Cyber crime is a major threat to all businesses, and it’s one that is constantly evolving – making it difficult to defend against. This is especially true for small and medium-sized firms, which may not have the resources, budget or processes in place to continually update their defences and guard against the latest cyber threats.
Legal and accounting firms, due to the nature of their service, are at particular risk. Holding sensitive client information, handling significant funds, and being a vital cog in commercial and business transactions are all very attractive to criminals.
In fact, according to the National Cyber Security Centre (NCSC), 60% of law firms experienced an information security incident between 2017 and 2018. Meanwhile, a representative of the Institute of Chartered Accountants in England and Wales recently warned that financial companies are too often ‘the weakest link’ when criminals try to access sensitive data.
Successful cyber attacks can do significant damage – both from a financial and reputational viewpoint – to legal and accountancy firms. So, it’s no wonder that cyber crime is such a concern within these sectors. According to the PwC Annual Law Firms’ Survey 2018, over 80% of the top 100 law firms are concerned by the threat of cyber attack.
Modern working practices are only adding to the threat. The rise of remote working, for example, brings in additional points of weakness that can be exploited by cyber criminals.
However, there are ways to minimise risk and thwart cyber attack. Knowing the main threats can help in preparing a cyber protection strategy to keep your organisation safe.
Here are five major sources of cyber vulnerabilities in the legal and accounting sectors – and advice on how you can help guard against them:
Ransomware
Ransomware is a big threat for companies in any sector. Organisations as diverse as the NHS, FedEx and San Francisco’s light rail network have all fallen prey to it in the last few years.
A typical ransomware attack infects a computer or network, then locks up and encrypts files and data, making it impossible to regain access. Access is only granted after a ransom has been paid.
But a ransomware attack can only be successful if it gains access to your system, so both up-to-date cyber protection software and increased human vigilance are vital in guarding against this threat.
Outdated software
Outdated software is a major culprit in successful cyber attacks.
Software providers regularly update their products to remove exposed security vulnerabilities. However, if someone fails to action the update, that can provide hackers with the foothold they need to break into a network.
Therefore, it is essential to ensure that software updates and patches are installed as soon as possible.
Poor working practices
Basic human error lies at the heart of many successful cyber attacks. Much of this is down to poor password choice, with obvious passwords such as ‘12345’ or ‘password’ providing easy pickings for cyber criminals. Using your date of birth as a password is also a bad idea, as this can be easily found. So, strong passwords are a vital part of good cyber security. A good way to create one is to think of 3 random words: words which mean something to you, but won’t be easily guessed by someone else.
Phishing - where cyber criminals send apparently legitimate emails that induce individuals to reveal personal information, such as passwords, or download data - is also a big risk.
Most phishing emails are easily spotted, but some are very sophisticated and convincing. Thus, it is vital to ensure that employees are updated and trained on the risk of phishing and how to spot suspect emails.
Bring your own device
The trend for bring your own device (BYOD) in the workplace presents a significant cyber security threat. Devices brought in from outside may have picked up a virus, which can then gain access to your organisation’s own network, particularly as personal cyber security is often slack. A study by HP has revealed that 75% of employees’ devices lacked proper data encryption and 97% had privacy issues.
One way of reducing this risk is to ensure that any device brought into the workplace has additional security measures installed on it. This offers greater protection for personal use of the device, but most importantly increases the security of company-operated applications and software.
Access through applications
People’s awareness of cyber security is improving (albeit slowly) and so criminals are now looking for more technical ways to breach systems, which don’t rely on human error and focus on infrastructure instead. One recent trend is to target applications, which involves directly hitting the infrastructure that hosts applications through SQL injection, cross-site scripting and other methods.
Avoiding this means investing much more time, money and effort into application development and application security.
If you’re in the legal or accounting sector then it’s a question of ‘when’ not ‘if’ you will face a cyber attack, as you are a prime target for criminals. And obviously, prevention is the best form of defence.
To protect your company, it’s vital to identify and understand the most common cyber threats you are facing – then look at your vulnerabilities in each case and identify any gaps in your security. This enables you to plan and implement a prevention strategy that keeps your firm, your clients and your reputation safe.