Statistics from PwC’s 25th annual Law Firms Survey show that cyber-attacks on law firms in the UK increased by nearly 20% between 2014-15 and 2015-16, with 73% of the top 100 law firms being targeted by cyber-attacks.
Holding a wealth of sensitive information, it is easy to see why the legal sector is an attractive target for cyber criminals and hacktivists.
With the rise in cyber-attacks on the legal sector showing no signs of abating in 2017, it is more crucial than ever to ensure you are fully protected against this kind of threat.
You may think password-protected access to your firm’s systems and data is enough, but a password alone is a weak defence. It is a single secret: once it is guessed or stolen, the attacker has exactly the same access as the employee, and the owner usually has no way of knowing. Much of the weakness is human, with people taking shortcuts to avoid the inconvenience of creating and remembering a strong password.
Reusing a password across services, or choosing an easy one, may mean employees forget it less often, but it is also far easier for an attacker to guess or crack, and a reused password is only as safe as the least secure site it was used on. Conversely, a complex password may be so hard to remember that an employee writes it down or, worse, loses it, undermining the protection it was supposed to provide.
The International Legal Technology Association (ILTA) conducted a study which found that 60.9% of professionals employed by law firms believe that human error is the most significant risk to their law firm’s cybersecurity.
When employees stop working for you, additional risks arise if the accounts they use to access your systems and data are not promptly closed. Inactive accounts are an ideal target for hackers because they are often unmonitored and forgotten about.
So, what can be done to minimise these risks?
Two-factor authentication adds a second, independent check after the password has been entered, so that a stolen password is not enough on its own. The second factor could be:
Presenting your fingerprint or another biometric.
Inserting a smart card or hardware token containing an identity credential into your computer.
Entering a one-time password (OTP) generated by an authenticator app or sent to your phone by text message, or approving a push notification from the app.
Presenting a digital certificate installed on your device (client certificate authentication).
The type of authentication most suitable for each firm will vary, and is best considered on a case-by-case basis.
If an employee’s password is stolen but the attacker does not also hold the employee’s phone, the one-time password (OTP) never reaches them and the login fails. Just as importantly, an unexpected code or push notification tells the employee that someone is using their password, provided staff are trained to reject and report prompts they did not initiate rather than approving them out of habit. Being able to see when your systems are under attack is just as vital as protecting against attack.
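To make the "password but no phone" scenario concrete, here is an added example of how a server verifies the one-time code as the second factor. It is illustrative code written for this article, not code from the original page or from any product. It assumes the app-generated variety of OTP (time-based, as in RFC 6238 and RFC 4226) rather than a code sent by text message, uses the RFC 4226 test secret so the values can be cross-checked against the published test vectors, and the user name "alice", the `OtpVerifier` class and the constant names are all assumptions made for the example. It also shows two things the paragraph above does not: tolerance for clock drift between phone and server, and a replay guard so that an intercepted code cannot be used a second time.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test secret "12345678901234567890",
# shown base32-encoded as an authenticator app would scan it from a QR code. Not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30        # one OTP value per 30-second window
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1  # also accept the previous and next window to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time window."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class OtpVerifier:
    """Server-side check of the second factor (assumed class for this example).

    Remembers the last accepted time window per user so that a code which was
    intercepted or shoulder-surfed cannot be replayed while it is still valid.
    """

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user
        self._last_used_step = {}

    def verify(self, user: str, submitted_code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        secret_b32 = self._secrets.get(user)
        if secret_b32 is None:
            return False
        current_step = now // STEP_SECONDS
        for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
            step = current_step + drift
            expected = totp(secret_b32, step * STEP_SECONDS)
            # Constant-time comparison so response timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted_code):
                # Replay guard: never accept a window at or before the last accepted one.
                if step <= self._last_used_step.get(user, -1):
                    return False
                self._last_used_step[user] = step
                return True
        return False


def demo() -> dict:
    """Walk through the article's scenario: the attacker has the password but not the phone."""
    verifier = OtpVerifier({"alice": DEMO_SECRET_B32})
    t = 59  # the RFC 6238 test time, so the code ("287082") matches the published vector
    phone_code = totp(DEMO_SECRET_B32, t)  # what alice's authenticator app shows right now
    return {
        # alice types the code from her phone: accepted.
        "employee_with_phone": verifier.verify("alice", phone_code, now=t),
        # attacker knows the password but has to guess the code: rejected.
        "attacker_guessing": verifier.verify("alice", "000000", now=t),
        # attacker captured alice's code and replays it seconds later: rejected.
        "replayed_code": verifier.verify("alice", phone_code, now=t + 5),
        # alice logs in again in the next window with a fresh code: accepted.
        "next_window": verifier.verify("alice", totp(DEMO_SECRET_B32, t + 30), now=t + 30),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:22s} -> {'accepted' if accepted else 'rejected'}")
```

The replay guard is the part most often missing from home-grown implementations: without it, a code phished from the employee remains usable for the rest of its 30-second window (longer with drift tolerance), which is exactly the gap a real-time phishing proxy exploits. Rate-limiting code attempts per account is the other control a production deployment needs, since six digits give an attacker a one-in-a-million chance per guess.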
Two-factor authentication also affords extra protection in the case of an ex-employee who may now be working for a competitor, or who left under unsavoury circumstances. If access requires both a password and a smart card or token, collecting the token at the end of employment removes one of the two factors. Do not rely on that alone, though: the account should be disabled and the token revoked centrally on the leaver's last day, so that a token that is copied, "lost" or simply not handed back gives no access.
Data security has to keep evolving to keep pace with the volume of malware hitting our networks. It is no longer enough to worry about access through the firewall from the internet; we also have to consider the insider threat: the employee who makes a simple mistake that brings malware into the organisation, or who sends sensitive data to the wrong third party in error. Every part of the business needs to be diligent in protecting its digital assets, and senior managers must maintain a strong stance on data security to avoid both data loss and GDPR fines.