It is fair to say that October 2015 will be remembered as a darker moment in the history of TalkTalk, a national provider of telephone and broadband services. The potential brand damage and loss of customer confidence inflicted by the cyber-attack were further compounded when the police announced that teenagers had been arrested in connection with allegedly outwitting the cyber security defences of a major corporation.
Digging for online gold
While TalkTalk works to claw back credibility for its brand and win back the trust of its customers, this is a good time for legal firms to reflect on their own businesses’ IT security. While many hackers traditionally searched for weak spots that enabled them to gain access to financial assets – whether they belong to a corporation or an individual – increasingly, hackers’ main focus is the full remit of customer data, from name, address, date of birth and employment details onwards, all of which have become a highly valuable commodity on the internet’s black market. Legal firms of all sizes are particularly attractive to cyber criminals, not just because they offer a rich source of data about individuals, but also for the wealth of sensitive and confidential corporate information they are privy to. This could range from payroll data and case notes to M&A information – in the wrong hands, this information is pure gold.
New solutions for a new age
While many larger firms recognise the risk – and their data’s attraction to cyber criminals – in my experience smaller firms could do more to respond to the risk. Unsurprisingly, many smaller firms do not have dedicated security personnel, which means that security runs the risk of being ‘something’ that ‘someone’ addresses once they have ticked off everything else – usually client-related – that’s on their to-do list. This model – and the security problems it encourages – is complicated further by some legal firms not embracing two-factor authentication solutions. In an age when static passwords are no longer fit for purpose, it’s nigh on irresponsible to be so reliant on such a vulnerable method for protecting highly confidential assets, especially when customers expect the holders of their private data to have measures in place to keep their data safe. Therefore, the onus lies increasingly with those organisations to have security policies and procedures to ensure their security lives up to customers’ or clients’ increasing expectations.
Closing the door to cyber criminals
For years, One Time Passwords (OTP) have proven to be a highly resilient and robust defence against man-in-the-middle attacks. Yet even in this era of increased security awareness, some smaller firms have been reluctant to add this simple yet effective measure as a line of defence. Often, senior partners may have tried two-factor authentication before and perhaps dismissed it as unnecessary because security threats then weren’t as prevalent as they are today. They may also be under the impression that it simply adds complexity to existing processes, or is difficult to deploy. The truth is of course very different, as two-factor authentication has evolved to marry both convenience and security. More than that, it has evolved to take on board changes in the way legal professionals work, by offering them a solution that’s compatible with the device they’re working from, be it a mobile, tablet, laptop or desktop-based PC, offering flexibility whether they’re securely accessing the company network from work, home or elsewhere.
There’s no escaping the fact that cyber attacks are not going to go away. Most experts believe that companies of all sizes will have either been attacked or are likely to be attacked in the near future and, in the criminals’ quest for personal data, there is a very real chance attacks will escalate. Smaller legal firms shouldn’t wait for the legal sector to become a target before safeguarding their data; one way to beat the cyber criminals is to be one step ahead of them, a position that’s easier to be in when two-factor authentication already forms part of your security arsenal.