Human error is one of the leading causes of data breach for UK law firms. What can your firm do to reduce the risk of suffering a data breach – and potentially reputational damage and GDPR fines – as a result of avoidable human error?
Law firms throughout the UK are under attack from motivated cybercriminals who want to access the legally privileged information they hold. But it’s not just cybercriminals that law firms should be wary of – their own users are actually a leading cause of data breach.
Through a recent freedom of information request to the Information Commissioner’s Office (ICO), one specialist found that 48% of the top 150 law firms had reported data breaches since the GDPR came into force. Of those breaches, 41% were the result of emailing the wrong person.
Depending on your perspective, this is either comforting – as these errors should be easily avoidable – or deeply frustrating. Either way, these human errors are inherently avoidable. The right combination of people, processes and technology will prevent human error leading to data breach.
In this blog, we’ll show you how.
While ill-disciplined users can cause your law firm a serious cyber security headache, well-trained users can form your first line of cyber-defence. Carry out security awareness training with all of your users so they are aware of the risks they face – whether from phishing emails, ransomware, business email compromise, or any of the main cyber-attack methods cybercriminals use.
Reiterate the importance of staying diligent, even when working from home. Studies suggest that users are less careful when working from home than they are when working from the office. If your law firm intends to adopt an agile working approach, this can’t be the case.
And finally, consider setting policies dictating that users should send emails containing legally privileged information from their desktop or laptop – never from a smartphone. Users are much more likely to email the wrong people from their smartphone than they are from their workstation.
Business email compromise attacks leverage persuasion tactics and gaps in processes to convince users to do things they shouldn’t – whether that’s sending money to illicit bank accounts, leaking legally privileged information, or providing access to hackers to get onto internal systems.
When it comes to processes, there’s always a balance to be struck. The most stringent processes could probably prevent 99.9% of persuasion-based cyber-attacks, but would also potentially stop your law firm from getting anything done. In order to minimise the risks your firm faces from user error, implement processes and governance that protect you and your clients when sending emails containing legally privileged information.
Your partners may not like it, but the simple fact is that in 2021 all access should be protected through multi-factor authentication as standard. Multi-factor authentication prevents hackers from accessing your systems even if they are able to crack a user’s login credentials.
MailTips in Microsoft 365 includes useful functionality like External Recipients and Large Audience that helps users help themselves and stay safe when using Outlook. External Recipients shows up for messages sent to external domains, which is useful for spotting impersonation domains set up to look like your law firm. Large Audience shows up whenever a message is going to be sent to many recipients. This is a great tool to prevent users hitting the dreaded ‘reply-all’ and sharing legally privileged information with audiences who shouldn’t be seeing it.
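The MailTips described above are controlled at the tenant level in Exchange Online. The following is an added example, not code from the original post, showing how an administrator can check the current settings and then turn on the External Recipients tip and lower the Large Audience threshold; it assumes the ExchangeOnlineManagement PowerShell module is installed and that the account used holds an Exchange administrator role.

```powershell
# Added example: audit and harden Exchange Online MailTips for External Recipients
# and Large Audience. Requires the ExchangeOnlineManagement module and an admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; MFA is enforced by the tenant policy

# Step 1: record the current state so the change can be reviewed or rolled back.
$before = Get-OrganizationConfig |
    Select-Object MailTipsAllTipsEnabled,
                  MailTipsExternalRecipientsTipsEnabled,
                  MailTipsLargeAudienceThreshold
Write-Host "Current MailTips configuration:"
$before | Format-List

# Step 2: enable MailTips overall, enable the External Recipients tip, and
# set the Large Audience threshold. The threshold value (15) is an assumption
# chosen for illustration; tune it to the size of your firm's usual distribution lists.
$largeAudienceThreshold = 15
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
                       -MailTipsExternalRecipientsTipsEnabled $true `
                       -MailTipsLargeAudienceThreshold $largeAudienceThreshold

# Step 3: verify the change actually took effect rather than assuming it did.
$after = Get-OrganizationConfig
$ok = $after.MailTipsAllTipsEnabled -and
      $after.MailTipsExternalRecipientsTipsEnabled -and
      ($after.MailTipsLargeAudienceThreshold -eq $largeAudienceThreshold)

if ($ok) {
    Write-Host "MailTips hardened: external-recipient warning on, large-audience threshold $largeAudienceThreshold."
} else {
    Write-Warning "MailTips settings did not apply as expected; review the output above."
    $after | Select-Object MailTipsAllTipsEnabled,
                           MailTipsExternalRecipientsTipsEnabled,
                           MailTipsLargeAudienceThreshold | Format-List
}

Disconnect-ExchangeOnline -Confirm:$false
```

Settings changed with Set-OrganizationConfig can take some time to propagate to Outlook clients, so re-check with Get-OrganizationConfig before concluding a change failed.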
Cyber Security for Law Firms
Cybercriminals are persistent, resourceful and adaptable, and there is no single solution to protecting your law firm from all cyber-attacks. However, by applying the measures listed above and combining them with a mature cyber security model that incorporates people, processes and systems, you will enhance your firm’s cyber security posture and reduce the chances of suffering financial, operational and reputational damage as the result of an attack or a data breach caused by human error.
Our new eBook Cyber Security for Law Firms highlights the seriousness of cyber security, how cyber-attacks can have a detrimental effect on a law firm and its reputation, and how firms can implement agile working practices, expanding the workspace while continuing to safeguard their systems and data from potential security vulnerabilities.