Recent evidence from the Law Society revealed that more than a quarter of law firms in England and Wales were targeted by fraudsters in 2016, with most attempted scams taking place online. This statistic is fairly unsurprising. The way in which information is shared, the handling of client-sensitive data and the high volume of email traffic make the legal sector an obvious target for the criminal underworld.
Trying to stay on top of threats and scams can often be a daunting task but for those looking for some simple and practical advice, there are a number of steps which can be taken.
Knowing what to look out for is a crucial starting point, especially when considering that it only takes one person to open an unsolicited email and attachment to compromise an entire organisation. Firms need to make sure employees are able to identify potential phishing emails. It is easy to spot a bad phishing email with poor formatting and grammar, but sophisticated and targeted attacks are less obviously suspicious. Employees must also understand the procedures to follow in the event of a breach or infection. Fast action will help to get incidents under control quickly, reducing the amount of damage caused.
Regular training and education play a vital role. Awareness training is often only carried out yearly or as part of an initial induction, but this needs to be increased. Employees need regular security refreshers throughout the year, at least twice annually, not only to address any new threats, but also to ensure that security remains front of mind. The threat landscape is constantly evolving and maturing, and it's vital for organisations to keep pace. It's very easy for employees to go through awareness training but, six months later, to have forgotten what they've learnt as day-to-day tasks take priority. Good security practices need to become habits.
For smaller practices, which typically might not have the necessary infrastructure or personnel in place, schemes such as the government's Cyber Essentials Scheme (CES) provide advice and guidance for those taking their first steps into cyber-security and also support those looking to improve existing processes.
An effective line of dialogue between the IT department and the rest of the business is also needed. All too often, IT departments handle incidents in the background with only key senior individuals alerted to a virus or an attempted hack, but what about the rest of the organisation? If threats aren't communicated internally to employees, then how will they understand the dangers facing the business? Clear communication from the wider business back to the IT and security teams is also vital, so that the IT team can understand whether security processes are too restrictive or unintuitive and are hindering staff's ability to do their jobs competently. Asking the right people the right questions will go a long way to improving adherence to IT security practices, ultimately boosting the security posture of the whole organisation.
Additionally, this all needs to be supported with effective backup capabilities. Good preventative measures and an aware and educated workforce will minimise the chance of a breach, but it is impossible to prevent every attack. If an attack has been successful, you must Isolate, Identify, Cure and Communicate.
In order to minimise downtime and data loss, you must have frequent backups taken before the infection and the ability to restore those systems quickly. In day-to-day operations, backup can become an afterthought, with more 'visible' activities like hardware upgrades or managing new software installations taking priority. For backup to be effective, however, it needs to be managed, monitored and tested regularly.
Contributed by Peter Groucutt, managing director at Databarracks
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.