Having an Authority to Operate process in place for all technology components will provide strong accountability and governance.
11. Vulnerability Management
Having a robust vulnerability management process and plan in place that tightly aligns to your organisation's patch management regime is paramount to prevent attackers from exploiting the latest vulnerabilities in your environment. Attackers no longer take months or weeks to act on vulnerabilities; they are responding within hours of a vulnerability becoming publicly known! It’s an arms race, so if you are not patching your most critical vulnerabilities on your most sensitive systems within hours, then you need to pick up the pace.
12. Security Awareness Training
Educate your people as much as possible and bring them on the journey with you so they become an extension of your security team. Phishing simulation tests will ensure your employees regularly practice their knowledge and keep on top of the latest threats.
13. Incident Response Plans and Table Top Exercises
The old cliché that "everyone has a plan until they get punched in the face" holds true! So make sure you have a plan, that it is regularly tested, and that your leadership team undertakes table top exercises at least annually. The purpose of the exercises should be a dry run of your processes: to test communication plans, to check whether the controls you have in place work, and to confirm that everyone knows what to do.
14. Endpoint Security Controls
Not all endpoint security controls (EDR) were made equal 5 years ago, but now most are catching up and are on a level playing field. So make the most of what you have and ensure you have it fully optimised. That means enabling automatic isolation of endpoints if they should become compromised so that they can’t harm the rest of your organisation.
15. Data Retention
Almost every data breach over the last ten years has one commonality: organisations are guilty of holding on to data beyond its sell-by date! So even if you think that doesn’t apply to you, take a long, hard look at the data you collect and store and identify opportunities for improving retention periods. This will include reducing liability concerns by deleting data that is no longer required.