Risk areas to consider

A firm's computers, servers, storage, phones and network are all vulnerable to cyberattacks. Issues occur when the network has not been properly secured and the security settings on device are not configured correctly.  

Without proper training staff can be your most significant vulnerability. Cybercriminals will exploit staff who do not think before clicking on weblinks, email attachments and even social media videos. Passwords in the workplace may be weak, re-used and shared as staff prioritise convenience over security. Insider threat from unhappy staff is also an issue if policies and procedures are not effective.

Personal devices such as phones, tablets and laptops are increasingly used for work purposes, especially for the mobile workforce. These are easier to attack than corporate IT equipment, which often has more restrictions and protections. Personal mobile phones may be allowed to connect to the office Wi-Fi, which can provide cybercriminals with access to critical data and information.

It is increasingly common for law firms to use cloud portals and platforms provided by third-party software suppliers for document management and practice management. This can become an exploitable vulnerability if supplier due diligence is not thorough and security configuration is not applied and maintained.

Staff working remotely, when travelling or at home, are more inclined to make compromises on security by using personal email accounts, insecure connections, personal social media accounts and browsing unrestricted websites.

Transferring data as an email attachment creates an exposure risk and relaxed access management rules mean that personal data is easily found on networks. Firms may unconsciously allow staff to use cloud services to transfer information. Dropbox, Gmail, and Hotmail, for example, are cloud services that employees may use to transfer information.

Your public-facing website is often a target for cybercrime. Examples of breaches include a denial of service attack, which takes the site down completely; a hack into systems that sit behind the website, such as customer databases; and, the insertion of spyware to intercept customer information.

Any area of a business that handles money and bank details is a target for cybercriminals.