1. It Will Never Happen To Us
Cyberattacks are something many legal professionals don’t consider; they read about them happening to others, but why would their firm be attacked? The reality is that, unless adequate countermeasures are in place, every law firm is at risk.
Cybercrime is no longer the preserve of computer “geeks,” operating from their bedroom and causing some havoc for a bit of fun. Today, cybercrime is organised and often sponsored by rogue states or influential criminal organisations.
The information your law firm holds on clients or companies is valuable, and plenty of people could benefit from accessing it. Even if your firm has not been specifically targeted, any exploitable weakness appeals to hackers and cybercriminals.
They will use sophisticated automated attack techniques, including AI. These weapons can monitor your online activities, waiting for an opportunity to exploit. It is too late to get your defences in place when an attack occurs. Therefore, don’t assume cyberattacks only happen to others.
2. We Have an IT Department, So We Are Covered for Cybersecurity
Assuming your IT department has covered you for cybersecurity is possibly the most dangerous misconception. Even if some of your IT support staff have the required cybersecurity skills and experience, they are not the right people for the job.
Firstly, having your cybersecurity team mark their own homework is never a good idea. Secondly, IT support and cybersecurity are two significantly different disciplines. Therefore, you should not expect your IT staff to know everything a cybersecurity expert would.
For instance, your IT support staff are unlikely to know how to handle the following aspects of cybersecurity:
- Defence configuration.
- Latest attack vectors.
- Penetration testing.
- Vulnerability assessment.
- Legal and regulatory requirements.
- Risk assessment and documentation.
- Staff training and testing.
- Governance.
- Drafting a staff cybersecurity handbook.
- Risk management framework implementation.
- Record keeping.
3. Penetration Testing is Sufficient
Even if your penetration testing is effective, it is unlikely to be sufficient. Indeed, many legal firms pay over the odds for penetration testing. Moreover, it is generally carried out within a defined scope and covers only one aspect of your technology.
Rather than assessing and addressing a law firm’s business risks, penetration testing usually only informs you whether a tester was able to breach defences. A thorough vulnerability assessment requires a broader approach, investigating aspects such as:
- Access controls.
- Remote working arrangements.
- Data transfer.
- Mobile phone security.
- Back-up configurations.
However, penetration testing only provides a technical report without prioritising its findings within a business context. Neither does penetration testing offer any help with cybersecurity training or governance.
4. Badges Provide Protection
Achieving badges like Lexcel or CE doesn’t mean you have any defence against cyberattacks. Lexcel is a practice management standard, and CE is awarded for achieving five basic technical levels. Neither provides adequate cybersecurity, and relying on either is inviting a security breach.
5. Using the Cloud Makes You Secure
Another common misconception is thinking the cloud provides total security. This is certainly not the case. If you outsource your data storage to the cloud, you rely on the cloud providers to keep you “safe.”
Even if your providers’ own cybersecurity is tight, you still need to ensure your own procedures are in order: access controls, collaboration arrangements, how you transfer data, and so on. Law firms that use the cloud often fall into a false sense of security, leaving them more vulnerable.
6. Off-the-Shelf Security Works
When it comes to cybersecurity, there is no one-size-fits-all solution. Therefore, purchasing an off-the-shelf cybersecurity training package is generally ineffective.
Of course, it demonstrates an attitude of doing something proactive about cybersecurity. However, your efforts will generally be wasted. That’s because effective cybersecurity requires a change of behaviour. Therefore, it needs to be bespoke to your law firm.
Off-the-shelf security training seldom covers the latest attack techniques. It neither tests staff on what they’ve learned nor exercises them with simulated attacks.
These aspects of security training are crucial as they highlight the fact that most cybersecurity incidents occur due to human error. For instance, they demonstrate the dangers of trusting unsolicited emails, clicking unknown links, and putting detailed information on social media.
7. We’ve Done Our Cybersecurity
Cybersecurity is not something you can consider “done.” Attack techniques are constantly evolving, and so too should your defences. Indeed, cybersecurity is an ongoing process requiring continuous review and adjustment.
Continuous cyber risk management will ensure you have adequate controls and policies in place to protect your firm. Moreover, companies are now legally required to do so.
Your clients chose your law firm because they trust you. Failing to provide adequate cybersecurity measures means you are breaching that trust. Understanding these seven cybersecurity misconceptions will hopefully help you stay protected and keep your clients.