In the online world, battles rage daily with many casualties—individuals and businesses—and very little news coverage. For example, according to a report from Hiscox Group, a small business in the UK is targeted by cyber crime every 19 seconds—that’s 65,000 attempts every single day.
Protecting your company’s assets and the personal information of your staff and clients from hackers is, therefore, a continuous battle, but one that can be managed if you stay one step ahead. After all, “if you know the enemy and know yourself, you need not fear the result of a hundred battles”, as the ancient Chinese military treatise The Art of War declared.
As service sector organisations, law firms face a dual challenge in needing to protect both themselves and their clients from hacking. All too often, however, complacency creeps in, and this can be fatal. The brutal reality is that hacking can—and does—happen to anyone who takes their eye off the ball.
Know your enemy
To prepare for battle, it is worth taking a moment to focus on what the main threats actually are to your firm.
Malware
Malware is a generic term for all kinds of nasty software specifically designed to cause pain and disruption, often referred to as computer viruses. It does its damage by infecting a host machine and making it “sick”, just like a real-life biological virus. And in the same way that bugs spread between living creatures, malicious code generates copies of itself that spread across entire organisations.
Ransomware
The modern-day equivalent of “your money or your life”, ransomware attacks take users completely by surprise by threatening them with major data loss unless they pay up fast. This particularly nasty form of malware has the power to completely block an organisation’s access to its own information until it pays a ransom.
Botnets
With the rise of the internet of things (IoT), cyber criminals have been taking control of large numbers of internet-connected devices and linking them into networks, called botnets, to perform a variety of attacks. From distributed denial of service (DDoS) and ransomware to spying and cryptocurrency mining, botnets are on the rise and they’re wreaking havoc on devices all around the world—and attacks can go undetected for weeks or even months.
Phishing
Phishing scams work by sending targets emails that have been carefully crafted to look like they come from a trusted source, often sent later in the day when staff are less likely to be alert to threats.
Man-in-the-middle (MitM) attacks
MitM attacks eavesdrop on transactions and conversations between two or more parties. Once the attacker has made their way into personal or professional business, they’re perfectly positioned to steal data and destroy reputations. The most common way cyber criminals use MitM attacks is through unsecured public WiFi, which is why working remotely from your local coffee shop can be a really bad idea.
Distributed denial of service (DDoS) attacks
DDoS attacks effectively overload computer systems, networks and servers by flooding them with so much traffic that they’re no longer able to perform simple tasks. Once the network has been completely overwhelmed with emails and requests it becomes completely inaccessible, resulting in significant losses and often irreparable reputational damage.
Zero-day attacks
A zero-day attack exploits a weakness in a piece of software on the very day that weakness is found, before anyone has had a chance to fix it. Usually, when a user becomes aware of a potential security risk, they have time to report it to their software provider, who will in turn develop a patch (a bit like a sticking plaster) until a more permanent solution is available. In the case of zero-day attacks, however, there is no time for a quick fix.
Structured Query Language (SQL) injection
Cyber attackers perform SQL injections by inserting their own SQL code into the queries an application sends to its database, which can give them control over the database and the website that sits on top of it. It requires very little skill or knowledge to initiate an attack, but the effects of the stolen and misused data are often devastating.
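The root cause is that user input gets treated as part of the query text. The added example below (not from the original article) shows a lookup built by string concatenation beside the same lookup written as a parameterised query, run against a constructed in-memory SQLite table with made-up client names: a name containing an apostrophe breaks the first version (a tell-tale SQL syntax error in the logs) and an input that alters the query’s logic returns every row, while the parameterised version treats both inputs as plain values.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; not real client records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, name TEXT, matter TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [(1, "Acme Ltd", "Lease dispute"), (2, "Bloggs & Co", "Merger due diligence")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Concatenates the input into the SQL text, so quotes and keywords
    # typed by the user are parsed as part of the query itself.
    sql = "SELECT name, matter FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the driver binds the input as a value, so the
    # database never interprets it as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, matter FROM clients WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = make_db()
    apostrophe = "O'Brien"        # legitimate name that happens to contain a quote
    hostile = "x' OR '1'='1"      # input that rewrites the WHERE clause
    try:
        lookup_vulnerable(conn, apostrophe)
        apostrophe_error = False
    except sqlite3.Error:
        # The quote closed the string early; the rest is a syntax error.
        apostrophe_error = True
    return {
        "vuln_normal": lookup_vulnerable(conn, "Acme Ltd"),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # returns every client
        "safe_hostile": lookup_safe(conn, hostile),         # returns nothing
        "safe_apostrophe": lookup_safe(conn, apostrophe),   # no error, no match
        "apostrophe_error": apostrophe_error,
    }
```

Unexpected SQL syntax errors in application logs are worth treating as a signal that a query is being built from raw input, and therefore that it needs to be parameterised.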
Top tips for beating the hackers
- Create a culture of awareness
Around 88% of data breaches are caused by unsuspecting staff members, so make IT education a priority in your organisation. Run internet safety awareness courses and ensure that you and your staff are always up to date with the latest threats and how to avoid them. Schedule regular reviews and refreshers into your diary, and lead by example. If you’re seen with Post-it notes displaying multiple passwords, or you regularly share login details, you can’t expect your workforce to take security seriously.
- Use strong passwords
While it is a pain having to have separate passwords for all your different applications, it really is better to be safe than sorry. Hackers have been stealing passwords for years because people make it so easy for them by using the same password on multiple accounts or choosing codes that even a toddler could guess. Strong passwords include a combination of uppercase, lowercase, numbers and special characters, and they should be changed once a month.
There’s some great software out there these days that enables you to create (and remember) new passwords without having to keep coded messages in your diary or phone.
Multi-factor authentication is even better. Before being granted access to data, users have to do something extra to prove it’s really them logging in. This can be as simple as receiving a text on your phone or, for the highest level of security, using a specialist hardware device.
- Be careful what you (and your staff) post
We live in a society where it’s become the norm to over-share. From A-list celebrities to friends you haven’t seen since primary school, it seems that everyone is happy to divulge each moment of their waking day in detail. This constant stream of personal information has given cyber criminals the perfect opportunity to target victims through social media, quickly finding out where they live, what they do for fun and where they work.
To minimise your chances of becoming a victim, think about how much information you really want to share with strangers and make it policy for employees never to divulge business details online.
- Avoid public WiFi
While it can be great to take a break from the office and work from the local café or train, using free WiFi leaves you wide open to attack. It’s the perfect opportunity for cyber criminals to steal passwords, customer data and banking details, quickly spreading viruses between multiple devices. If you or your workforce are going to work remotely, use a virtual private network (VPN) to secure your connection, and be sure to turn off sharing on your device settings.
- Develop a multi-layered approach to IT security
The most important tools in your arsenal are robust, up-to-date anti-virus software and firewalls, which should be constantly monitored and regularly updated.
It’s also essential to ensure that all software is regularly updated to avoid any vulnerabilities that hackers could exploit. Old, outdated computers also pose a significant threat, so undertake regular inventories of your entire system and schedule licensing renewals.
Even with the best plans and precautions, disasters can still happen. The world of cyber crime is so rapidly evolving that even hardened security experts can’t guarantee that a hacker won’t come up with a new way to break in. So you’ll need a backup in place. When your data is properly backed up in a secure place and regularly tested for vulnerabilities, any disasters that do occur can be rapidly dealt with and you’ll have peace of mind that any lost data can be quickly replaced.