Lawyer Monthly - December 2021 Edition

46 WWW.LAWYER-MONTHLY.COM | DEC 2021

RANSOMWARE: WHAT CAN BE DONE TO PROTECT LEGAL FIRMS?

How can firms decide how far to take IT security?

With cyber-attacks ever-present, firms must really understand all the risks they face and how likely each of those risks is to be exploited. The question is, how can this be done? Law firms need a system or a framework in place. Too many organisations obtain Cyber Essentials and believe that it covers all aspects of cybersecurity. However, the Cyber Essentials and Cyber Essentials Plus certifications only represent the most basic level of protection.

Have a robust framework

The only way a firm, and particularly its leadership, can get a grip on IT security is to work at a governance level, that is, to implement an Information Security Management System (ISMS). An ISMS built on a standard such as ISO 27001 will give law firms a detailed understanding of their risks and how to control them. This should also extend to third parties, as accountability cannot be outsourced when it comes to risk. Those with an ISMS are already doing the right thing from a leadership perspective: they know their risks, know the control measures in place and review them continually. They are able to make a call about what they need and want to put in place, based on real knowledge. Ultimately, the firm's board will be responsible and accountable for the security of the firm, so it is crucial that the board understands the role it plays in order to act effectively.

Implement a rigid patch management policy

Many businesses patch their systems to fix security vulnerabilities on a weekly or monthly basis, but a fixed schedule alone is not enough. IT teams need to be continually alerted to new and emerging threats, or rely on specialist IT security partners to deal with these dangers with urgency.

Managing employee threats

Again, staff can often be the weakest link, and there are critical measures that firms need to put in place to protect themselves. As a minimum, employees should be given the training they need to spot suspicious behaviour online. But there is more that firms can do.

Many firms allow their staff to connect from home or from other locations such as coffee shops and hotels, often over unprotected networks. Controlling these risks via a VPN solution is critical. Others may allow staff to plug anything into a work computer, such as USB drives. Do not forget that for decades removable disks were the primary way for viruses to get onto IT systems, and this risk has not gone away. It is important that USB ports are locked down to only known, IT-approved devices.

Creating robust security barriers

Other ways in which law firms can create barriers against security threats include having an advanced email security protection system in place, to check both the links and the attachments in emails, and Next Generation AntiVirus, which can spot ransomware attacks before they do any damage. Traditional AntiVirus solutions are no longer enough. Firms should also use two-factor authentication. This is one of the most effective ways of protecting against ransomware and security breaches: third parties may be able to steal a password, but they cannot get access to systems without also presenting the second factor, typically a known, registered device. Finally, firms will need a system that continually looks for suspicious behaviour (a Security Information and Event Management system, or SIEM), and a team that can take any alerts and respond to them accordingly (a Security Operations Centre, or SOC). These are the last steps and can be expensive, so firms should make sure that they have covered the basics before looking down this road.

Together, all these measures will form a robust defence and continual improvement operation for any law firm, ensuring it can defend itself against, and respond to, both security incidents and the growing threats it faces.

Robert Rutherford is an IT industry leader with over 24 years of experience working with IT and business systems. He leads QuoStar by providing strategy and vision for the business whilst also remaining active with clients, providing insight and solutions for their various business challenges and opportunities.

David Clarke is a veteran cyber-security consultant with over 25 years of experience in the sector. He has worked with clients ranging from SMEs to the FTSE 100 and previously held Global Head of IT Security roles at BT and Radianz, during which he was responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion-dollar environments.

QuoStar is a full-service IT provider that delivers fully managed IT support, consultancy, co-sourcing and cloud services alongside a range of other offerings for businesses with 30 to 300 staff. QuoStar has a track record of helping mid-sized law firms to grow and gain a competitive advantage by delivering specialist IT support, consultancy and security services in the sector.
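As an added worked example for the USB port lock-down recommended under "Managing employee threats" above (this is editorial example code, not code from the article or from QuoStar), the following PowerShell script applies a Windows "Device Installation Restrictions" allow list: anything not explicitly listed is blocked from installing, approved USB storage models are allowed by hardware ID, and the input-device and hub classes are allowed so the policy does not disable keyboards, mice and docks. It assumes Windows 10/11 or Server 2016+, local administrator rights, and that the policy is applied locally; the hardware ID in the allow list is a constructed placeholder to be replaced with the value reported for the firm's approved drive.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): restrict USB storage to IT-approved devices
# using the registry values behind the Group Policy "Device Installation Restrictions"
# settings. On domain-joined machines set the same values via a GPO instead, or a
# policy refresh will overwrite local edits.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Constructed placeholder: hardware ID(s) of the firm's approved USB drive model(s).
# Replace with the real IDs reported by Get-AttachedUsbStorageIds on a machine with
# the approved drive plugged in.
$ApprovedStorageHardwareIds = @(
    'USBSTOR\Disk&Ven_Example&Prod_SecureDrive&Rev_1.00'
)

# Device setup classes that must remain installable so the lock-down does not
# block new keyboards, mice, hubs or docking stations (well-known class GUIDs).
$AlwaysAllowedClasses = @(
    '{36fc9e60-c465-11cf-8056-444553540000}'  # USB host controllers and hubs
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'  # HIDClass
    '{4d36e96b-e325-11ce-bfc1-08002be10318}'  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'  # Mouse
)

function Get-AttachedUsbStorageIds {
    # Hardware IDs of USB mass-storage devices currently attached, so IT can copy
    # the ID off an approved drive rather than typing it by hand.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object { $_.HardwareID } |
        Where-Object { $_ -like 'USBSTOR\Disk&Ven_*' } |
        Sort-Object -Unique
}

function Set-PolicyList {
    param([string]$Name, [string[]]$Items)
    # Each list policy is a DWORD switch under Restrictions plus a subkey of the
    # same name whose string values "1", "2", ... hold the entries.
    $listKey = Join-Path $Restrictions $Name
    if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }
    New-Item $listKey -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $i = 1
    foreach ($item in $Items) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $item -Force | Out-Null
        $i++
    }
}

function Enable-UsbStorageAllowList {
    New-Item $Restrictions -Force | Out-Null
    Set-PolicyList -Name 'AllowDeviceIDs'     -Items $ApprovedStorageHardwareIds
    Set-PolicyList -Name 'AllowDeviceClasses' -Items $AlwaysAllowedClasses
    # Block installation of any device not matched by an allow list above.
    # Deliberately NOT setting DenyRemovableDevices: that policy takes precedence
    # over every allow list and would block the approved drives as well.
    New-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-UsbStorageAllowList {
    # Read the policy back so the change can be verified now and audited later.
    $p = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    $ok = ($p.DenyUnspecified -eq 1) -and ($p.AllowDeviceIDs -eq 1) -and ($p.AllowDeviceClasses -eq 1)
    $allowed = (Get-ItemProperty -Path (Join-Path $Restrictions 'AllowDeviceIDs')).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    foreach ($id in $ApprovedStorageHardwareIds) { if ($allowed -notcontains $id) { $ok = $false } }
    return $ok
}

Enable-UsbStorageAllowList
if (Test-UsbStorageAllowList) { 'USB storage allow list applied' } else { throw 'Policy not applied as expected' }
```

Two caveats a practitioner should check before rolling this out. First, these restrictions are enforced when a device is installed, so a USB stick that was plugged in before the policy existed already has its driver and keeps working; remove such devices from the machine (or reimage) as part of the rollout. Second, allow-listing by hardware ID approves a make and model, not an individual unit; if the firm needs per-unit control, issue drives of a model that no one else is likely to own, or use the companion instance-ID policy in the same Group Policy folder, which this example does not configure.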
