The importance of password security for law firms: our Five Top Tips

Category: Blog, Case Management, Practice Management, Staying Compliant 17th December 2019

Despite the importance of password security being increasingly publicised, a recent UK study on behalf of the National Cyber Security Centre (NCSC) showed that 23.2 million breached accounts were using “123456” as the password. “qwerty”, “iloveyou” and “password” are also near the top of the list of regularly used passwords.

Protect your employees

With the ongoing digitisation of the legal sector, clients and law firms alike are moving into an increasingly cloud-based environment. Whilst there are undeniable benefits in doing so, it’s now more important than ever to protect sensitive client and business data.

Cyber security shouldn’t be treated as just the concern of the IT department. Tessian’s Psychology of Human Error Report found that 85% of data breaches are caused by human error. This is why it’s crucial that law firms protect their employees and provide training to avoid future data and cyber breaches.

We recently read with interest a real-world example which highlighted the importance of proper password security. It serves as a timely reminder of the consequences of using a weak password…

Example: How qwerty can lead to 500 fraudulent invoices

The business received a report of a compromised user account at the start of business on Monday morning. The IT department began an investigation into the breach and found that the user in question had been using “qwerty” as their password.

On the previous Friday, the attacker used what is known as a password spray attack to guess the correct password. A password spray attack is an attempt to try commonly used passwords against a user or group of users. It puts users with weak passwords at great risk.

As a result of the user having a weak password, the attacker gained access to their account. They proceeded to use the user’s address book to send out 500 fraudulent invoice emails to customers over a handful of hours.

The recipients of the emails believed that the sender was a trusted source and not a spoofed email address. This can lead to more people falling victim and further dire consequences for the business.

Access to the user account was restored on Monday morning when the user alerted the IT department. However, this was three days after the attack, which gave the attacker time to set up mailbox rules that marked all incoming emails as read and then deleted them permanently.

Tactics like this cover the tracks of the attacker and make it harder to identify where the 500 emails were sent.
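The two behaviours in this incident both leave traces in sign-in and mailbox audit logs: a spray shows up as one source failing against many different accounts with only one or two tries each (staying under lockout thresholds), and the cover-up shows up as a newly created inbox rule that both hides and deletes mail. The detection logic below is an added example, not part of the original article or any product; the log format and the addresses, names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simplified audit-log shape: (timestamp, event, user, source_ip, detail).
EVENTS = [
    ("2019-12-06T17:02:01", "SignInFailed", "alice", "203.0.113.7", ""),
    ("2019-12-06T17:02:04", "SignInFailed", "bob", "203.0.113.7", ""),
    ("2019-12-06T17:02:07", "SignInFailed", "carol", "203.0.113.7", ""),
    ("2019-12-06T17:02:10", "SignInFailed", "dave", "203.0.113.7", ""),
    ("2019-12-06T17:02:13", "SignInFailed", "erin", "203.0.113.7", ""),
    ("2019-12-06T17:02:16", "SignInSuccess", "frank", "203.0.113.7", ""),  # the weak password worked
    ("2019-12-06T17:05:40", "InboxRuleCreated", "frank", "203.0.113.7", "actions=MarkAsRead,Delete"),
    ("2019-12-06T17:10:02", "SignInFailed", "alice", "198.51.100.4", ""),  # alice's own typo, benign
    ("2019-12-06T17:10:20", "SignInSuccess", "alice", "198.51.100.4", ""),
]

SPRAY_WINDOW = timedelta(minutes=30)
MIN_DISTINCT_USERS = 5     # many accounts from one source...
MAX_ATTEMPTS_PER_USER = 2  # ...but few tries each, so no account locks out

def detect_password_spray(events):
    """Return {source_ip: users} for sources that fail against many distinct
    accounts inside SPRAY_WINDOW while averaging few attempts per account."""
    failures = defaultdict(list)  # ip -> [(time, user)]
    for ts, event, user, ip, _ in events:
        if event == "SignInFailed":
            failures[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # slide a window from each failure
            window = [u for t, u in rows[i:] if t - start <= SPRAY_WINDOW]
            users = set(window)
            if len(users) >= MIN_DISTINCT_USERS and len(window) / len(users) <= MAX_ATTEMPTS_PER_USER:
                hits[ip] = sorted(users)
                break
    return hits

def find_cover_track_rules(events):
    """Return (user, source_ip) for new inbox rules that both hide and delete mail."""
    flagged = []
    for _, event, user, ip, detail in events:
        if event == "InboxRuleCreated":
            actions = set(detail.partition("=")[2].split(","))
            if {"MarkAsRead", "Delete"} <= actions:
                flagged.append((user, ip))
    return flagged

def accounts_to_check(events):
    """Accounts a sprayed source later signed into: reset and review these first."""
    sprayed = detect_password_spray(events)
    return sorted({u for _, e, u, ip, _ in events if e == "SignInSuccess" and ip in sprayed})
```

Running the three functions over the constructed log flags the spraying source, the account it got into, and the rule it created minutes later, which is the Friday-to-Monday gap the article describes.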

This is just one example. Had the attacker gained access to a user with global admin permissions, this attack could have been far worse and had longer-lasting consequences. Attacks like this can lead to confidential client and financial data being lost and/or disclosed by the law firm in question. For this highly regulated industry the consequences can be devastating.

Five top tips for improving password security

Protect your law firm’s client and business data with these top 5 tips for strengthening your password security.

1. Create strong passwords

The NCSC recommend the use of three random words that are easy to remember but hard for someone who knows you to guess in 20 attempts.

Therefore, avoid using personal information in your password. Details like birthdays, family and pet names and even your favourite band can be obtained quite easily by potential attackers through social media or phishing attacks.

Most websites will now give you an indication of how strong your password is and require certain criteria to be met on password creation. The use of numbers, symbols and a combination of upper and lower-case letters can also be used to strengthen passwords. Try to avoid using numbers in sequence.
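The checks in this tip can be enforced at password creation. The screening function below is an added example, not the article's or any product's code: it rejects passwords found in a compromised list, passwords containing a run of sequential digits, and passwords containing personal details supplied by the checker. The compromised list is looked up by SHA-1 hash split into a 5-character prefix and suffix, the same scheme the Pwned Passwords range API uses, so a client querying a remote service only reveals the prefix. The five-entry list here is a constructed stand-in for the NCSC's published list.

```python
import hashlib

# Constructed stand-in for a compromised-password list (the NCSC list has 100,000 entries).
COMPROMISED = ["123456", "qwerty", "iloveyou", "password", "123456789"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index hashes as {5-char prefix: {35-char suffix}} so a lookup needs only the prefix."""
    index = {}
    for p in passwords:
        digest = sha1_hex(p)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def has_digit_run(password, length=3):
    """True if `length` consecutive characters are digits stepping by +1 or -1 (123, 987)."""
    for i in range(len(password) - length + 1):
        chunk = password[i:i + length]
        if not chunk.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def check_password(password, index, personal_terms=()):
    """Return the reasons a candidate password fails; an empty list means it passes."""
    reasons = []
    digest = sha1_hex(password)
    # Only digest[:5] would leave the client if `index` were a remote service.
    if digest[5:] in index.get(digest[:5], set()):
        reasons.append("appears in the compromised-password list")
    if has_digit_run(password):
        reasons.append("contains numbers in sequence")
    lowered = password.lower()
    for term in personal_terms:  # e.g. pet names, birth years known to the checker
        if term.lower() in lowered:
            reasons.append(f"contains personal information ({term})")
    return reasons

INDEX = build_range_index(COMPROMISED)
```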

2. Separate your personal and work passwords

Do not use the same passwords for multiple accounts. This will reduce the impact of a personal account being compromised upon your work life and vice versa.

3. Protect your passwords

It can be difficult to remember the variety of passwords needed across your personal and business applications, but always be careful about where you record that data.

Password managers can be an ideal solution, but ensure you do your research first as there are benefits and disadvantages to these services. Handwriting them on a post-it note is not recommended for office workers, but can be a safe solution if you work at home as the general public won’t have access.

4. Two factor authentication

Many websites and services now offer the option to enable two-factor authentication (2FA), which provides a way of double checking your identity and preventing unauthorised access to your accounts. Sometimes this works by sending you a secret code to your mobile device as well as asking for your username and password.

Using 2FA is vital on services that contain sensitive information, especially email services. If a potential attacker gains access to your email account, it will give them the opportunity to gather information about you, and could potentially give them an avenue to access more accounts through resetting your passwords.

The Osprey Approach solution requires 2FA for all users to increase the protection of your client, case, and financial data.

5. Be aware of your environment when entering your passwords

It’s essential to always ensure you are on a secure network when entering your password. If you are using a public hotspot, use a VPN to secure your connection and prevent others from capturing your information as it’s sent.

If you don’t have a VPN service, use your phone’s 4G connection or wait and find a secure connection elsewhere. Be careful when entering personal information in public environments; prying eyes could be close by, and you should exercise the same amount of caution you would when entering your PIN at an ATM or card terminal.

Additional cyber and data resources:

The NCSC has published a list of the top one hundred thousand compromised passwords.

Have I Been Pwned is an excellent resource where you can check whether any of your accounts have been compromised in a website breach.

View our comprehensive guide to data and cyber security for law firms.