Late last month, UK law firm Duncan Lewis alerted regulatory bodies and the National Crime Agency Action Fraud team that a data breach occurred in their firm. According to a report in the Law Society Gazette, hackers infiltrated the IT system of the national firm to harvest data before attempting to spread data through social media.
Duncan Lewis urged people not to open any links to Twitter accounts that may contain sensitive information as it worked to contain the data breach. To protect their clients, the firm secured a High Court Injunction preventing the use, publication, communication or disclosure to any other person of any information obtained from Duncan Lewis’ IT systems.
Hacking is proving a major headache for law firms and other professional services. In December 2017, London practice Anthony Gold Solicitors was hacked and had to tell people to delete any emails purporting to be from the firm’s address. Some 16,000 phishing emails with malicious attachments were sent under the subject line ‘Action Required – Matter for Attention’.
Then there was the DLA Piper cyber-attack, which brought operations to a halt and cost millions in lost productivity and recovery costs.
The Solicitors Regulation Authority, which receives around 40 reports of confidentiality breaches each month, stresses the importance of running the latest versions of software, in particular browsers and operating systems, and of keeping them up to date.
With cyber-criminals getting smarter and regulatory compliance around reporting hacking getting tougher – the GDPR comes into force in less than a month – here are three positive steps you can take to prevent hackers from targeting your law firm.
One – Never underestimate how smart hackers are
It would be tempting to think law firms like Duncan Lewis, Anthony Gold Solicitors, and DLA Piper were simply lax in their cyber-security. But this is far from the truth. For example, DLA Piper had published a blog advising businesses how to protect themselves from the next devastating ransomware attack just days before they themselves fell victim.
Responsible law firms invest tens of thousands of pounds a year (and the bigger firms far more) on cybersecurity. But the fact is malware attacks such as Petya and WannaCry are designed to exploit certain vulnerabilities. In addition, hackers are increasingly using automated tools to find and attack vulnerable servers.
Two – Identify vulnerabilities, patch the ones you can and note the ones you cannot
WannaCry and Petya both used an exploit known as EternalBlue to target a vulnerability in the Server Message Block (SMB) protocol. Therefore, a top priority for law firm IT staff should be to identify any machines that have port 445 (the port associated with SMB) open and exposed to the Internet and secure them. The same should also be done for port 3389, the port associated with Remote Desktop Protocol (RDP).
A port scanning tool such as Nmap can assist you with identifying open ports within your network.
All the machines across your practice’s network should be patched and up-to-date. However, for multi-national offices, this can be a logistical nightmare. If certain machines cannot be patched or are outdated, limit your risk by reducing their access to certain parts of the network.
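As an added illustration of the check described in this step (example code written for this page, not a tool from Duncan Lewis, the SRA or any firm mentioned), the script below reads Nmap's grepable output and lists every host on which port 445 (SMB) or 3389 (RDP) is reported open, so the list can be handed to whoever is responsible for patching or firewalling those machines. It assumes you have already run something like `nmap -p 445,3389 -oG scan.gnmap` against your own address range; the sample output embedded in the script is constructed and the hosts in it are fictitious.

```python
"""Flag hosts that expose SMB (445) or RDP (3389) from Nmap grepable (-oG) output.

Added example for this article, not code from the original page. Assumes a
scan was run with:  nmap -p 445,3389 -oG scan.gnmap <your own address range>
The sample below is constructed; the hosts and names in it are fictitious.
"""
import re
import sys

# The two ports the article singles out: SMB (EternalBlue's target) and RDP.
HIGH_RISK_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample of -oG output for three fictitious hosts on a private range.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (fileserver.example.internal)\tStatus: Up
Host: 10.0.0.5 (fileserver.example.internal)\tPorts: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (0)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.12 (printer.example.internal)\tStatus: Up
Host: 10.0.0.12 (printer.example.internal)\tPorts: 445/closed/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
# Nmap done (constructed sample)
"""

# Each port entry in a "Ports:" field looks like  445/open/tcp//microsoft-ds///
# The state may also be a combined value such as "open|filtered".
PORT_RE = re.compile(r"(\d+)/([\w|]+)/tcp")


def parse_gnmap(text):
    """Return {host: {port: state}} for every 'Ports:' line in grepable output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs until the next tab-separated field (if any).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        results.setdefault(host, {})
        for port, state in PORT_RE.findall(ports_field):
            results[host][int(port)] = state
    return results


def exposed_hosts(text, ports=HIGH_RISK_PORTS):
    """List (host, port, service) tuples where a high-risk port is definitely open.

    Only the exact state 'open' is flagged; 'filtered', 'closed' and the
    ambiguous 'open|filtered' are left for manual follow-up.
    """
    findings = []
    for host, states in parse_gnmap(text).items():
        for port, name in ports.items():
            if states.get(port) == "open":
                findings.append((host, port, name))
    return sorted(findings)


if __name__ == "__main__":
    # Read a real -oG file if one is given, otherwise use the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, port, name in exposed_hosts(data):
        print(f"{host}: port {port} ({name}) is open; patch or firewall this host")
```

Scanning from inside the office network shows which machines answer on these ports at all; to see what is genuinely reachable from the Internet, the same scan needs to be run from outside the firm's perimeter against its public addresses.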
Three – Have your data backed up in three copies and two separate locations
This is known as the 3-2-1 backup strategy. One of the data locations should be offsite. Note, this does not mean the Cloud. By doing this, even if one copy of the firm’s data is encrypted and destroyed, there will be a safe copy held offsite which will allow the firm to keep operating.
There are many other steps to developing and maintaining a robust cyber-security strategy. Training staff to be alert for suspicious files and emails, having an emergency response plan and adequate cyber-attack insurance are also essential in keeping your legal practice and your clients safe from hackers.
The most important aspect of cyber security is keeping up to date with developments and ensuring there are the resources, both financially and in terms of staff, to respond to new threats.
When it comes to cyber-security, times are always a-changing…
We have been helping legal professionals with professional disciplinary and regulatory hearings for over 20 years. If you have any questions relating to cyber-security and compliance, please call us on 0151 909 2380 or complete our Free Online Enquiry and I will soon be in touch.