Bloomberg Law recently reported that Goodwin Procter was the latest law firm to fall victim to a data breach after one of its vendors was hacked. Cyberattacks on law firms and businesses have become increasingly common over the past few years, even more so with the onset of the COVD-19 pandemic. A recent study published by Hogan Lovells discovered that most businesses do not engage in a full data security review for their vendors and suppliers, often leaving them susceptible to data breaches. Remote work has also exacerbated this issue, as businesses are relying more than ever on technological capabilities in order to continue operations.
In light of the steady increase of cyberattacks on law firms and business, here are some specific steps that an organization can take to strengthen their information security systems and protect their data:
Issuing company-owned laptops and other technology with built-in approved and acceptable security measures to remote workforces, or requiring appropriate VPN connections from personal devices, are critical fixes to potential gaps in cybersecurity.
Companies should also continue (or in some cases, begin) using recommended security best practices with respect to both company-owned and personal devices. This could include the use of multi-factor authentication (MFA), strong password requirements for all enterprise applications, and policies against locally saving company materials to personal devices.
To safeguard employee (and client) communications to the greatest extent possible, businesses should sign up for (and pay for) enterprise solutions for videoconferencing and other communication needs and require employees to use only those authorized applications.
Now more than ever, training the workforce to detect and avoid cybersecurity threats is a critical piece of any information security program. Employees should remain vigilant against phishing attempts or other incursions into the company’s systems, particularly since remote work increases the threat of hacking with multiple potentially unsecured home networks. Employees should also be trained on the continued need to protect information relating to clients, customers, and other employees while working remotely.
Every business should also draft and regularly update the incident response plan they would use to respond to a security breach. In the event of a data breach during remote work, employees should know who to contact and which resources are still available.
We will continue to monitor developments regarding cybersecurity and data protection and provide updates as available.