Protecting your law firm from the risk of a data breach

Our thoughts in light of the recent Allen & Overy data breach

In 2023, ransomware, data breaches and other malicious cyberattacks continue to pose a significant risk for law firms. Legal firms hold and handle extremely sensitive client data, including confidential documents, personal data and more. The recent cyberattack on the ‘Magic Circle’ law firm Allen & Overy underlines how a successful attack could not only paralyse your firm’s day-to-day operations and lead to huge financial losses but also severely damage your client relationships and your firm’s reputation.

Now more than ever it’s important to implement strong cybersecurity protections and data backup systems. This article provides an overview of key strategies and best practices law firms should adopt to defend against ransomware, cyberattacks and data loss.

Slow the threat of a data breach by implementing strong identity management and access controls

One of the most crucial steps you can take is implementing access controls designed to be robust and all-encompassing. Research suggests most cybercriminals gain entry through stolen or weak credentials. You should enforce strong password policies requiring long, complex passwords that are changed frequently.

Multi-factor authentication (MFA) should be enforced for all accounts and key applications. This adds an extra layer of security by requiring your employees to verify their identity with a second factor like a unique code sent to their mobile phones. This prevents criminals from gaining entry to accounts even if they steal user passwords.

Role-based access control is a secondary step that restricts each user's permissions to only the systems and data needed to perform their job. Controls such as user rights management systems can selectively restrict access and activities. For example, external users would be blocked from accessing confidential case files.

Update and patch your key business applications and systems

Vulnerabilities in outdated software continue to be a leading attack vector for cybercriminals. You need to ensure all your operating systems, business applications, browsers and other software are running the latest supported versions. Patch management processes should be implemented to guarantee timely installation of all critical software security updates.

The same focus needs to be applied to devices in your network such as routers, firewalls and VPNs. Your security policies must routinely enforce immediate patching of any discovered vulnerabilities before cybercriminals can exploit them. Making use of automated patch deployment solutions can streamline this update process.

Make use of freely available endpoint protection tooling

Through your existing licenses and subscriptions, it’s likely you already have access to advanced endpoint security solutions, and you should ensure these are installed across all devices, including desktops, laptops, mobile phones, and servers. This gives you an additional layer of protection against malware, ransomware and phishing attacks trying to infiltrate the network.

Other key capabilities you should look at closely include antivirus software, firewall solutions, endpoint detection and response (EDR) tools, intrusion prevention and URL filtering. Additionally, email security solutions and secure web gateways defend against threats delivered over email or the web.

Security awareness is inexpensive but invaluable to preventing a data breach

Basic human error and gaps in cybersecurity awareness still account for the majority of data breaches. You need to ensure all your employees complete frequent security awareness and phishing simulation training. This makes your staff more mindful of vulnerabilities and equips them with the right skills to identify risky activities like dubious emails. Defining and sharing robust security policies and processes will provide added guidance.

Don’t neglect access controls for mobile devices

Mobile devices carrying firm apps and data introduce another layer of risk, especially if they are lost or stolen. Widely available remote wipe software can delete data if a device is found to be compromised, lost or stolen. Consider using mobile device management (MDM) tools designed to apply access controls, data encryption and more. Your policies need to enforce device-level protections and authorise access only from appropriately secured devices.

Back up everything and test frequently

There is no guarantee that any one security precaution is 100% secure or fool-proof. Basic human error, unpatched vulnerabilities or even unavoidable hardware failures could still expose data. That's why maintaining complete backups that are isolated from your network is important. Backing up your critical data locally as well as to a cloud provider ensures access to data no matter what.

Consider implementing an automated backup process that runs on a regular schedule, such as nightly or weekly. The 3-2-1 backup rule encourages maintaining at least three copies of your data on two different media types, with one copy stored offsite. Testing backups regularly to verify their integrity and recoverability is a logical next step businesses often neglect. As you back up your data, ensure you have processes in place to regularly restore your backups to a test environment to confirm they work as they should.

While endpoints and servers should have some backup capabilities, firms must also maintain separate and isolated backup repositories. Only a minimal number of authorised IT staff should have access to prevent mistakes. Air-gapped, offline backups provide an added layer of protection from cybercriminals seeking to infiltrate the network to access data.
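A backup that has never been restored is only a hope. As an added example that is not part of the original article, the Python below shows the two checks the section above calls for: an integrity check that re-hashes each copy against a manifest recorded at backup time, and a test restore into a scratch location that must verify before the backup is considered good. It builds a constructed matter folder in a temporary directory, takes a "local" and an "offsite" copy, then damages the local copy so the checks have something to find; the directory layout, file names and manifest format are assumptions for the example, not any product's own.

```python
"""Added example: backup integrity checks and a test restore."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source to dest and store hashes taken from the *source*, so later
    checks compare the copy against what was actually backed up."""
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> list:
    """Re-hash a copy and list every file that is missing or has changed."""
    expected = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, digest in expected.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return sorted(problems)


def trial_restore(dest: Path, restore_to: Path) -> bool:
    """Restore the copy into a scratch location and confirm the restored tree
    matches the manifest: the only real proof that a backup is usable."""
    shutil.copytree(dest, restore_to, ignore=shutil.ignore_patterns(MANIFEST))
    expected = json.loads((dest / MANIFEST).read_text())
    return build_manifest(restore_to) == expected


def demo() -> dict:
    """Constructed scenario: a small matter folder, a local copy and an
    'offsite' copy, with the local copy silently damaged afterwards."""
    work = Path(tempfile.mkdtemp())
    try:
        source = work / "matters"
        (source / "client-a").mkdir(parents=True)
        (source / "client-a" / "contract.txt").write_text("constructed sample: draft contract")
        (source / "notes.txt").write_text("constructed sample: case notes")

        local = work / "backup-local"
        offsite = work / "backup-offsite"
        make_backup(source, local)
        make_backup(source, offsite)

        # Damage the local copy: one file altered, one file deleted.
        (local / "notes.txt").write_text("tampered")
        (local / "client-a" / "contract.txt").unlink()

        return {
            "local_problems": verify_backup(local),
            "offsite_problems": verify_backup(offsite),
            "local_restores": trial_restore(local, work / "restore-local"),
            "offsite_restores": trial_restore(offsite, work / "restore-offsite"),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the local copy reports one altered and one missing file and fails its test restore, while the untouched offsite copy passes both checks. In practice the manifest should be stored with the backup and the restore test run on a schedule, with the result logged where someone will notice a failure.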

Secure by Design mindset

Viewing your IT through a security-first, ‘secure by design’ lens is critical, especially when designing and configuring your infrastructure. Your network should be segmented into subnets and virtual local area networks (VLANs) to prevent free movement across systems. Role-based access controls and privilege separation should be a key design consideration as you construct your network.

Change default passwords on all your systems and software, close down unnecessary ports or services that could provide attack vectors where possible and enable built-in encryption technology to protect your data at rest and in transit.

Read-only access where appropriate

Read-only capabilities should be implemented for an added layer of protection against ransomware and other cyber threats. You should consider deploying read-only and immutable file storage and backup data stores where appropriate. Why is this important? When you store data in formats that cannot be modified or tampered with, you prevent file corruption and loss. Many cloud providers today offer cost-effective services which give you access control and file versioning options to support data recovery.

Where possible, harden and tighten physical security

If your law firm maintains and operates servers in back-office rooms and cabinets, there are significant security risks. Mitigate these risks with safeguards such as physical entry access controls, locks, alarms and CCTV, which help prevent unauthorised access that could lead to hardware theft or physical tampering. Your servers should be mounted in locked racks and desktops secured with tamper-proof locks.

Consider background checks on key technical personnel

It’s fairly common for law firms to work with managed service providers (MSPs) to provide cybersecurity services such as SIEM monitoring, endpoint protection, firewall management and backup services. It’s critical you appropriately vet, background check and seek references for technical staff. Other steps to consider include security training, certification checks and other audits to ensure the providers of your IT are appropriately qualified and that their own security levels match or exceed the firm's.

Threat and risk assessments to understand your exposure to a data breach

On a quarterly basis or whenever there are major changes to your technology footprint, consider running security risk assessments and threat evaluations to design the appropriate safeguards needed to mitigate risk and protect your network. You can either deploy your internal security staff or use third-party cybersecurity organisations to conduct assessments ranging from high-level reviews to penetration testing.

Regularly test your incident response plans

Experienced cybersecurity professionals understand that despite best efforts, cyberattacks sometimes succeed. To prepare for such scenarios, you need detailed and comprehensive incident response strategies and plans in place to detect, respond to and recover from crippling attacks. Your plans need to define team roles and responsibilities along with processes for identifying breaches, mitigating and reducing the risk of further damage, notifying your clients and following your defined backup processes to restore normal operations.

Run tabletop and simulation exercises to regularly test these plans. Capture lessons learned from these exercises and change and adapt your plans accordingly. Execute these regularly enough and responding efficiently and appropriately becomes second nature for you and your team.

Cyber insurance remains vital for organisations

Read our article on why Cyber insurance is now considered essential for law firms. The right policies can offset costs from costly ransomware payments (where legal), data recovery, legal services, PR crisis management, business interruption and liabilities arising from client complaints after a devastating breach. Define the ‘worst-case’ scenario for your firm and make sure your coverage limits adequately cover potential losses based on this scenario.

Favour insurers who provide pre-approved vendor and cybersecurity organisation lists, threat intelligence sharing and data loss prevention guidance. Requirements such as multi-factor authentication, endpoint detection or employee training may earn premium discounts. Consult qualified insurance brokers to negotiate optimal terms.

The critical need for cyber liability insurance

Cyberattacks on businesses are sharply escalating year on year, with over 40% of companies experiencing a breach over the past 12 months according to some estimates. The average cost of a data breach now exceeds £3.1 million. The risks of mass data theft, crippling ransomware, DDoS and other forms of cyberattack represent a serious threat all organisations face today.

Cyber liability insurance provides critical financial protection against significant costs which often follow major cyberattacks. For most businesses, having appropriate cyber insurance coverage in place is a key requirement. However, it's important to understand key considerations in identifying the right policy for you and selecting a provider to meet your specific needs.

Why cyber insurance matters in a data breach

The cost of ransomware can be damaging and can quickly spiral out of control. Costs range from fees spent on bringing in PR and crisis management organisations, forensic investigators and technical experts to assess and recover your environment, to extortion payments as well as potential regulatory fines.

Cyber liability policies are specifically designed to offset costs associated with data breaches, cybercrimes, privacy violations and digital security incidents. Ensuring you have this coverage is essential given most general liability policies exclude cyber risks.

For more information on what to look for and how to select the right policy, check out our in-depth guide on Cyber Liability Insurance.

Conclusion

The sensitive client data stored by law firms makes them prime targets for ransomware, data breaches and cyber espionage. While cyberattacks are becoming more sophisticated, firms can manage risks through a layered defence combining technology safeguards, strong policies, training and insurance.

Proactively following best practices like MFA, patched software, secure system design, strong endpoint protection, controlled access and frequent backups is key. You should also verify through testing that your security controls are working as expected. With the regulatory requirements and liability risks facing legal practices today, making cybersecurity a top priority is imperative.
