Posted by Joanne Hunter, head of marketing at Legal Futures Associate Select Legal Systems
Many managing partners will, I’m sure, now be breathing a huge sigh of relief because they’ve achieved homeworking for so many of their staff, so quickly and with relative ease.
However, don’t breathe too soon! What law firms need to think about now, and urgently, is their cyber security, and how they can ensure the people they have set up at home are working just as securely as they were when they were in the office.
Due to the nature of their work, law firms are obvious targets for cybercriminals. With so many workers accessing systems from home, cyber-threats for law firms are heightened many-fold.
Here are our top eight security tips for any law firm that has staff working from home.
Put a reporting mechanism in place for your people
Make sure staff know how they can officially report any security concerns or problems they have whilst working from home, so that your IT support are fully aware of any potential threats to the business.
People who don’t work in IT may not realise the significance of a cyber-threat, and if you don’t make lines of communication available so they are able to report their concerns, they may not alert the right people promptly enough, which could have a detrimental effect on your firm’s cyber-security.
Ensure everyone has strong passwords and two-factor authentication
Review your practice-wide password policy to make sure everyone in the business is setting strong passwords and using 2FA (two-factor authentication) wherever relevant. The National Cyber Security Centre advocates using three random words for your password(s), for example ‘3redhousemonkeys27!’.
People should choose random words that are memorable only to themselves, but that other people cannot guess. Social media accounts can give away vital clues, so your people need to think about this when setting passwords. Many of us do this unwittingly every day. Chances are your passwords, or clues to them, are plastered all over your social media posts without you even realising it.
NEVER use the following personal details for your password(s):
- Your partner, children, family, pet names or nicknames;
- Your place of birth;
- Your favourite holiday destination; or
- Words relating to your favourite sports teams.
Cyber criminals know all the tricks of the trade, so using simple substitutions such as ‘Pa55word!’, for example, is something that should be avoided by all staff whether working from home or the office. There is lots of excellent advice on the National Cyber Security Centre website about passwords and 2FA.
Keep all devices safe
Across the country, home workers are using a combination of their employers’ and own devices for home working. Either way you need to make sure your staff understand the risks of using devices outside of the office for work purposes.
Firstly, all devices used for work, wherever they are, should be running the most recent software for both operating system and applications, including anti-virus software, of course.
Make sure your people know what you expect of them in terms of keeping their devices safe whilst away from the office. Also, they need to know what you want them to do if their device(s) is ever lost or stolen. Reporting lost devices as soon as possible will help your IT people to keep your firm safe.
Switch on encryption
Devices are more likely to be lost or stolen when you have staff set up for home working.
Most modern devices have encryption built in, but it may need configuring or switching on. Ensure all devices that are being used at home by your workers are set to encrypt data while at rest.
Use mobile device management
It’s a good idea to set up all your home-working devices with a standard configuration so that your IT people can lock them or delete data from them remotely, using MDM (Mobile Device Management).
Have a VPN in place
Having a virtual private network (VPN) in place provides an additional layer of security for home workers accessing your firm’s practice management system, email system etc. If you are already using a VPN, make sure it is fully patched. You may need extra licences, capacity or bandwidth if you’re supporting more home workers.
Your users should avoid using free WiFi hotspots without a VPN, which ensures their device’s traffic is encrypted and harder for a cyber-criminal to intercept.
Empower your staff to spot scams, risks and threats
Make sure your staff understand the risks of clicking on links and attachments in digital correspondence. For instance, people should be wary of emails and text messages that contain links and attachments. Users should avoid clicking on either unless they are absolutely sure of the validity of the sender.
Sophisticated cyber-criminals prey on businesses and individuals every day, and Covid-19 just gives them another opportunity. Coronavirus scam emails are doing the rounds – some encouraging people to donate to help our doctors and nurses, others offering fake news about cures, vaccines and infection maps.
Scam links of this nature will send your users to dodgy web pages that could download computer viruses or steal passwords, either of which could put your whole business network at risk. Law firms need to alert home (and office) workers to the additional risks, and remind them to take care.
Please make sure your staff are absolutely clear that they must not click on links or open attachments willy nilly. For genuine information about the pandemic they should go only to trusted resources such as Public Health England and the NHS.
The National Cyber Security Centre offers free online cyber-security training for UK companies.
If you, or a member of staff, have already clicked on something suspicious – try not to panic.
The first thing to do is let your IT support know and then open your anti-virus software and run a full scan, following on-screen instructions. This should pick up any real threats. Liaise with your IT support about the results of the scan.
If you’ve been tricked into sharing your password, you should change it immediately, and to make doubly sure change your passwords for all your other accounts. Again, liaise with your IT support about what’s happened.
If you have lost money, you should report it as a crime to Action Fraud. Keep your IT support in the picture.