
Hundreds of thousands of companies worldwide fall victim to hackers every year. Is your firm one of them?

Date:3 DEC 2020



Image source: Information is beautiful

You and other lawyers and legal assistants in your firm likely have accounts on the hacked websites listed in the image above.

If a hacker wants to get into the emails and document management systems of a law firm, they don’t have to directly attack your IT systems. All they need to do is download a database of hacked passwords from a list of breached websites and search for your law firm in them.

Then, since people often reuse passwords, they can try some of the passwords used by you or your colleagues on these websites against your email server. According to research by Google security engineers, 52% of people reuse passwords. If someone used one password for LinkedIn, which was hacked in 2012, they might use a similar or even the same password for their corporate email!

There is a straightforward way to determine if your law firm has fallen victim to a hacking attack without your knowledge.

You can check your business email here: https://haveibeenpwned.com/ and your IT administration company can check the entire law firm’s records at https://haveibeenpwned.com/DomainSearch (it requires a bit more technical skill).

We have identified the problem: people do reuse passwords. Without any advanced hacking skills, anyone who downloads a list of hacked passwords from thousands of breached websites can try them against corporate email servers and, given the reuse rate above, succeed in 52% of the cases.
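The breach-lookup idea behind the check above can also be applied to individual passwords, so a firm can verify that a credential is not already in a public breach list before anyone relies on it. The following Python is an added example, not the article's code nor Have I Been Pwned's own client: it queries HIBP's Pwned Passwords range API, which sees only the first five characters of the password's SHA-1 hash, never the password itself. The sample response embedded in it is constructed so the script runs offline; the live fetch is optional.

```python
import hashlib
import urllib.request
from typing import Optional

# Hypothetical example: check a password against the Have I Been Pwned
# "Pwned Passwords" range endpoint using its k-anonymity model. Only the first
# five hex characters of the SHA-1 hash are sent; the password never leaves.
RANGE_API = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> tuple:
    """Uppercase hex SHA-1 of the password, split into (5-char prefix, rest)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the breach count for our suffix
    (0 means the hash was not found in the range)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Download the live range for a 5-char prefix (network access needed)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for a password. Give range_body to run offline against a
    captured or constructed response; omit it to query the live API."""
    prefix, suffix = split_sha1(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with it). The counts are made up; only the line format matches the API.
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "2F3A9C1B2D4E5F60718293A4B5C6D7E8F90:12\n"
)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, SAMPLE_RANGE)
        print(f"{pw!r}: seen {n} times in breaches" if n else f"{pw!r}: not found")
```

A non-zero count means the password has appeared in a breach and should be retired; this checks passwords only, while the DomainSearch page mentioned above covers the firm's email accounts.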

How do we solve it?

Password and access management is one of the 14 processes that make up an excellent security program. Only a well-designed and well-executed information security program can give you the assurance that your law firm is safe from hackers.

The only way to ensure your firm’s reputation remains intact while keeping client data safe is to focus on building solid defenses and a solid information security practice.

If your colleagues are:

  • reusing passwords for everything
  • writing these passwords on post-it notes and sticking these on their monitors
  • using passwords such as YourFirmName123 or even Password123
  • writing all their passwords down in files such as passwords.xls

Then your firm is at dire risk of getting hacked or was hacked already without anyone noticing.

Fixing the problem requires a systematic approach: start with awareness first, proceed with technical measures, and complete the project by testing people’s understanding and practices.

Provide your firm’s team with a safe way to store passwords

Secure password managers are the only way to store passwords safely. They are also the only way to ensure people generate secure passwords for every IT system used in the firm.

When creating a new entry, every good password management tool offers to generate a secure, complex password. The best thing is that people no longer have to remember all these complex passwords or write them down, because they are all stored in the password manager.

The good password management apps also have mobile clients and make it easy for people to access their passwords on any device.

Note: it is critical to protect access to the password manager well, with two-factor authentication as a minimum. It would be a security disaster if someone used a password manager to store the credentials for a dozen confidential systems and then used their Facebook password as the only protection for the password manager itself!

Perform spot checks and regular reminder sessions

If you don’t verify that everyone in the firm is following best practices for password managers, people will fall back to their old habits of reusing passwords.

The only way to ensure safe credential management is through awareness and technical measures.

If you need someone to help you with this and the other 13 security domains, reach out to our information security consulting team.