Cyber security: best practices for law firms

Category: Blog, Practice Management, Staying Compliant 28th April 2020

In the first half of 2020, law firms advised the Solicitors’ Regulation Authority that nearly £2.5m of money held by them had been stolen by cybercriminals – that’s over three times the amount reported in the first half of 2019. In the first two months of national lockdown alone, there was a 337% rise in phishing scams.

Keep your law firm secure by implementing cyber security best practices that help to protect your client’s data, reduce human error, and decrease data breaches.

The change in working environments and processes during the COVID lockdowns often meant that law firm’s policies for data security and cyber awareness relaxed. It was no longer a priority which cyber attackers exploited.

The cost of a cyber-attack for any law firm could be detrimental to survival. The cost, client, and reputations damages can be severe which is why implementing a data and cyber security policy and following best practices should be a priority.

10 tips for improving cyber security in your law firm

Consider these security tops and best practices that help you strengthen internal processes and take advantage of legal tech to keep your law firm secure.

  1. Implement a data & cyber security policy at your firm

Most breaches (85%) are caused by human error (according to Tessian’s Human Error Report) and so creating a policy that is clear and easy to follow will help to educate and protect your employees, therefor your business. As part of the policy ensure to prioritise regular team training, document requirements such as 2FA where possible, and identify best practices to follow, such as strong passwords, to stay secure.

2. Choose a strong password

The most frequently used passwords are 123456 and password. Others often used include QWERTY and abc123.

Avoid using personal information in your password like birthdays, pet names, or family members. The National Cyber Security Centre recommends the use of three random works for example, or try using the first letters of a random sentence you can remember.

Most websites will require a certain criteria to be met for password creation, so it’s best practice to use a mixture of numbers and letters, upper and lower case, numbers and special characters.

For more information on how to keep your work secure be sure to read our top five tips for password security. 

3. Mandate regular employee training

Prevention of data breaches and cyber attacks starts with education. Being aware of cyber security is vitally important, especially as new methods are always on the horizon. Ensure your staff are regularly taking training cyber security data courses so they’re aware of the dangers and are kept alert. It’s likely a data breach will start with your employees so it pays to keep training a priority.

4. Be aware of phishing emails

According to CISCO’s 2021 Cyber security trends report, phishing accounts for around 90% of data breaches. Your firm should at the very least be aware of, able to spot, and avoid phishing emails to significantly reduce your chance of a cyber attack.

Anti-spam and anti-virus filters should be implemented, but to reduce risk further ensure your team are taking the necessary precautions to external emails they’re unsure of, or have attachments, or appear suspicious. Training providers and platforms can perform test phishing attempts in your organisation to help identify those who need further training to strengthen your security measures.

5. Be selective with your software providers

The legal technology you choose to implement can help to improve the security of your data. Ensure to understand how and where your data is held and protected to effectively vet potential vendors. For example, when using Osprey Approach, 2FA is required, your data is held in UK data centres which are ISO27001 compliant, and the data centres have 24/7 security including InfaRed perimeter fencing, CCTV, and biometric entrances / exits.

6. Two-factor authentication (2FA)

2FA requires two separate steps to prove your identity upon logging into an application. It’s a simple, but very effective way of improving security measures across your firm.

ICO issued an almost £100,000 fine to a top criminal law firm who experienced a cyber attack because the firm’s compliance ‘was not of an appropriate standard’ and they had left ‘weaknesses to exploit’. The firm had not used multi-factor authentication for remote access to its systems, despite it being recommended since 2018.

7. Stay up to date

Ensure your devices, applications, software, and technology are kept up to date. Cyber attackers attempt to find weaknesses and breach points within software applications, by keeping your devices up to date, you’re reducing your chances of vulnerabilities. This is the same for hardware that has outdated operating systems that no longer receive updates. If something has gone ‘end of life’ you’re not longer protected by up to date software patches so your data and infrastructure can be vulnerable.

8. Mobile device management (MDM)

Unlike a desktop, phone and tablets are more likely to be misplaced or stolen. For this reason, implementing MDM helps to protect devices in the event of them going missing by disabling Bluetooth access, requiring eight-character pins, and options to wipe company data remotely.

MDM isn’t expensive to implement and comes with the Enterprise package from Microsoft 365.

9. Reduce reliance on emails

Emails have become an integral part of business communication and create a quick and easy way to do business. However, they now carry a high cyber-attack risk and can easily be intercepted or mistaken for a genuine email when actually it’s part of a cyber attacker’s phishing campaign.

By reducing your reliance on emails you can decrease your risks of email associated cyber attacks. Protect client’s data by offering a secure client portal that enables you to communicate and collaborate with clients in a centralised platform. Osprey’s web portal is protected by the same high-level measures as the case management software it’s self, so sensitive data and documents can be shared at a lower risk.

10. Plan for the worst-case scenario

Implementing best practices will help you to mitigate risk but there’s always a chance the worst may happen, therefor you need to be prepared for what will happen.

There are many cyber security agencies that can help you to create and test a disaster recovery plan in the event of a data breach to help reduce damage.

Tools that aid law firm cyber and data security

Microsoft’s 365 Phone System

Implementing a cloud-based telephony service enables your firm to easily manage a hybrid team, but also offers greater security and advanced functionality over traditional phone systems.

The Osprey practice & case management software solution

The protection and security of your data is of paramount importance to us. Osprey helps your firm stay protected and compliant to ensure business continuity and quality client care.

Osprey helps to protect your data by using secure software features such as:

  • Two-factor authentication: verifying user identities is required via 2FA to secure logins
  • Role-based permission: restrict visibility of sensitive case information to only those who need to know
  • Data centre security: the UK data centres are protected with industry-leading firewalls, InfaRed perimeter fencing, and CCTV, as well as being ISO 27001 accredited
  • Encryption: Osprey is SSL encrypted so your data is protected from anyone who tries to intercept the data on transit

Client Portals

Offering a portal to your clients, that’s fully integrated with your case management solution helps to reduce your reliance on email communications and provide a centralised protected platform to share sensitive data and documents.

Osprey Approach provides a fully integrated web portal and mobile app so you can offer quality client care.

Additional tips to help prevent cybercrime:

  • Within the engagement letter sent to any new clients you should clearly set out that as part of cyber safety measures clients will never be directly contacted by email or telephone regarding bank accounts, change of bank accounts, or any other financial information.  Also provide a senior contact name that your client should speak to if they have any concerns or questions about fraud.
  • Ensure that procedures are in place that certify the entire firm complies with the above
  • Use a password manager to create and safely store complex and secure passwords
  • If cyber safety is taken seriously consider asking your client to break any large transfer into two amounts, sending an initial £1, once that is confirmed the remaining amount can be transferred shortly after.
  • All communications with your client that requests, or contains any sensitive, or financial information should either be via a) secure client portal, b) password protected document such as a PDF, or c) sent via printed and franked letter, never by email or telephone.
  • Use a third party service such as GB Group’s Bank verification service or to validate banks accounts before making a transfer. Never accept changes of banking details at face value and always verify with the relevant parties directly before accepting any changes.
  • Encourage your team to communicate and be open. If they suspect they’ve spotted a potential security risk, ask that they inform you as soon as possible.
  • Consider having an employee fraud training and awareness program within the firm, give regular updates of fraud trends and areas of risk.  The program should focus on compliance, fraud prevention and where responsibilities are held.  The responsibilities should include what to do in the event of suspected fraud.  Adopt security measures from the ground up and ensure all members of staff are part of this process.
  • Consider having a set of fraud mitigation warning flags, and where a transaction falls into the following categories you should undertake additional checks:

– No estate agent is involved in the sale of the property.

-The transaction involves a relative.

-The transaction is under a Power of Attorney.

-The property has recently changed hands.

-The property is funded through other parties.

-The purchase contract involves payments to other parties.

Protect your law firm

By arming your team with the right tools, implementing a secure infrastructure, and encouraging training to ensure everyone takes responsibility for cyber security, you’ll reduce your chances of a data breach.

Start improving your data security as soon as possible to avoid the costly repercussions of a cyber attack and to do the right thing by your client. Lean on the right legal technology to enhance your security whilst also increasing efficiencies and improving the client experience.