Lawyer Monthly - December 2021 Edition
45 DEC 2021 | WWW.LAWYER-MONTHLY.COM

RANSOMWARE: WHAT CAN BE DONE TO PROTECT LEGAL FIRMS?

data – including client data – onto the dark web. In that situation, a firm may be able to get operational again, but the real damage has already been done; the lasting impact goes far beyond simply paying a ransom. Data can be spread globally for anyone to access, meaning firms have to let clients know that their information is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. This can seriously hurt the reputation of the firm and those they work for and with.

Regulators, too, will compound that damage and ensure that firms comply with protective measures. Law firms are now looking at huge fines from industry bodies such as the Information Commissioner’s Office (ICO) and the Solicitors Regulation Authority (SRA) if they do not have the right security controls and governance in place.

Do not take a siloed approach

Too many firms still deal with risk and IT security as separate entities. They often leave the responsibility for being secure from cyber-attacks to their IT team, but this approach will not bear scrutiny from regulators, clients or the media. Risk is a much broader responsibility, and it is not something that should rest entirely with IT. Of course, the IT team does play its part, but as with every important functional operation in a firm, governance is key. The whole firm needs to be aware of its own role in controlling risk, especially as most IT breaches come from employees doing something they should not. The biggest threat to a firm’s security can, more often than not, come from something as simple as someone unsuspectingly clicking a link in an email, or giving information out over the phone.

Other major risks to a firm’s security come from potential vulnerabilities within internet-facing IT systems, including those run internally and those reached through third-party electronic links into the firm, such as partner organisations, cloud providers and website hosts. Every one of these links to a firm poses a risk, and each must be evaluated and tested. Law firms should therefore carry out penetration tests to ensure their own systems are effective. They must also look to their external relationships with third parties to ensure that these partners also have effective security controls and governance in place.

How can a firm deal with security threats?

Where ransomware is concerned, there are basic measures that should be in place to ensure firms have controlled the bulk of the areas of risk.

Eliminate air gaps in backups

Ransomware attackers are focused on encrypting data, which could take a business down for several days. Organisations should therefore ensure backups are not located on the same network (local or wide area) as their data, as this could leave a firm with no chance of recovery.

Ransomware is the largest and most prominent risk that law firms face today.