Did you know that in Cisco Systems Inc.’s 2015 Annual Security Report, law firms were ranked as the seventh most-vulnerable industry? That’s scary, considering how heavily law firms rely on data, and how heavily their clients rely on privacy.
In a previous blog, we investigated the top cybersecurity threats to law firms. We discussed malicious attacks and points of entry, the greatest of which was malware. The fact of the matter is that your law firm is vulnerable to things like ransomware and spyware, and that it takes more than anti-virus to keep you protected.
When our clients ask us how to best protect themselves from malware, then, we’re always happy to have a discussion about both the technical and the social solutions necessary to keep a firm’s data secure. Below we’ll walk through how exactly malware can impact your law firm, and provide actionable steps for protecting your firm against it.
How is malware putting your law firm at risk?
What exactly is malware, and how can it affect your firm’s data? Here are some quick definitions:
- Malware is actually not a specific threat itself, but rather a blanket term that encompasses any software that gets installed on your machine to perform unwanted tasks for a third party’s benefit. Spyware, viruses, and ransomware are all forms of malware.
- Viruses are types of software that can self-replicate and spread to other computers on your network—hence them being likened to an infection. Viruses are programmed to damage a computer by deleting files, reformatting a hard drive, or using up computer memory.
- Spyware is software that gathers information from your computer, data, and system, and transmits it to interested parties. We’re talking your web history, browser and system information, and IP addresses. Advanced spyware can even monitor your keyboard for any personally identifiable information (PII). For an industry that necessarily deals with privileged information, this brand of malware is quite troublesome.
- Ransomware is a type of software that hackers use to hold individuals’ data hostage until they pay for its release. CryptoLocker, the first form of ransomware, appeared in September 2013 and circulated by way of infected email attachments. Here, your files are encrypted until you pay a certain price—and the only way around it (without paying) is to restore a backup of your data. We’ve seen ransomware hit law firms, and if not for their disaster recovery solution, the consequences could have been devastating to their operations and reputation alike.
The best ways to prevent malware for law firms
Here are a few of the best ways to protect your firm from malware. As you’ll see, not all of these solutions are technical in nature.
- Keep anti-virus and anti-malware up-to-date. Sure, almost all law firms have this software in place. But is it being updated on a continual, consistent basis? Your protection is only as good as your maintenance.
- Keep your operating systems, firewalls, and firmware up-to-date. Are your servers and workstations running operating systems that are still being supported? Is your firewall current? Is everything being automatically updated and patched on a consistent basis? What about your firmware? It is important that these elements stay current to protect against evolving threats.
- Create and enforce password policies. Good, difficult-to-guess passwords are essential to computer security. What makes a strong password? In a nutshell, they (1) are at least eight characters long; (2) include letters, numbers, special characters and capitalization; and (3) are changed infrequently. Create a company policy that outlines these tips, and hold attorneys and staff to it. (Have a fussy partner? Get them a password manager before you let them off the hook.)
- Create and enforce an equipment use policy. Set boundaries as far as what your attorneys and staff are permitted to do on company-owned equipment. To what extent can they use things like laptops and phones for personal purposes? Can they install software of their choosing? Will there be mandatory scans, backups, or encryption? Establish clear rules, and wrap them into your onboarding process.
- Create and enforce an employee separation policy. Is your firm doing anything to ensure that access to your network is effectively revoked immediately upon an employee’s departure? When an employee leaves—whether they’re a partner, attorney, paralegal, or support staff member—this termination policy must be enforced so that disgruntled former employees cannot introduce malware to your system or access confidential data.
- Educate employees: This is the kicker. An essential part of practicing secure computing is educating employees to make smart computing decisions. For example, what would folks inside your firm do if someone called and asked for their social security number? Create regular, security training sessions for your employees that cover security basics, including:
- Avoid clicking on suspicious links in emails
- Avoid going to suspect websites
- Ensure all downloads are automatically scanned by anti-virus
- Create multiple strong passwords—and don't change them too often
- Do not run programs from which you cannot identify an origin
In today’s world, we all must prepare in order to protect our organizations. Once you establish the basics (investing in a robust anti-malware software), create comprehensive policies and user training programs to round out your law firm’s anti-malware efforts.
Beyond that, we also strongly recommend periodic security audits as a way to keep your firm secure. After all, the best way to make sure you’ve remediated all existing vulnerabilities is to have an outside resource actively prod your systems for vulnerabilities. Your provider will run scans, they’ll analyze your existing policies, and they’ll set forth prioritized recommendations to reinforce any weaknesses. (For more on this, check out this article on security audits and how much they’ll cost your firm.)
True, this all is an investment of time (and sometimes money) that you may not feel your firm has to spare.
But think about it: when it comes to the security of your data, what price are you actually willing to pay?