One of the main issues discussed at our National Conference in London was how your colleagues are an equal, if not greater, cyber risk to your law firm than your clients, especially when it comes to accessing your data, systems and office.
Here are 5 behaviours you may need to address to help better protect the best interests of your firm and your clients from a cyber attack:
1. They assume it isn’t their job to worry about cyber crime
There is a risk that your colleagues simply think it isn’t their job to worry about cyber crime.
There are 2 main schools of thought on this. In small firms, there can be an assumption that they are too small to be targeted by cyber criminals as they don’t handle large transactions, whilst in bigger firms there can be an assumption that another department is probably taking care of it.
The truth is that everyone needs to be aware of cyber crime and understand the steps they can take in both their personal lives and in the office to protect their own best interests, as well as those of their firm and their clients.
2. They are too trusting of strangers entering the office – and even hold the door open to let them in
It is human nature to want to hold the door open to an engineer carrying something heavy, or to help someone in a wheelchair, trusting that they have a legitimate purpose to be entering your office environment.
However, wearing overalls or a lab coat, carrying something heavy, and even using a wheelchair are all techniques that have been used by cyber criminals to take advantage of our willingness to trust one another – and gain access to areas they shouldn’t be in.
The only way to stop this from happening is to make all of your colleagues aware of these risks and keep them vigilant. For example, train your employees on building security processes, place posters near doors, and send out regular reminder emails.
3. Their password is “password123” – and has been since 2012
Password protection is typically a good way to restrict access to sensitive information; however, the benefit of this can be undermined if your colleagues are too relaxed about the strength of their passwords.
Best practice is to use a strong, complex password which is changed regularly.
Company processes whereby passwords automatically expire once a month, or even once a day, can help to ensure that they are being changed regularly across the company.
Also challenge your colleagues on where they are storing their passwords. The strongest password in the world is as good as useless if it is written on a post-it note stuck to the computer!
4. They automatically give temporary workers and interns the same access as permanent staff
From facilitating work experience placements, to supporting team members on maternity leave, there are many reasons for a firm to have temporary workers in the building.
While your core team may want to be welcoming, these temporary members of staff carry their own level of risk, especially if they are given automatic access to all of your systems and data.
Reviewing your induction processes for these new, temporary employees and the data sources they have access to can help to ensure they only use the systems they genuinely need.
5. They give ex-colleagues the benefit of the doubt as they leave the firm
Do you know if your ex-colleagues still have access to your systems? If you aren’t sure, it is worth investigating to find out more about your employee exit processes.
For example, check whether their access to key systems containing client data, email accounts and file sharing systems has been disabled, and whether their passwords have been changed.
It is best practice to make this a priority on a colleague’s last day with the firm, or even beforehand if you are concerned about the information they may try to take to their next job.
Whilst it is rare for an ex-employee to use their unrestricted access to construct a targeted attack, law firms shouldn’t underestimate the impact of an ex-employee accidentally losing sensitive information as they clear out their paperwork, or sell on their smartphone.
There is also a risk that unmanned usernames can make it easier for a cyber criminal to log into your systems undetected, as it will look like legitimate activity.
There is no magic cure
While there is no magic cure to protect your law firm from cyber criminals, investing time in developing best practice behaviours in your day-to-day working environment is a key way to help mitigate the risk of an attack.
This is part of a series of content we’ll be delivering on cyber crime, and just one element of the people risks involved.
Stay tuned for more articles and webinars.