The Law Firm Security Checklist - Part 1: stopping an attack
Law firms are under attack. Every day, firms are dealing with attacks that post their client data to the internet, or are still struggling with the fallout ($100m+ worth in this case!) of a breach.
While there is no way to prevent attacks, there are many things you can do to:
Reduce the likelihood of a successful attack
Minimize the damage from an attack
Simplify recovery and consequences
This article series will cover each of these points in its own article.
Reduce the LIKELIHOOD of a successful attack
Many of these solutions are free (excluding time and expertise) or cheap options to substantially increase your security:
Multifactor, multifactor, multifactor - so many firms still do not have multifactor authentication (MFA) in place. At a minimum, MFA should be securing all your external access points - VPN, email, document management and any other remotely reachable application. Over the past few weeks of the Covid crisis, we have received weekly calls from firms who experienced security issues. One universal fact: none of them had MFA deployed.
According to Google, MFA can stop 100% of automated attacks. Those are odds you can afford to purchase for as little as $3/user/month with Cisco’s Duo.
Take things one step further and embrace a zero trust model. Any access, even from a trusted device within the network, still requires a multifactor confirmation. Did you know at CGP it takes us 3x MFA prompts to access a client network from when we sit down at our desk?
Which brings us to another point - ensure your vendors have good security in place. Did you know the 2014 Home Depot breach happened via a vendor’s access? One common saying is that your biggest security risk is your employees, but it’s just as likely to be your vendors. This goes double for IT vendors, who often have administrator access to your systems. If your firm runs a Windows environment, you can set expiration dates on accounts, so that a practice management vendor only has access for the six months they need to migrate their product, after which their account is automatically shut off. If they go over their time budget (because that never happens, right?!?), you can simply re-enable the account for a new, shorter period of time.
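The account-expiration approach above can be scripted rather than clicked through in Active Directory Users and Computers. The following is an added example written for this article, not code from CGP or from any vendor. It assumes the RSAT ActiveDirectory PowerShell module is installed and that you run it as an account allowed to modify the target user; the account name svc-pmvendor and the OU path are placeholders, not values from the article. The first function time-boxes a vendor account (and, called again with a new day count, is the "re-enable for a shorter period" step); the second reports vendor accounts that are about to expire, have already expired, or were never given an expiration at all.

```powershell
# Added example (not from the original article): time-boxing vendor accounts
# in Active Directory and auditing the result.
# Assumptions: RSAT ActiveDirectory module present; caller has write access to
# the target users. 'svc-pmvendor' and 'OU=Vendors,DC=example,DC=com' are
# placeholder values.

Import-Module ActiveDirectory

function Set-VendorAccountWindow {
    <#
      Sets (or resets) the date after which the domain controller refuses
      logons for the account. Calling it again with a shorter -Days value is
      how you "re-enable" a vendor that overran its original window.
    #>
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateRange(1, 366)] [int] $Days
    )
    $expires = (Get-Date).AddDays($Days)

    # Set-ADAccountExpiration writes the accountExpires attribute; no scheduled
    # task or manual follow-up is needed for the cutoff to take effect.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires

    # Return the stored value so the change can be recorded in a ticket.
    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

function Get-VendorAccountReport {
    <#
      Audits every user under a vendor OU: expiring within -WarnDays,
      already expired (candidates for deletion), or with no expiration set
      (the gap this whole control is meant to close).
    #>
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $WarnDays = 7
    )
    $window = New-TimeSpan -Days $WarnDays

    $expiring = Search-ADAccount -AccountExpiring -TimeSpan $window `
                    -UsersOnly -SearchBase $SearchBase
    $expired  = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase

    # AccountExpirationDate is $null when accountExpires is 0 or "never".
    $noExpiry = Get-ADUser -Filter * -SearchBase $SearchBase `
                    -Properties AccountExpirationDate |
                Where-Object { -not $_.AccountExpirationDate }

    [PSCustomObject]@{
        ExpiringSoon     = @($expiring | Select-Object -ExpandProperty SamAccountName)
        AlreadyExpired   = @($expired  | Select-Object -ExpandProperty SamAccountName)
        NoExpirationSet  = @($noExpiry | Select-Object -ExpandProperty SamAccountName)
    }
}

# Usage with the placeholder values (six-month migration window, then audit):
# Set-VendorAccountWindow -SamAccountName 'svc-pmvendor' -Days 180
# Get-VendorAccountReport -SearchBase 'OU=Vendors,DC=example,DC=com' -WarnDays 14
```

The NoExpirationSet list is the one to review first: a vendor or contractor account with no expiration is the standing access that the Home Depot example illustrates. Running the report on a schedule and sending it to whoever owns vendor relationships turns the expiration date from a one-time setting into a recurring check.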
Use best-in-class email security, in multiple layers. Even though we use ProofPoint (see left side graphic - industry recognized best-in-class spam filtering), we still pair it with IronScales, an AI-powered anti-phishing system, and other systems. Why? Security is best in layers, especially when those layers are the best technologies available. If it stops even one successful breach, the cost was easily worth it.
At some point, no matter how many defenses you have, something will get through. Wire transfer fraud is a common attack: attackers redirect payments (typically by impersonating an executive, client or vendor) to their own bank accounts. While the above systems stop a lot of these, they are not bulletproof, and often the attack arrives through someone else’s compromised system, such as a vendor’s email account. You should always require multiple methods of confirmation to prevent fraud. This includes client payment and employee payroll changes as well. Have a clearly defined firm policy that requires confirmation via two independent channels (for example, email plus a phone call to a number already on file), with zero exceptions. This prevents the bulk of wire transfer fraud, and is commonly required by your cyber insurance policy as well.
Part two of this series is coming soon, covering:
Keeping your client audits streamlined and staying compliant.
Why EDR is a critical part of your security strategy.