Last week David joined fellow panellists Quinton Kotze, Cyber & Technology Product Manager – Australia and New Zealand, Chubb Insurance, and Leisa Flately, Practitioner, Risk Expert and Lecturer – The College of Law, along with moderator Terri Mottershead, Executive Director, Centre for Legal Innovation (Australia, New Zealand and Asia-Pacific) – The College of Law, in an interactive workshop designed specifically for sole practitioners, directors or employees of a small practice in the legal space.
The COVID-19 pandemic has been a challenge for cyber security even in the most prepared of organisations. We now have practitioners working flexibly and practices having to accommodate a remote workforce.
In fact, with a 300% increase in cybercrime since the pandemic started (as reported by the FBI), the landscape has substantially changed.
We are now protecting twice as many devices with people working from home, and those devices need the same level of protection as in the office. Home computers are also often shared with family, which increases both the threat and the vulnerability.
As part of the panel discussion, David noted that staff security awareness training has become paramount in ensuring staff have the knowledge to stop and consider a threat; it is something FortiTech now include with all new clients.
Another factor is staff isolation: there is less water cooler talk about issues, including cyber security, so ongoing engagement is needed to keep things front of mind. Add to that the increased risk of people operating between office and home, where devices could accidentally be left on public transport.
With all of this in mind, the workshop focused on:
- how your practice could be vulnerable to a cyber attack
- the legal tech and risk management solutions your practice should have to prevent, minimise and/or prepare for a cyber-attack or data breach
- the consequences from a risk, insurance and ethical perspective
- how an insurance policy could assist you to respond to a cyber attack
- the steps you should follow before, during and after being confronted with a data breach event
Having previously presented a webinar on setting up the technology for a legal practice, David was able to share his knowledge with the group and build on the expert advice given by Leisa and Quinton.
Notably, Quinton highlighted that insurance, even the free policies included for members of the Queensland Law Society (underwritten by Chubb), was essential, whilst Leisa pointed out that good breach and disaster recovery plans are the foundation of any practice's risk management approach.
David highlighted a list of quick bare necessities a law practice should have:
- Computer operating system and application updates (to prevent exploits of known software faults)
- Endpoint Detection and Response, the new breed of Antivirus product
- Firewalls with web filtering to protect from compromised websites
- Assuming they run Office 365 (and who wouldn't, after the recent widespread exploitation of on-premise Microsoft Exchange email servers), the tenancy needs to be securely set up (FortiTech have a 32 page guide on this), and in particular multifactor authentication must be enabled for all users.
- Backups for Office 365 data including SharePoint
- Email filtering to limit phishing attempts and spam email in general
- And lastly, a password management tool along with strong passwords that aren't reused.
In fact, to make this easier for our smaller clients, FortiTech provide it as a bundle, so good security need not be expensive or hard to get in place. These bundles start from as little as $25 per month, per device.
David then focused on further preventative strategies that a practice could put in place:
- Ideally at every stage you want to make it as hard as possible to get to the next layer of your technology infrastructure
- Reconnaissance – limit what information you post online that could be exploited such as personal information on social media
- Weaponisation and delivery – have in place tools that can recognise zero day threats based on the activity of the exploit, and filtering to catch as many as possible before they get inside
- Exploitation – make sure devices are maintained and known exploits are patched
- Installation – prevent installation with tools such as End Point Detection and Response (EDR)
- Command and Control – firewalls and EDR to prevent communication, along with Data Loss Prevention (DLP) to protect against loss of information
- Lastly undertake security awareness training for your team to ensure they know what to look out for and what to do when all the technological controls are breached
And if the worst case strikes, here is what you will need to do to restore your systems and prevent this happening again:
- Backup all data and use the 3-2-1 rule (3 copies, 2 locations, 1 offsite)
- Test restoration of backups regularly; automated tools exist to make this a daily exercise
- Before restoring make sure to use breach remediation tools to ensure your technology environment is actually clean and that there are not hidden threats installed
- Make sure you have the security basics in place as part of your remediation.
At FortiTech we are encountering more and more small legal practices in need of guidance and support for their technology landscape. If your practice is one of this growing number, then why not get in contact with us for a no obligation discussion.