Posted by Jennifer Williams, head of IT and security specialist at Legal Futures Associate Lawyer Checker
Most law firms recognise the need to protect themselves from cyber security and data breach issues originating from the outside world.
This means that most firms will have things like firewalls, email encryption etc. However, there is an alarming growing trend that is much harder to spot – the insider threat.
Approximately 75% of cyber incidents are caused by insiders. These tend to fall into one of three categories:
- Careless insiders are perhaps the most common threat to firms. These employees pose risks such as having weak passwords or leaving equipment unattended;
- Exploited insiders are often well-meaning and totally innocent employees that are tricked or engineered into providing data that they shouldn’t;
- Malicious insiders are much less common but the level of damage that they can inflict is amplified by their desire to cause harm
Knowing what steps to take to protect yourselves from these insider threats can cause a headache for law firms.
It’s difficult to find the balance between protecting your business assets and making staff feel trusted and valued. Also, ensuring that your staff feel empowered and confident enough to report any cyber threats is something that should be encouraged.
Here are some steps that you can take to protect your firm against these insider threats and enable your staff to feel more confident in reporting suspicious behaviour.
Cyber security should be at the forefront of everyone’s mind. It’s not something that is restricted to one person, or one department. It has to be adopted and embraced by everyone in the firm.
Everyone who joins the business should be given some form of ‘cyber hygiene’ training. This can be as basic or as complex as you like. However, this training should be implemented before your new starter is given any equipment or log in details.
Some aspects that the training could cover include: how to create strong passwords; how to spot phishing emails; and the procedures they should follow if they feel like their account has been compromised, or they’ve clicked on a link they’re not meant to.
Refresher training should also be offered to members of the team who have been there for a long period of time. Bad habits can begin to slip in, as busy work lives take over and ease and convenience override the need for security.
Knowing who your employees are is vitally important. Gathering references is key, but how much do you really know about them from that point? Who are the referees? In what capacity have they known your prospective employee? Do the references look genuine?
Some businesses run background checks, including a Disclosure and Barring Service (DBS) check. This check is done regardless of the position the employee is starting in. This can be from a new administration assistant to a senior member of the board – no one should be exempt.
This DBS check gives you, as the prospective employer, an extra level of reassurance, that the new starter hasn’t got a murky past regarding cyber-offences which could detrimentally impact your business.
A strong access control policy
You wouldn’t give everyone in your firm keys to the front door or the safe. The same can be said in relation to your cyber infrastructure.
Ideally, you restrict the number of people who hold administration privileges for your computer networks. This way you can potentially pinpoint any ‘insiders’ who have used your infrastructure for malicious means.
Granting standard access levels for each role should be a blanket policy which is rolled out across the firm. However, if a new starter needs administration privileges, these should not be granted until after they’ve passed their probation period with the firm.
Robust HR procedures
The three riskiest times for insider threats for a law firm are when someone joins the organisation, leaves it or changes roles.
When someone leaves your firm, you should endeavour to remove all access rights and reassign their computer records to another owner as soon as possible. This is done to prevent the terminated employee being able to access their account remotely and remove files or act in another inappropriate way.
When someone changes role, you may need to alter their access rights as appropriate to ensure they have the correct level of access they need to support them in their new role.
Communication with staff
Openness is key. Staff need to feel comfortable in reporting issues, for example, that they accidentally clicked on the malicious link. At the same time, they should be aware that knowingly causing a serious breach will be dealt with seriously.
Building a positive cyber-culture is key, but requires the right balance to ensure it thrives in a firm. Empowering people but now restricting them is key. It’s all about finding the right balance.
Use gut instinct
If someone is using their admin credentials whilst on holiday, logging on in the middle of the night from home or performing activities that just don’t feel right, this warrants investigation. Often just asking why is enough to make a malicious insider feel like they’ve been rumbled.