Malware Attacks: Mitigating The Threat
The recent and widely reported international ransomware attack that affected - among others - the NHS, should serve to bring the issue of cyber security to front-and-centre for every business.
Whilst the disastrous impact of such an attack isn't hard to imagine, it can be a lot harder to know what to do to try to protect yourself and your firm from ransomware and other forms of cyber-criminality. Thankfully, there are a number of simple steps that you can take that will reduce your vulnerability to attack, and that will minimise the damage and disruption should you fall victim.
Keep up to date
First and foremost, you should keep all of your software patched and up-to-date, in particular operating system and other "mission critical" software. Whilst the constant cycle of monthly - sometimes weekly - updating can be tedious and inconvenient, keeping software updated ensures you have all of the latest security fixes installed.
In addition you should not run any operating system (OS) that is no longer supported by the manufacturer, for example Windows XP. Where the use of an unsupported OS is unavoidable - for example if you're running specialist "legacy" software or hardware that is not compatible with a more up-to-date system and for which no alternatives exist - the computer running the unsupported OS should not be connected to the internet nor to a local office / home network, and should be used solely for the purposes of running the legacy software and/or hardware in question.
Beware email attachments
One of the most common ways in which malware finds its way onto a computer is via infected email attachments, often referred to as phishing. Because of this, you should adopt a policy of never opening unknown or unexpected email attachments, even if they appear to be from somebody you know (that person may themselves be infected with malware capable of sending itself to everybody in the person's address book). In particular, never open attachments whose filename ends in ".zip", ".exe" or ".msi" unless you were specifically expecting to be sent that type of file.
Common Microsoft Office documents can also pose a risk if your software is not configured to ignore document macros by default. Macros are computer commands embedded within an office document, and are another known vehicle for phishing and malware attacks: if you open an infected Office document and its macros are executed then your computer - and possibly your entire network of computers - will be infected with malware of some form or other.
Use anti-virus software... but don't rely on it!
Ant-virus software has been a necessity for safe computing for many years, and most of us are well-versed in the annual chore of forking out for another year of updates and protection. Those updates are vital, however, because without them the anti-virus software will not be able to recognise newly discovered threats.
Unfortunately, one area in which anti-virus software is of little help is when it comes to blocking attacks that target previously unknown vulnerabilities (known as "zero-day" vulnerabilities): An anti-virus software developer has to identify and analyse a newly emerging threat before being able to write and distribute an update that will protect against that threat. For this reason you should not trust all of your cyber security to anti-virus software.
Adopt a rigourous backup plan
The importance of keeping backups of your important data can't be stressed enough. Having safe, regular backups of your data means that - in the worst case scenario - you minimise the loss and disruption, whilst ensuring you'll be back up-and-running in as short a time as possible.
The backups themselves should be stored in two places, one of which should be off-site. The easy availabilty of online "cloud" storage and high-speed internet connections makes off-site storage much easier and more efficient than it used to be, and there are now many backup services available that offer a combination of both backup software and online storage for your backups. If using such a service, however, be sure that it has appropriate security and Terms & Conditions for your use-case; for example, if backing up business data then you are likely to require backup software and services designed with business users in mind.
For additional security you should encrypt your backups if your backup software provides this functionality.
Security through obscurity
The dominant position of Windows in the desktop computer market makes it a particular focus for malware attacks - hackers hunt-out Windows vulnerabilities simply because it maximises the number of potential victims. Other OS's are not invulnerable to attack, and all of the above recommendations remain relevant no matter what OS you are using, but the comparatively tiny user bases of these alternative OS's means there are far fewer malware variants that target them, and so far less risk of infection. Because of this, there are those who believe it makes sense not to use Windows in situations where it is not actually needed - effectively adopting a policy of "security through obscurity"; after all, non-Windows computers are impervious to Windows-targeting malware.
The most obvious alternative OS is MacOS, but this only runs on Apple hardware, the cost of which can make this an unattractive option. Less known are the many OS's based on the open-source Linux: Most are free to use (both in the sense of "free beer" and of "free speech"), and some, such as the excellent Linux Mint, are so familiar in their look and feel that those with experience of Windows have no difficulties adapting to it.
There is a version of Microsoft Office available for MacOS, but not for Linux. However, the Microsoft Office 365 web-based apps can be accessed from a Linux-based computer, and there are also a couple of fully-featured office suites - Open Office and Libre Office - that can read and write Microsoft Office documents and which are available for Linux, Windows and MacOS. Whilst these suites may not be quite as "slick" as Microsoft Office, they are able to read and write standard Office files, and many users find them to be more than adequate for their requirements.
Seek professional advice
Law firms in particular have specific duties and requirements to protect clients' data and confidentiality, and achieving a level of cyber security commensurate with these requirements will often require the input of specialist technical knowledge and know-how. There are numerous cyber security consultants and companies specialising in serving the legal sector, and a few hundred pounds spent now could save you thousands in the future.