7.2 Identify the Threats

To protect yourself, your firm and your clients, you need to be aware of the various threats to your computer and network security, which include: 

External hackers 

One of the most pervasive images in popular media is that of the hacker or cybercriminal: a mysterious, highly intelligent and shadowy rogue who can penetrate even the most secure networks from a distant, hidden location.  

Reality is somewhat different. Cybercriminals employ a range of sophisticated techniques to gain unauthorized access to sensitive information, including phishing, malware and ransomware attacks. While these strategies present real risks to law firms, they are less sophisticated than the computer wizardry often depicted in TV and movies. As a result, while you need to develop a strategy for dealing with external threats, there are widely available and relatively straightforward solutions you can employ to protect your computer systems.

Internal breaches  

While we often focus on external threats like hackers and cybercriminals, these are not the only, or even the primary, threats to law firms. Or perhaps it is more accurate to say that the action of a cybercriminal alone is usually not enough to breach your computer or network security.  

Rather, internal breaches, whether intentional or accidental, are often overlooked even though they represent one of the greatest dangers to your law firm's security. Employees can inadvertently expose sensitive information through “phishing” emails, messages, texts or websites. Phishing is one of the most common ways that external hackers deliver malicious programs. Phishing emails may include links to harmful sites, contain infected attachments or be part of a social engineering scheme seeking to gain access to your account information and passwords.

Phishing is a form of “social engineering”, which is an attack that uses human interaction to obtain confidential information about an organization or its clients. In social engineering schemes, the attacker typically poses as a reputable person representing a legitimate business or organization, such as a client, vendor, bank, government agency or even another member of your law firm. By doing so, the attacker attempts to gain personal or financial information not by “hacking” your system per se, but by persuading you or another member of your firm to give out information to the attacker or allowing them access by clicking on malicious links.  

You can learn more about how to identify common red flags of phishing emails through the Government of Canada’s Get Cyber Safe resources. However, you should be aware that these threats are constantly evolving. To deal with them, you need to make sure your computer security systems are up to date, and you should also consider annual training to keep up with emerging threats.

While phishing is one of the most serious cybersecurity threats, there are other sources of internal breaches. Unlike phishing, which usually involves an unintentional breach, sometimes an individual in an organization can exploit their access and intentionally access and compromise data. Reasons vary: internal breaches can be motivated by personal financial gain, revenge, political or ideological beliefs, or simply carelessness. Ultimately, you will need to ensure that your security systems can defend against both internal and external threats. 

Theft or physical loss of equipment  

The external and internal threats described above exist largely in cyberspace. But the physical world also presents real security threats to law firms.

Theft remains a serious risk for lawyers. Whether targeted or random, portable electronic devices make ideal targets for thieves. Every year in Alberta, lawyers’ desktop and laptop computers are stolen. These thefts are from law offices, lawyers’ vehicles, coffee shops or from homes. This same threat applies to external hard drives (including thumb drives), photocopier hard drives and mobile devices. The more portable something is, the more important it is to ensure that the data is secured. 

Electronic devices, especially small ones, can also be lost or stolen. For example, it is easy for a mobile phone to fall out of your pocket or to misplace a thumb drive.  

Natural disasters can also be a risk in Alberta. For example, many businesses were affected by the Fort McMurray wildfires and the 2013 Calgary Flood. And fires and flooding can occur at any time in a home office or office building, with potentially catastrophic losses. 

Consider the following:  

  • What would you do if your laptop or cellphone were stolen?  

  • Is there confidential client information stored on them, or are they only used to access data located back at your office?  

  • Are they automatically and regularly backed up?  

  • What if all the computers in your office were stolen or destroyed in a flood or fire?  

  • Would you be able to recover that information?  

  • And would anyone else be able to access it if you are unable due to sickness or injury? 

 You need to have a contingency plan in place in the event that your physical devices are lost, destroyed or stolen.  

Last modified: Friday, 6 February 2026, 9:37 AM