Here are your six cybersecurity resolutions for 2021

David Fleming, chief technology officer at Mitigo, gives his six top cybersecurity resolutions for law firms in 2021.

If last year taught us anything, it’s that it’s never been more important to allocate resources to mitigate risk and unexpected challenges. Cybercrime, with its ever-increasing prevalence, is one of those risks. The start of a new year is always a good time to start planning. Here are my suggested 2021 cybersecurity resolutions for law firms.

1. Invest time to understand your risk from cyber attacks

Cyber attacks are indiscriminate – they hit any vulnerability they can find. Get the right group of experts together to assess your risks, and then consider the controls you have in place to reduce that risk, for example policy, training, software and support. Consider investing in a vulnerability risk assessment that can guide you on where to start.

2. Get your remote connections fit for purpose

Since the pandemic started, cyber criminals have had a field day compromising poorly set up remote connections. In the rush to connect remotely, speed was prioritised over security. Make sure your connections are fit for purpose in 2021. This includes logins to cloud platforms, VPN connections to the office and all versions of remote desktop control. And pay extra attention if you have allowed staff to use their own computers.

3. Stop assuming your IT support have this covered

The law firms that got hit last year still assumed this. In our experience, IT departments do not look after cybersecurity in general because they are not risk or cyber experts and, frankly, you are not paying them to shoulder this responsibility. This assumption can stop firms from acting at all.

4. Change employee habits through training, testing and simulation

All the incidents we investigated last year had an element of human error. Good resolutions change bad habits. This includes link-clicking, alert-ignoring, update-delaying, data-synching… I could go on. Best practice is to follow up training with simulated attacks on staff, such as a pretend email phishing campaign, to strengthen a defensive culture.

5. Write and communicate a mobile phone policy

Do not forget mobile phones. Personal and work mobile use can be necessary for business. But have you got a policy for it, with the necessary controls in place? Cyber criminals increasingly rely on mobile phones as an entry point into company systems. Once you have agreed what your policies are, you will need to configure your technology to support your approach.

6. Prove to yourself that your back-up actually works

Most back-ups that we check will not survive a ransomware attack, because they are poorly configured. Have you ever had this checked? Is it still operating correctly in this remote working world? Staff may have started storing files locally for convenience or even using third-party storage. Have you still got control of your data footprint?

This is not an exhaustive list, but I hope it will get you thinking about this subject, because it isn’t going away. Indeed, cyber criminals are more organised than ever, and their attacks are increasingly sophisticated. It is a lucrative business for them, so they invest money and resources into constantly improving their game. I suggest you use the start of 2021 to do the same.

The Law Society has partnered with Mitigo to offer technical and cyber security services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email
