Practical steps for young lawyers to mitigate cyber threats
By Motunrayo Akinyemi
The growing use of technology in the corporate world means that all professionals, and especially lawyers, law firms and the wider legal industry, need to protect themselves against increasing cyber threats and an evolving cybersecurity landscape. The legal industry is not immune from cyber-attacks. Therefore, it is important for lawyers to identify and document asset vulnerabilities by answering these questions:
- What makes our practice attractive to cyber criminals?
- What information do we obtain from the client?
- How is this information stored?
- Who has access to this information?
From the foregoing, it is right to state that lawyers do utilise and keep highly sensitive and confidential information about their clients, such as names, email addresses, home addresses, business secrets, details of transactions and other sensitive information. Consequently, lawyers and law firms have become prime targets for cyber attackers who want to steal this information for their dubious use.
According to the Ponemon Institute Report 2017, the average cost of data breaches incurred by organisations increased from $3.62 Million in 2016 to $3.86 Million in 2017. The key factors for the increase in cost were found to be security automation and the extended use of Internet of Things (IoT) devices. From the report, it is evident that organisations need to double their efforts in protecting their important assets.
How can lawyers protect themselves from cyber risk?
Mitigating Cyber Risks/Threats
The use of security mechanisms: Users should install Endpoint Protection Software (anti-virus, anti-spyware, user-based firewall, anti-malware) and intrusion detection/intrusion prevention systems.
Firewall: The firewall acts as a protective layer between the user and the internet, with the duty of tracking and analysing data exchanged between the computer and the server. Ensure the firewall on desktops/laptops is switched on to prevent unauthorised access.
Password Management: Users should establish strong passwords on all devices and create different passwords for different websites; as practical guidance, passwords should include numbers, upper and lower case letters, symbols and so on. For ease, users should install password manager software such as 1Password and LastPass. Also, it is advised that users disable automatic log-on functionality, change default passwords, and desist from storing passwords using weak encryption or hashing algorithms.
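The two points above, a composition check for passwords and strong versus weak storage, as an added example (not code from the article): `weak_store` is the unsalted-hash practice the guidance warns against, while `strong_store`/`verify` use a per-password random salt, the memory-hard scrypt function from Python's standard library, and a constant-time comparison. All function names here are my own.

```python
import hashlib
import hmac
import os
import string

# scrypt work factors (assumed, reasonable for interactive logins; raise n on faster hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Check the article's composition guidance: digits, upper, lower and symbols."""
    return (
        len(password) >= min_length
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c in string.punctuation for c in password)
    )


def weak_store(password: str) -> str:
    """What NOT to do: unsalted MD5. Equal passwords give equal hashes, so a
    leaked table exposes reuse and is cracked offline with precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: bytes = b"") -> str:
    """Salted scrypt hash stored as 'scrypt$<salt hex>$<digest hex>'.
    A fresh random salt is generated unless one is supplied (tests only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False  # refuse to verify against a legacy/weak record
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Note that `weak_store` returns the same value for the same input every time, whereas two calls to `strong_store` for the same password differ because of the salt, yet both verify.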
Public Wi-Fi: Users should avoid the use of public internet access. An unsecured Wi-Fi connection is susceptible to threats, as attackers can use it to distribute malware or launch a man-in-the-middle attack. If a user intends to connect to an unsecured Wi-Fi network, the user should: make use of a virtual private network (VPN), ensure that every connection initiated to a web server is secured by TLS/SSL, turn off the sharing option, and turn off Wi-Fi when it is not needed.
Social Engineering: This is a common psychological manipulation technique used by cyber attackers to trick unsuspecting users into handing over confidential or sensitive information. It is advised that personally identifiable information is not unnecessarily disclosed online. For example, answers to secret questions such as a mother's maiden name should not be given except during the initial registration on a secured website. Other techniques used are phishing emails appearing to be from a bank, pretexting, false court notices to appear, etc.
Data Encryption: This is the conversion of data from a readable format into a coded form that can only be read or processed after decryption. Encryption protects the user's information while it is sent between a browser and a server; such information includes Personally Identifiable Information (PII), payment data and so on. Therefore, the use of an encrypted mail service such as ProtonMail, and of encrypted file sharing, is advised. Where a user cannot access encrypted email or an encrypted file-sharing service, files should be zipped with a password.
Software Updates: Users should update the software on their devices regularly, because these updates usually fix or eradicate bugs, prevent the spread of viruses to other devices, protect data on the device, and patch security vulnerabilities.
Cyber Training: Users are advised to read up on the latest threats, and to educate and train employees on how to avoid risks. Also, treat suspicious emails and unknown client inquiries with caution. For example, ensure attachments from suspicious emails are not downloaded to desktop/personal computers.
Incident Management: This involves the management of cyber risk, which could be done by in-house expertise or by third-party experts who carry out forensic investigations in the event that a breach occurs. It is extremely crucial that the plan is approved by the management of the firm and that management is also carried along when material changes are made to the said plan. The incident response plan should contain the following:
- Identification of the asset to be protected;
- Identification and allocation of responsibilities in the event of a cyber security incident;
- Engagement of third-party experts or in-house expertise for incident response / forensic investigations in case of a cyber breach incident;
- The equipment and technology to detect and address a cyber security breach;
- Containment strategy, whether disconnecting affected systems immediately or preserving them to collect evidence against the attacker who compromised the system;
- Communication strategy for internal and external stakeholders and law enforcement agencies.
In conclusion, it is critical to note that total prevention of cyber-attacks is impossible, and it is the duty of stakeholders in the legal industry to take a risk-based approach to ensure protection and mitigation of threats. The industry regulators should create standards and cybersecurity guidelines. It is also advised that lawyers purchase cyber-liability insurance or engage technology vendors who offer cyber insurance to cover liabilities in the event of a breach. It is crucial to have a cybersecurity policy and hygiene well embedded in operations and in all layers of the organogram. Finally, law firms should prepare an incident response plan so that, when the inevitable occurs, irretrievable loss of assets is prevented.
By Motunrayo Akinyemi (@Mssrayo), Lagos, Nigeria.