Working from home
By Joanne Hunter, Select Legal Systems Limited. June 2020.
When the Prime Minister spoke to the nation on 23 March 2020, instructing us all to work from home if we possibly could, millions of people all over the country were forced to set up virtual offices very quickly in their living rooms, kitchens and bedrooms. Even those members of staff that none of us ever anticipated would need to work anywhere but the office have been set up for home working overnight, across all sectors. Some were more prepared for this than others, but on the whole law firms seem to have found the transition relatively straightforward, because those with good practice management software providers have had homeworking options available to them for many years.
With homeworking happening on such a mammoth scale, many Managing Partners will now, I’m sure, be breathing a huge sigh of relief because they’ve achieved homeworking for so many of their staff so quickly and with relative ease. However, don’t breathe too soon! What law firms need to think about now, and urgently, is their cyber security, and how they can ensure the people they have set up at home are working just as securely as they were when they were in the office.
Due to the nature of their work, law firms are obvious targets for cybercriminals. With so many workers accessing systems from home, cyber threats for law firms are heightened many-fold.
Here are our top eight security tips for any law firm that has staff working from home.
1. Put A Reporting Mechanism In Place For Your People
Make sure staff know how they can officially report any security concerns or problems they have whilst working from home, so that your IT Support are fully aware of any potential threats to the business.
People who don’t work in IT may not realise the significance of a cyber threat, and if you don’t make lines of communication available to them so they are able to report their concerns, they may not alert the right people promptly enough, which could have a detrimental effect on your firm’s cyber-security.
2. Ensure Everyone Has Strong Passwords & Two-Factor Authentication
Review your practice-wide password policy to make sure everyone in the business is setting strong passwords and using 2FA (two-factor authentication) wherever relevant. The National Cyber Security Centre advocates using three random words for your password(s), for example 3redhousemonkeys27!
People should choose random words that are memorable only to themselves, but that other people cannot guess. Social media accounts can give away vital clues, so your people need to think about this when setting passwords. Many of us do this unwittingly every day. Chances are your passwords, or clues to them, are plastered all over your social media posts without you even realising it. NEVER use the following personal details for your password(s):
• NEVER USE the names or nicknames of your partner, children, family or pets!
• NEVER USE your place of birth
• NEVER USE your favourite holiday destination
• NEVER USE words relating to your favourite sports teams
Cyber criminals know all the tricks of the trade, so simple substitutions such as ‘Pa55word!’ should be avoided by all staff, whether working from home or the office. There is lots of excellent advice on the National Cyber Security Centre website about passwords and two-factor authentication – https://www.ncsc.gov.uk/
3. Keep All Devices Safe
Across the country home workers are using a combination of their employers’ devices (PCs, laptops etc.) and their own personal devices (laptops, phones, tablets etc.) for home working. Either way you need to make sure your staff understand the risks of using devices outside of the office for work purposes.
Firstly, all devices used for work, wherever they are, should be running the most recent software for both operating system and applications, including anti-virus software of course.
Make sure your people know what you expect of them in terms of keeping their devices safe whilst away from the office. They also need to know what you want them to do if a device is ever lost or stolen. Reporting lost devices as soon as possible will help your IT people to keep your firm safe.
4. Switch On Encryption
Devices are more likely to be lost or stolen when you have staff set up for home working.
Most modern devices have encryption built in, but it may need configuring or switching on.
Ensure all devices that are being used at home by your workers are set to encrypt data while at rest.
5. Use Mobile Device Management
It’s a good idea to set up all your home working devices with a standard configuration so that your IT people can lock them or delete data from them remotely, using MDM (Mobile Device Management).
6. Have A VPN In Place
Having a Virtual Private Network (VPN) in place provides an additional layer of security for home workers accessing your firm’s IT resources – e.g. your practice management system, your email system etc. If you are already using a VPN, make sure it is fully patched. You may need extra licences, capacity or bandwidth if you’re supporting more home workers.
Your users should avoid using free WiFi hotspots without a VPN, so that their device’s traffic is encrypted and harder for a cyber-criminal to intercept.
For LAWFUSION Direct users, the service (our hosted solution for law firms on the LAWFUSION Cloud) is fully patched and optimised. If you manage your own IT infrastructure in-house, it is worth checking.
7. Empower Your Staff To Spot Scams, Risks & Threats
Make sure your staff understand the risks of clicking on links and attachments in digital correspondence. For instance, people should be wary of emails and text messages that contain links and attachments. Users should avoid clicking on either unless they are absolutely sure of the validity of the sender.
Sophisticated cyber criminals prey on businesses and individuals every day, and Covid-19 just gives them another opportunity. Coronavirus scam emails are doing the rounds, some encouraging people to donate to help our doctors and nurses, others offering fake news about cures, vaccines and maps. Scam links of this nature will send your users to dodgy web pages that could download computer viruses or steal your passwords, which could put your whole business network at risk. Law firms need to alert home workers (and office workers) to the additional risks, and remind them to take care.
Here are two examples of scams doing the rounds currently:
Fraudsters are targeting users working from home, urging them to invest in bitcoin. They are telling victims they can help fight Coronavirus if they do so. You might think your staff aren’t so gullible as to fall foul of such a scam, but these cybercriminals are very convincing and highly skilled in the art of persuasion. You’d be surprised.
The second is a map from a malicious site disguised as a genuine news site. It highlights hotspots for Coronavirus cases, but the site infects visitors with the AZORult Trojan malware, which steals sensitive data. According to the Yorkshire & Humber Regional Organised Crime Unit, it is being spread by email attachments, online adverts and social engineering.
Please make sure your staff are absolutely clear that they MUST NOT CLICK ON LINKS OR OPEN ATTACHMENTS WILLY NILLY. For genuine information about the pandemic they should go only to trusted resources such as Public Health England and the NHS.
The National Cyber Security Centre offers free cyber-security training for UK companies online here: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available
8. Don’t Panic!
If you, or a member of staff, have already clicked on something suspicious – try not to panic!
The first thing to do is let your IT support know, and then open your anti-virus software and run a full scan, following the on-screen instructions. This should pick up any real threats. Liaise with your IT support about the results of the scan.
If you’ve been tricked into sharing your password, you should change your password immediately and, to make doubly sure, change your passwords for all your other accounts.
Again, liaise with your IT support about what’s happened.
If you have lost money, you should report it as a crime to Action Fraud (www.actionfraud.police.uk).
Keep your IT Support in the picture.
Select Legal Systems Limited, authors of LAWFUSION, the leading suite of legal practice management software, is an ISO information security certified company. The company is also certified for the Government’s Cyber Essentials Scheme.
For more information about Select Legal Systems Limited or LAWFUSION please call us on 01482 567601 and the members of Team LAWFUSION (who are all currently working 100% from home) will be there to help you, during office hours. Before 9am, or after 5.30 pm, please contact us via our online LAWFUSION Enquiry Form here.