In recent years, cyberattacks against law firms have managed to mostly slip under the radar. Even reports of the Panama Papers breach, which garnered international attention, downplayed the cyberattack aspect of the scenario.
Nevertheless, law firms are regularly targeted by cybercriminals just as much as other industries. According to The American Bar Association, 25 percent of law firms with 100 or more employees have experienced cybercrime. As the size of the law firm increased, it would seem that the likelihood of a hack is greater. Most of the 100 largest law firms in the world have been breached to some extent, according to Bloomberg Business.
In light of this, here are a few simple, but effective methods that can enhance law firm cybersecurity:
The reason law firms are appealing targets is because they house large quantities of sensitive information pertaining to their clients. These clients may be in any number of industries. This means that hackers aren’t necessarily trying to bring down a law firm, as much as they might be going after a client.
As such, there is a responsibility among law firms to protect their data with strong encryption. The basic concept of encryption is that the raw data is essentially turned into a cipher that can only be understood with a certain digital key. This length of this key will ultimately determine how strong the encryption is. This is important, as it can dictate how long it would take hackers to decrypt the sensitive information.
Strong Public Key Infrastructure (PKI)
Strong encryption of sensitive data is a good place to start, but it’s often not enough on its own. According to TechTarget contributor Margaret Rouse, the quality of public key infrastructure (PKI) is just as important, if not more so, than the type of encryption used.
This is because encrypted data and the corresponding key could, in theory, be shared or taken by a hacker claiming to be someone they’re not. PKI solves this problem in an elegant way. Rather than authenticating the person on the other end, PKIÂ authenticatesÂ a digital certificate issued by a certification authority. If the user does not have this certificate, there is no way that he or she can access the data in its unencrypted form.
This methodology is what allows web servers to communicate with browsers securely, ensuring the security of e-commerce and other web traffic. When applied to a law firm’s network, it helps to ensure that the only people who can access data are those that have the proper digital certificate enabling them to do so.
Hackers don’t necessarily have to steal a law firm’s encrypted data to cause harm. Sometimes, they can extract information from communication portals, for instance, by hacking an email account. One of the common ways that this is achieved is through phishing scams.
Phishing scams spamming email and other electronic communications with the hopes of getting a user to download certain malware, or unknowingly divulge login credentials. For instance, a seemingly harmless PDF file could actually be a nasty strain of keylogger malware designed to track keystrokes so as to steal a password. Once this password is stolen, hackers may be able to dig for the information they’re looking for.
One solution that can be helpful to guarding email and other private accounts is two-factor authentication. Rather than requiring a single password for account login, users would have a second verification request sent to them via text message. This might be a one-time password that the user must input to login, or it could be a click to confirm the login attempt.
Much like the use of digital certificates, 2FA ensures that hackers cannot log into the account without the corresponding mobile device. Even if keystroke malware was able to extract a password and account name, it wouldn’t be able to make it past the second layer of authentication.
The goal of cybersecurity should ultimately be to cover all of your bases. Strong encryption, trusted PKI and layered authentication are great places to start for law firms interested in bolstering their cybersecurity strategy.