As an IT and Cybersecurity firm that specializes in serving law firms, we are often asked, "What can we do to protect ourselves from cybercriminals?" I love this question because it gives me the opportunity to pour out my heart in hopes that what I say will help someone to move their firm into a better position.

Here's my response, laid out in 20 actionable steps. Some of these overlap with last week's advice on how to stay safe during the holidays. As we explore these tips together, remember that knowledge is power, and every step towards cybersecurity is a step towards a safer firm. So don't be TOO hard on yourself if all of these are not currently in place. You do need them though!

  1. Educate Your Employees: The first step towards cyber safety is knowledge. Regular cybersecurity awareness training can drastically reduce the risk of falling victim to phishing scams and other tactics. I always emphasize that your employees are your first line of defense. You want it to be a strong one.
  2. Use Strong, Long, Unique Passwords: This might seem obvious, but it bears repeating - create strong, long, unique passwords for every account. You don't have to memorize these; use a password manager. Also, please don't store these in a document on your computer. I cringe when doing risk assessments for law firms and find that their passwords are in Word or Excel documents on their computer.
  3. Implement Multi-factor Authentication (MFA): MFA adds an additional layer of security, making it harder for unauthorized users to gain access. Don't make it easy for the hackers.
  4. Regular System Updates: Don't ignore those update notifications! Keeping your systems updated means you're protected with the latest security patches. I know, I know, that pop-up always shows up when you have 50 million browser tabs open (and need each and every one of them). I can relate but it's not worth the risk. Do the update and let that computer reboot if needed!
  5. Install EDR Software: Some of you thought I'd say Antivirus, didn't you? Antivirus is not always effective against new threats. Years ago, I would have said Antivirus, and I'm sure it still has its place, but I prefer to implement EDR (Endpoint Detection and Response) for our clients. It's more effective at detecting new threats and can identify suspicious behavior quickly and act accordingly.
  6. Firewall Protection: Ensure your network is guarded by a robust firewall to block unauthorized access.
  7. Regular Backups: Regularly back up important data, such as your Office 365 data. If you fall victim to a ransomware attack, this helps to ensure you can recover your data without paying the ransom.
  8. Encrypt Sensitive Data: Encryption makes your data unreadable to anyone who's not supposed to have it.
  9. Limit Access: Only give employees access to the data they need to do their job. The fewer people who have access, the less risk of something falling into the wrong hands. Audit who has access to resources and make sure that, as you're offboarding people, all of their access is disabled. You'd be surprised at how many times people forget to do this.
  10. Secure Your Wi-Fi: Secure and hide your Wi-Fi network to protect it from unauthorized access. Avoid connecting to public wireless networks without securing your connection first.
  11. SASE: Secure Access Service Edge enables fast, secure, and reliable connections to all of your company resources. With many businesses going remote, this is necessary and will make your life easier.
  12. Watch out for Phishing Attacks: Always be cautious of suspicious emails, especially those asking for sensitive information. Hover over links before clicking them and pay close attention to the sender's email address.
  13. Have an Incident Response Plan: Prepare for a breach. A well-thought-out incident response plan can minimize damage and recovery time. Every firm should have a plan in place. The day of the breach is NOT the day that you need to be planning for this.
  14. Vet Your Vendors: If your vendors have access to your data, ensure they follow strict cybersecurity practices. Research vendors before engaging with them. Unfortunately, every industry has bad vendors.
  15. Secure Mobile Devices: Mobile devices can be a weak link. Make sure they're secure and can be wiped remotely if lost or stolen. Otherwise, prohibit employees from accessing company data from their personal mobile devices.
  16. Dispose of Old Equipment Securely: Don't just throw out old computers. Wipe them clean first, and destroy the hard drive, so no data falls into the wrong hands.
  17. Monitor Your Networks: Regular network monitoring can help identify suspicious activity before it becomes a serious problem. Be proactive rather than reactive.
  18. Physical Security: Not all breaches happen online. Make sure your physical office space is secure too. Don't put sensitive information on sticky notes and don't leave your computer without locking it first.
  19. Regular Audits: Regular cybersecurity audits can help identify potential vulnerabilities and fix them before they're exploited.
  20. Hire a Cybersecurity Firm: Consider hiring a cybersecurity firm for a thorough, expert approach to your firm's security. It's not enough to hire an IT company. The company needs to be cybersecurity-focused. Don't be afraid to ask and have that conversation.
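As an added example for step 9 (not code from the original post), here is a small Python access-review check that compares a directory export against the HR roster and flags enabled accounts belonging to departed staff, plus accounts nobody has used in 90 days. The account names, dates and the 90-day threshold are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data standing in for a directory export (for example,
# a user list pulled from Office 365 or Active Directory).
ACCOUNTS = [
    {"user": "asmith", "enabled": True,  "last_login": date(2023, 11, 20)},
    {"user": "bjones", "enabled": True,  "last_login": date(2023, 6, 2)},   # unused for months
    {"user": "cdoe",   "enabled": True,  "last_login": date(2023, 11, 18)}, # left the firm
    {"user": "dlee",   "enabled": False, "last_login": date(2023, 1, 9)},   # already disabled
]

# Constructed HR roster: the source of truth for who should still have access.
CURRENT_STAFF = {"asmith", "bjones"}


def audit_access(accounts, current_staff, today, stale_days=90):
    """Return accounts that need review.

    'departed': still enabled but no longer on the roster (missed offboarding).
    'stale':    enabled and on the roster, but not used within stale_days
                (a candidate for disabling under least privilege).
    """
    cutoff = today - timedelta(days=stale_days)
    findings = {"departed": [], "stale": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already taken care of
        if acct["user"] not in current_staff:
            findings["departed"].append(acct["user"])
        elif acct["last_login"] < cutoff:
            findings["stale"].append(acct["user"])
    return findings


def run_sample_audit():
    """Run the check against the constructed data as of 2023-12-01."""
    return audit_access(ACCOUNTS, CURRENT_STAFF, today=date(2023, 12, 1))


if __name__ == "__main__":
    for category, users in run_sample_audit().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Run against a real export, the "departed" list is the offboarding gap the step warns about, and the "stale" list is where to start trimming access.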

Remember, cybersecurity is not a one-and-done deal. It’s an ongoing, ever-evolving process. Every step you take is a move towards a safer, more secure practice. Be vigilant and informed.