Image source: Information is beautiful
You and other lawyers and legal assistants in your firm likely have accounts on the hacked websites listed in the image above.
If a hacker wants to get into the emails and document management systems of a law firm, they don’t have to attack your IT systems directly. All they need to do is download a database of hacked passwords from a list of breached websites and search it for your law firm’s domain.
Then, since people often reuse passwords, they can try the passwords you or your colleagues used on those websites against your email server. According to research by Google security engineers, 52% of people reuse passwords. If a colleague used one password for LinkedIn, which was hacked in 2012, they might use a similar or even the same password for their corporate email!
There is a straightforward way to determine if your law firm has fallen victim to a hacking attack without your knowledge.
You can check your business email here: https://haveibeenpwned.com/ and your IT administration company can check the entire law firm’s records at https://haveibeenpwned.com/DomainSearch (this requires a bit more technical skill).
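The address check above is done by hand on the Have I Been Pwned site. A related check that a firm’s IT team can automate is HIBP’s Pwned Passwords range API, which tells you whether a given password has appeared in known breaches without the password ever leaving your network: only the first five hex characters of its SHA-1 hash are sent, and the matching suffix is looked up locally in the returned range. The following is an added example, not code from the article or from Have I Been Pwned. The endpoint and the `SUFFIX:COUNT` response format are the public API; the sample response body and its counts are constructed so the demonstration runs offline.

```python
"""Check a password against HIBP's Pwned Passwords corpus via the
k-anonymity range API, so the password itself is never transmitted.

Added example. Endpoint: GET https://api.pwnedpasswords.com/range/<first 5 hex
chars of the SHA-1>; each response line is "<remaining 35 hex chars>:<count>".
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response and return how many times the password whose
    hash ends in `suffix` appears in known breaches (0 if it is absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Download the range for `prefix`; only these 5 characters leave the machine.
    The User-Agent value here is an arbitrary label chosen for this example."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "firm-password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password):
    """Live check: combine the hash split, the range download and the lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed offline sample of a range body. The third suffix is the real tail
# of SHA-1("password") (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts
# and the other two suffixes are made up for the demonstration.
SAMPLE_RANGE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
"""


def offline_demo():
    """Run the lookup against the constructed range body instead of the network."""
    _, suffix = sha1_prefix_suffix("password")
    return count_in_range(suffix, SAMPLE_RANGE)


if __name__ == "__main__":
    print("constructed sample says 'password' seen", offline_demo(), "times")
```

Anything with a non-zero count has been seen in a public breach and should be rejected by a password policy regardless of how complex it looks; a policy that only enforces length and character classes does not catch a reused, already-leaked password.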
We have identified the problem. People do reuse passwords. Without any advanced hacking skills, anyone who can download a list of hacked passwords from thousands of hacked websites can try them against corporate email servers and, since 52% of people reuse passwords, succeed in roughly that share of cases.
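The attack described above leaves a recognisable trace on the mail server: one source address tries many different accounts, each with a single password taken from a leak, and the dangerous moment is a success following that run of failures. The following detection logic is an added example, not code from the article or from any product. The log lines are constructed in a Dovecot-like format purely for illustration, so the regular expression has to be adapted to your own server’s format; the addresses and names are fictitious.

```python
"""Flag credential-stuffing against a mail server from its authentication log.

Added example. Log format, addresses and accounts below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once each against five accounts in a
# few seconds and then logs in as a sixth (a reused password worked);
# 198.51.100.22 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-04T09:00:01 imap-login: Disconnected (auth failed, 1 attempts): user=<j.smith@example-law.test>, rip=203.0.113.7
2024-03-04T09:00:03 imap-login: Disconnected (auth failed, 1 attempts): user=<a.jones@example-law.test>, rip=203.0.113.7
2024-03-04T09:00:04 imap-login: Disconnected (auth failed, 1 attempts): user=<m.brown@example-law.test>, rip=203.0.113.7
2024-03-04T09:00:06 imap-login: Disconnected (auth failed, 1 attempts): user=<k.lee@example-law.test>, rip=203.0.113.7
2024-03-04T09:00:08 imap-login: Disconnected (auth failed, 1 attempts): user=<p.wong@example-law.test>, rip=203.0.113.7
2024-03-04T09:00:09 imap-login: Login: user=<r.patel@example-law.test>, rip=203.0.113.7
2024-03-04T09:02:10 imap-login: Disconnected (auth failed, 1 attempts): user=<d.evans@example-law.test>, rip=198.51.100.22
2024-03-04T09:02:15 imap-login: Disconnected (auth failed, 1 attempts): user=<d.evans@example-law.test>, rip=198.51.100.22
2024-03-04T09:02:30 imap-login: Login: user=<d.evans@example-law.test>, rip=198.51.100.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: (?P<outcome>Login|Disconnected \(auth failed.*?\)): "
    r"user=<(?P<user>[^>]+)>, rip=(?P<ip>[\d.]+)"
)


def parse(log_text):
    """Yield (timestamp, source ip, user, success) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["outcome"] == "Login")


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"failed_users": [...], "succeeded_users": [...]}} for every
    source IP that failed against at least `min_users` distinct accounts within
    `window`. A non-empty succeeded_users list for such an IP is the case that
    needs an immediate password reset: a reused password let the attacker in."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, ip, user, ok in sorted(parse(log_text)):
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        # Slide a window over this IP's failures, counting distinct accounts.
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = {
                    "failed_users": sorted(users),
                    "succeeded_users": sorted(successes[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", len(info["failed_users"]), "accounts;",
              "logged in as", info["succeeded_users"] or "nobody")
```

The distinguishing signal is breadth rather than depth: a legitimate user fails repeatedly against one account, while a leaked-list replay fails once against many accounts. Thresholds such as five accounts in five minutes are starting points to tune against your own baseline, and the same logic applies to webmail, VPN and single-sign-on logs once the line parser is adjusted.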
How do we solve it?
Password and access management is one of the 14 processes that make up an excellent security program. Only a well-designed and well-executed information security program can give you assurance that your law firm is safe from hackers.
The only way to ensure your firm’s reputation remains intact while keeping client data safe is to focus on building solid defenses and a solid information security practice.
If your colleagues are:
Then your firm is at dire risk of getting hacked or was hacked already without anyone noticing.
Fixing the problem requires a systematic approach: start with awareness first, proceed with technical measures, and complete the project by testing people’s understanding and practices.
Provide your firm’s team with a safe way to store passwords
Secure password managers are the only way to store passwords safely. They are also the only way to ensure people generate secure passwords for every IT system used in the firm.
When creating a new entry, every good password management tool offers to generate a secure, complex password. The best thing is that people no longer have to remember all these complex passwords or write them down, because they are all stored in the password manager.
Good password managers also have mobile clients and make it easy for people to access their passwords on any device.
Note: it is critical to protect access to the password manager itself well, at a minimum with two-factor authentication. It would be a security disaster if someone stored access credentials to a dozen confidential systems in a password manager and used their Facebook password as the only protection of the password manager itself!
Perform spot checks and regular reminder sessions
If you don’t verify that everyone in the firm is following best practices for password managers, people will fall back to their old habits of reusing passwords.
The only way to ensure safe credential management is through awareness and technical measures.
If you need someone to help you with this and the other 13 security domains, reach out to our information security consulting team.