LSSA gives law firms tips on fighting cybercrime

Keeping law firms and client funds safe from cyber criminals

Craig Matthews and Adrian Jones from the Legal Software Suppliers Association outline some of the risks from cyber criminals and give helpful tips to lawyers:

Cyberattacks can take many different forms. The most complicated, those that make headline news, normally involve direct hacking attacks on government or large corporate networks, either to disrupt their business or simply to add the scalp to the hacker’s resume. These attacks are often very complicated and involved. Highly talented software engineers will work their way through the very best firewalls and intrusion detection applications available, not to mention all the other security modules these firms will have deployed on their network. The reason these attacks are deemed newsworthy is that they are relatively rare, but they often involve private individuals or companies being defrauded of large sums of money. The most frequent cybercrimes, phishing scams, are conducted through comparatively simple methods and happen all of the time.

Phishing scams are designed to convince the end user to provide the hacker with their username and password so the hacker can gain access to their PC, network or email account.

It is more likely that you or a member of your firm will fall foul of one of these phishing scams than of a full-scale hacker attack. You must of course still ensure your firewall, intrusion detection application and other hardware and software security devices are properly maintained, up to date and appropriate for the risk profile of your firm, but even the most complex security designs can be breached if a user unwittingly gives their credentials to a hacker.

So how can you avoid falling foul of a phishing scam, and how can you mitigate cybercrime? The key is education.

In this article we look at how your firm can adopt better password protection and avoid members of staff giving out their credentials unwittingly. We also look at how you can adopt new business processes, or adapt your current ones, to add extra layers of protection and security when dealing with your clients, without over-complicating your processes and making them unwieldy.

Following the simple lessons below could greatly assist in reducing the likelihood that your firm will fall victim to a phishing scam or password theft.

Managing your credentials. Don’t give them out. The simplest way for a hacker to break into your computer system is with your credentials. Never provide your credentials to a third party. No reputable firm will ask you to disclose your username and password for any service they provide, and most certainly would not ask you to disclose your username and password for any services they do not provide.

Don’t log into any websites or portals unless you know and trust them. Phishing scams often involve the victim receiving an email with an attachment. Upon opening the attachment, the victim is asked to enter their username and password to download the contents. Don’t! You should never need to enter your credentials to download an attachment sent to you. If you are at all in doubt, contact the sender to verify the contents of the email. If the attachment is particularly sensitive, we would recommend asking the sender to upload the document to a portal or deal room site and provide you with access to it, rather than sending it via email.

Don’t save your passwords. Most web browsers will ask you if you want to save your username and password. Don’t! Saving your credentials to your web browser means that anyone who gains access to your machine can gain access to all of the applications you use. Anyone using the browser can also view a list of all usernames and passwords saved in it, in plain text. We recommend that you turn the save password or remember password setting off on all devices and all browsers.

Don’t write your passwords down. Whilst you may not be giving out your credentials, writing them down and sticking them to your monitor is equally risky. Whilst we all trust our fellow co-workers, you may have third parties walking through your office, and any of these could see and make a note of your password. Leaving out your username and having just your password on show is no less of a risk: most corporate networks and email accounts follow the same username pattern, meaning that if someone has your password they can easily guess your username.

Use strong passwords. A great number of computer users still use weak passwords. Just as a hacker with your password can guess your username, a hacker with your username can guess a weak password. Your password should be at least 8 characters long and should contain a mixture of upper and lower case letters, numbers and special characters. Your initials and date of birth, whilst they may meet the minimum security requirement, are still a weak password, as they would be easy for anyone who knows you to guess. The more obscure your password, the better.

Change your password. If you are given a password, the first thing to do is to change it. You immediately reduce the number of people who know your password to just one person. You should also change your passwords frequently. Approximately every 45 days is a sensible time frame.

Use different passwords. It can be difficult to keep track of your different passwords for your different applications; however, this shouldn’t prevent you from having a different password for each application. If you were ever to unknowingly give out your passwords or have your account hacked, far less harm will be done if the hackers only have access to one account and not all of your accounts.

By ensuring your staff understand the risks of providing their credentials to even trusted third parties, and by following the rules above, you will greatly reduce the likelihood that your firm will become a victim of cybercrime.

Keeping your passwords safe is of course not enough on its own. Educating your staff about the risks throughout a transaction, and adopting all or some elements of the process below, will also greatly reduce your risk. Taking extra steps at appropriate times throughout a legal transaction can make a major difference to how likely you and your firm are to be subject to cybercrime. At engagement, when money is first exchanged and at each subsequent exchange, when confidential information and documents are shared, and at various other stages, using simple-to-follow procedures and educating your staff as to how they must operate may very well save you and your firm from becoming a victim.

Tips to help prevent cybercrime: