You’re Spending Money in the Wrong Areas of IT Security


We are in the digital age. Cloud and software as a service (SaaS) deployments are the norm, and more enterprise data is being created, transported, processed and stored outside of corporate network boundaries. This makes traditional, perimeter-based security controls and legacy network and endpoint solutions less relevant.

Statistically, small businesses are the target of 50% of the cyberattacks occurring today. That is HALF of all cyberattacks! The types of breaches and attacks range from ransomware to spear phishing emails. In 2017, a business falls victim to a ransomware attack every 40 seconds, and Cybersecurity Ventures predicts that by 2019 it will be every 14 seconds. What is to stop someone from reaching you and your firm?

Oh, But You Already Have Some Security…

Your firm has done some planning and worked with your IT team to spend some money on some security. Did you cover all of your bases – from preventative testing to proper insurance? Have you revisited your policies and procedures recently?

Today’s enterprises are rapidly adopting cloud and hybrid infrastructures, new styles of working, and new ways of connecting remotely. A traditional network perimeter secures only the ingress and egress points of the company-managed network. Antivirus, next-gen firewalls, and VPN alone aren’t enough to thwart attacks on the modern enterprise. Modern enterprises need to define a new perimeter based on identity, one that secures company resources wherever they are located: users, devices, apps, data, and infrastructure.

It is now commonplace to email colleagues and clients from a personal cell phone while traveling, or to work from home. Does your firm have safeguards in place for these technologies? Are you spending money in the right areas, and have you tested your security to see whether it holds up? Many firms do not know all of the ways their employees access their documents. Tablets, mobile devices, public or private Wi-Fi, with or without a VPN: these are just a few of the ways we stay connected, and each is a connection an attacker can try to tap into.

Employees Are Your Biggest Cybersecurity Threat

As employees use these various devices outside of the office, or opt not to take the precautions advised by your IT team, they open up avenues for potential cybersecurity breaches. Yes, you may have policies and procedures in place like:

  • Employees must change their password every 90 days;
  • A VPN client is installed on each computer and must be used to access network drives;
  • Don’t send sensitive client data in email.

These are all important, but does your firm know why each has been put in place? Writing and implementing policies and procedures is the first step; educating your employees is a close second. All it takes is one mistake to lead your firm into a breach.

Many firms allow email and other communication to take place on personal devices (phones, tablets, etc.). That can be a big threat to your firm, so if that is the case, it is important to take the necessary precautions to protect those devices. Are you able to immediately and remotely wipe a device of email and firm materials in the event of an incident, such as a compromise or the device being lost or stolen?

Executive management is seen as the second-most-risky insider, followed by ordinary employees and contractors, according to the 2017 Thales Data Threat Report.

So How Do You Know If Your Security is All Beefed Up?

There are a few ways that your firm can test whether it has enough security in place. Two types of assessments are vulnerability assessments and penetration tests. Don’t be confused: these two are not the same.

A vulnerability is a weakness or ‘hole’ in a computer system that the developer did not intend to create. It can allow an attacker to gain unauthorized access to the system. If left unfixed, these holes give outsiders an opportunity to exploit the system, alter its behavior or steal your sensitive data.

A vulnerability scan is an automated test that identifies the software and services running on your systems and checks them against a database of known vulnerabilities. Once weaknesses are identified, it ranks how critical they are, typically using a severity score such as CVSS that reflects how easily a flaw can be exploited and how much damage it can do.
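To make the mechanism concrete, here is the matching-and-ranking core of such a scanner in Python. This is an added example, not code from the original article or from any scanning product: the product names, version ranges and scores in the advisory list and the discovered services are constructed for illustration and do not describe real software or real advisories.

```python
"""Version-matching core of a vulnerability scanner (illustrative, added example).

The advisory list and the discovered services below are constructed for the
example: the product names, version ranges and scores are hypothetical and do
not describe real software or real advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str      # fingerprinted product name the advisory applies to
    introduced: str   # first affected version ("0" means every earlier release)
    fixed_in: str     # first version that is NOT affected
    summary: str
    cvss: float       # CVSS v3 base score, 0.0 to 10.0


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str      # as reported by a banner or service fingerprint


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10); a non-numeric suffix such as '-p1' ends parsing."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison; '2.4' and '2.4.0' are treated as equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def is_affected(adv: Advisory, version: str) -> bool:
    """introduced <= version < fixed_in (the fixed release itself is clean)."""
    return not version_lt(version, adv.introduced) and version_lt(version, adv.fixed_in)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def scan(services: List[Service], advisories: List[Advisory]) -> List[Tuple[Service, Advisory]]:
    """Match every discovered service against every advisory; most severe first."""
    findings = [
        (svc, adv)
        for svc in services
        for adv in advisories
        if adv.product == svc.product and is_affected(adv, svc.version)
    ]
    findings.sort(key=lambda f: (-f[1].cvss, f[0].host, f[0].port))
    return findings


def report(findings: List[Tuple[Service, Advisory]]) -> List[str]:
    """One human-readable line per finding, in ranked order."""
    return [
        f"{severity(adv.cvss):8} {adv.cvss:4.1f}  {svc.host}:{svc.port}  "
        f"{svc.product} {svc.version}  {adv.summary}"
        for svc, adv in findings
    ]


# Constructed sample data: hypothetical products and advisories, not real ones.
SAMPLE_ADVISORIES = [
    Advisory("ExampleHTTPd", "2.4.0", "2.4.12", "hypothetical advisory HTTPD-A", 7.5),
    Advisory("ExampleHTTPd", "2.0.0", "2.2.5", "hypothetical advisory HTTPD-B", 5.3),
    Advisory("ExampleMail", "0", "3.2.0", "hypothetical advisory MAIL-A", 9.8),
]

SAMPLE_SERVICES = [
    Service("10.0.0.5", 443, "ExampleHTTPd", "2.4.3"),    # inside the HTTPD-A range
    Service("10.0.0.5", 25, "ExampleMail", "3.1.7"),      # below the MAIL-A fix
    Service("10.0.0.9", 80, "ExampleHTTPd", "2.4.12"),    # the fixed release: clean
    Service("10.0.0.9", 8080, "ExampleHTTPd", "2.2.4"),   # old branch, HTTPD-B only
]

if __name__ == "__main__":
    for line in report(scan(SAMPLE_SERVICES, SAMPLE_ADVISORIES)):
        print(line)
```

The boundary cases are the point: the release that contains the fix (2.4.12) is not flagged, an older branch is matched only by the advisory whose range covers it, and the output is ordered by severity so the most critical findings surface first. A real scanner adds the fingerprinting step in front of this and pulls its advisories from a maintained feed, but the matching logic is the same.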

A penetration test simulates a real-world attacker taking actions against external and/or internal systems with the goal of breaching your organization’s information security. Unlike a vulnerability assessment, this ethical hacking takes into account mitigating controls and the real impact of a vulnerability. It also brings in the human factor, known as “social engineering”, and chains identified vulnerabilities together to show how far an attacker could actually get, diving deeper into the environment, past the first layer of your systems’ security.

It is ideal to have both of these done. Penetration tests vary in scope and method from one provider to the next, and new vulnerabilities appear constantly, so it is recommended to have your systems tested at least annually.

But why are law firms at risk?

Typically, law firms have not been sophisticated in protecting themselves from cyber risk. Controlling that risk properly costs a great deal of money, and many small and midsized law firms have not been keen to invest in it. Attackers know and understand this.

“Everyone has a plan until they get punched in the face”
Mike Tyson

Cybersecurity is not an IT problem, it is a firm problem. Most enterprise risk management tends to be specialized. The finance department handles financial risks. The legal department handles legal risks. IT handles IT risks. Digital risks span all of those various risks. When determining a plan of action, include various departments as it is important that all areas are in the know and are covered.

Law firms are the keepers of confidential information, from clients’ revenue to their personally identifiable information (PII) such as social security numbers and addresses. Cyber attackers want to capitalize on the weaknesses of law firms, and they will always find the path of least resistance into your protected networks and resources. Research has shown that the weakest point is almost always your users and their credentials. This goes back to the beginning: employees pose the biggest threat.


The American Bar Association’s 2017 Legal Technology Survey Report found that 22% of respondents had experienced a cyberattack or data breach at some point, up 8 percentage points from the previous year.

Let’s Fix This!

Hacks can cost your firm large sums of money and your firm’s credibility. To make steps toward being protected, spending money on the right areas of IT security is key.

  • Have a vulnerability assessment and a penetration test done annually;
  • Implement an incident response plan and a team that meets regularly;
  • Use encryption wherever you can: email, folders, mobile devices;
  • Train your employees to know and understand what these policies are, why they are in place and what to do in the event of a data breach or an attack;
  • Appoint a Chief Information Security Officer (CISO) to establish and maintain the enterprise vision, strategy and program that ensures your information and assets are protected correctly;
  • Solicit board-level involvement to keep everyone on the same page;
  • Purchase the right cyber insurance. Not all cyber insurance is created equal; do your research and understand what a policy covers before purchasing it.

It is not a question of if but when a cyber-attack will happen, and law firms are no exception. Investing now in these measures will reduce the cost of a breach and save you in the long run.

Ready to talk to someone about your firm’s cybersecurity? Withum’s Cyber and Information Security team can help put your firm in a position of cybersecurity strength.
