Brodies recently hosted an International Legal Technology Association (ILTA) seminar focussed on cybersecurity and risk reduction for law firm technology leaders. As we enter CyberScotland Week, here, we summarise the key takeaways for law firm technology professionals to ensure resilient data security.
The session started with some hard-hitting facts from presenter John Anthony Smith, founder of Conversant Group, which helps businesses protect against cyber-attacks via its Grypho5 and Athena7 battalions and provides post-breach response services via its Fenix24 battalion. John explained that a cyber-attack on a business is a case of "not if, but when": a cyber-attack occurs every 14 seconds and the average cost of a ransomware attack is $5.13m.
While acknowledging the inconveniences of introducing further security measures to firms, the importance of these measures was repeatedly emphasised and set against the impact of attacks and the cost of not protecting the firm adequately.
Immutable backups are the most important security control
Securely backing up all data in an "air-gapped" physically and logically separate location prevents it being encrypted or deleted by attackers, and ensures your firm can recover its data after a breach has occurred.
Simply replicating data to a separate availability zone (in the cloud) or to a third-party cloud is not sufficient to protect it. Such data can still be accessed by hackers and destroyed if it is not securely protected, and Software as a Service providers often do not back up your data; they only store and replicate it, meaning that if their service is compromised you have no way to recover it. Once a ransomware attack has occurred, even where the ransom has been paid, the chance of getting all of your data back is slim: decryptors (which the hackers, in theory, provide when the ransom is paid) are only 60% effective on average. So a firm could pay millions in ransom and still not get all its data back. Backing up data properly is crucial to ensure that companies can continue to operate after a breach has occurred.
Better password hygiene
Companies should remove password caching mechanisms on devices and require sixteen-character passwords. Long and strong passwords are orders of magnitude stronger than, for example, eight-character passwords, which can be cracked in under one millisecond. The longer the password, the more difficult it is for malicious tools and actors to guess it by trying randomised letter, word and number combinations, or by replaying compromised hashes and passwords. If possible, passwords should also be rotated at regular intervals.
Passwords that have been stolen are often sold on the dark web after a cyber-security breach has occurred. The term "dark web" describes a less well-known part of the Internet used primarily for criminal activities. Organisations should use tools to sweep the dark web for compromised passwords that are in use in their systems, and require any users of those passwords or hashes to change their passwords immediately.
Operate under the assumption that all external software is unsafe
Firms should assume that all software is risky until proven otherwise, and that outsourcing a system or service does not outsource responsibility for the data. Hackers often access data via third-party platforms, and the data controller will ultimately be held responsible for a data breach even if it is not directly at fault. It is recommended that businesses choose one tool for each particular requirement (for example, a remote access tool that allows the helpdesk to reach the organisation's devices, or a password management tool) and block all other tools of that kind, to minimise the risk of a cyber-attack through those other platforms. Thoroughly reviewing suppliers and their data protection measures before entering into a contract with them is also recommended, to ensure that they are adequately protected against cyber-attacks.
Block access to personal email services
Employees should not be able to access their personal email accounts on work-related devices. This presents a further risk to data if employees' personal accounts (which often do not have the same security protections applied as work devices) experience a cyber-attack.
The importance of good cyber security cannot be overlooked. Safeguarding digital data sets is not only a responsibility under UK data protection law; there is also the potential for significant reputational harm if data is not protected sufficiently. A robust cybersecurity strategy not only implements the above recommendations to improve the resilience of a company's systems against cyber-attacks, but also encompasses a clear response plan in the event of a breach.
Cyber risk is an ongoing challenge for professional services firms. If you are interested in any of the above topics, please join us on Thursday, 29 February for our CyberScotland Week event, "Managing Cyber Challenges in the Professional Services Sector".