Cybersecurity: actions for 2022
Millions of cyberattacks will take place across the UK in 2022 and many thousands of businesses will be seriously affected; this will include law firms.
The firms which avoid damage will be those that have taken proactive steps to protect themselves.
Cybercriminals earn huge sums from their activity, and the sheer size of this opportunity means that attacks will inevitably increase in 2022.
The advancement and availability of attack technology, and the growing use of artificial intelligence (AI), means that criminals can now discover and evaluate opportunities in every business, whatever the sector, regardless of the size.
So, we need to start by understanding your vulnerabilities.
A successful attack can make money for the criminals in a number of ways.
They may trick a human (such as a member of staff, a customer or a supplier) into sending money to a fraudulent bank account.
Or, they may steal something valuable such as sensitive confidential proprietary or client information, in order to blackmail you into paying a ransom for its return.
That confidential information may also then be used to attack your clients or attempt to extort money from them too.
Ransoms are also frequently paid in order to regain business functionality, after criminals have encrypted data and systems. Encryption is the conversion of data into a form that cannot be easily understood by an unauthorised person. It can only be read or decrypted by those with the correct key.
Criminals find their way into your practice through the gaps in your defences; these are known as vulnerabilities.
At Mitigo, we assess many law firms each year, and set out below are the areas we are currently finding provide most opportunity for the criminals. I suggest you read through the list noting where the risk applies to you.
Staff working away from the office provide ample opportunity for an attack. Ask yourself; have you reviewed your remote working set-up from a cybersecurity perspective?
Mitigo have a helpful video with some pointers on how to tell how well you’ve set up your remote working.
Cloud email accounts
Thousands of email accounts are hijacked weekly and exploited by criminals.
The two most important things you need to review are:
- authentication methods: relying on username and passwords alone is not enough. Typically, over 20% of untrained staff fall for the simulated phishing email attacks that we run for clients. This is how usernames and passwords are stolen
- spoofing controls: ask your technical support if they have set up Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based message Authentication Reporting and Conformance DMARC. You should be worried if they don’t know what you are talking about
Some of the biggest cyberattacks last year happened because of poorly maintained technology.
Having an effective patching regime is critical to your cyber resilience.
Two huge cyberattacks in 2021 took place when critical security patches were released by suppliers, which in turn notified everyone (including criminals) of newly discovered software flaws.
Staff digital behaviour
Most successful attacks rely on human error at some stage, which is why staff training, combined with proper governance, is so important.
- Passwords: how disciplined are you? Do staff use strong passwords, and do they know how dangerous it is to use work emails and passwords for non-work purposes? Do you really know if the rules you set are being enforced?
- Information transfer: are you really in control of the way data is transferred and stored? Could company information be easily found in G-drives, Dropbox, and on WeTransfer?
- Speed and trust: how quick are staff to trust and press links on their mobile phones? Might your staff fall for the criminals’ ever more sophisticated tricks?
At its worst, using cloud services can mean loss of control and a lack of risk visibility.
Supply chain weaknesses
Third parties who provide services to your organisation are often one of the weakest links in your cybersecurity.
Most commentators are predicting a growth in supply chain attacks this year. The National Cyber Security Centre (NCSC) have published a good explanation of the risks involved.
Cybersecurity action plan
Cybersecurity vulnerability assessment
You must start by identifying your biggest risks and the vulnerabilities, so they can be addressed.
The list of common vulnerabilities mentioned above is a good starting point for this process.
Consider how well each of those areas has been set up. Do you have evidence that cybersecurity has been properly considered?
Make sure you review where your valuable information is kept and the way your payments process operates, as these are common targets.
You may have heard of cybersecurity buzz words like penetration testing, vulnerability assessments, and network security scanning, which will all help you assess your vulnerability to attack. A good starting point would be to use our assessment tool.
Define how the business will work to reduce risk: for example, clearly define acceptable personal use of a work device.
We recommend that you focus your policy in key areas; digital usage and behaviour, passwords and access management, and information storage and transfer. Then, make sure all staff are aware of the rules and what is expected of them.
You must have a defined policy in place for software patching, back-up testing and virus protection to include clarity on actions and responsibilities.
It is also important that you find a way of measuring compliance.
This may sound onerous, but it is absolutely necessary and an expectation of your regulators and the Information Commissioner’s Office (ICO).
Vulnerability closure, strong controls and alerts
Once you have completed the steps above, you need to make sure that you close the vulnerabilities identified, technical policies are implemented and the right system controls are set up to protect you.
It is essential that someone suitably qualified advises on how properly to configure your software and hardware from a security perspective.
The work here obviously depends on how your firm operates, but here are just three examples of what we look for during our assessments.
- Anti-virus software: is it on every device; is it being kept up to date; can it be locally switched off; has it been ‘loosened’ too much and is someone centrally viewing the critical alerts?
- Windows network patching: are Windows patches being deployed on time to laptops, PCs and servers? How long can a laptop go without a critical patch being deployed?
- Email account login failures: if you are on Office365 someone should be being alerted to suspicious login attempts and you should be configuring the controls to restrict who has access to your systems
Cyber security training
Make sure that regular training keeps staff alert to the risks.
It’s time to invest in some good cybersecurity training, and we believe that having simulated attacks done frequently will improve your cybersecurity culture.
Incident response planning
Yes, the worst does sometimes happen. In most cases that I have been involved with, fast, pre-planned emergency response arrangements can massively reduce the impact on your business.
This is a subject for another article, but start by getting the key people in a room and discussing how you would go about dealing with a ransomware attack.
Write down your plan, communicate it and practise it.