Cybersecurity for start-up law firms

With advanced digital technology and platforms becoming readily available and used by companies of all sizes, including startups, the risks associated with cyber crime are high and cannot be ignored. All companies must take steps to protect their clients' data and ensure compliance with relevant laws and regulations.


A dangerous assumption that we hear often is “I’m just a small company and I’m not a target, so I can afford to take risks.” This is not true. Most successful cyber attacks start out as indiscriminate campaigns targeting any vulnerable systems they find. These campaigns typically look for technological weaknesses and inexperienced users. They succeed against companies of all sizes.

Start-ups often face three common challenges. First, they rarely consider security when configuring their technology and digital services; their priorities are usually convenience and usability. Second, there is no attempt to educate founding team members and early staff on operating securely in a digital world. Finally, there are no policies or governance in place to document intent and manage risk. Here is some simple guidance based on our experience.

Top tips for startup law firms:

  1. Set up your laptop. Getting this wrong is the most common mistake which can lead to a successful attack. Your laptop needs to be set up by a security expert. The configuration requires you to cover encryption, firewall configuration, user privileges and automated updates.
  2. Email security configuration. The most common attack on legal firms takes advantage of poorly configured email platforms. You need to prioritise setting up the right controls, filters and alerts so that you don’t become a target for cybercriminals. You will usually need to pay a small monthly fee for the business version.
  3. Domain record settings. To reduce the risk of criminals spoofing your email address or faking your website, there are 3 controls that must be set. The typical attack starts when a client's own email is hacked and the criminals discover a legal transaction. They can then pretend, very believably, to be you.
  4. Authentication rules. Usernames and passwords are often stolen. There is a thriving market for these on the dark web. Start by using strong password policies and then add another layer of security through two-step verification, which is fast becoming a minimum standard for insurance purposes.
  5. Data policy. Manage your data footprint. You need to do this to be legally compliant for handling personal data, as well as to minimize the opportunity for criminals. Writing a policy will help set some rules. We find data on mobile phones, in personal drop-boxes, on household computers, etc.
  6. Culture. Find some good cybersecurity training and make sure all staff complete it on an annual basis. This is a minimum requirement.
  7. Anti-Virus Software. Pay for a good antivirus package. Make sure it is on every device you operate from and that it is checked bi-annually.
  8. Back-up and storage. You need to get this professionally set up. This is frequently done poorly, which means that it wouldn’t survive a ransomware or malware attack and you will lose everything.
