

Securing your firm's website

Key points:

Secure your DNS: it's critical

Your website is important. But your DNS — the ability to point your domain name at a particular Internet address — is critical.

If someone has control over your DNS, they can redirect your website and, worse, your email.

Make sure you have admin control over your DNS settings, and that you cannot be locked out of them. Protect the registrar and DNS provider accounts with two-factor authentication, and use a registrar or registry lock on the domain if one is offered. If you have to give a third party (such as an IT service provider) access, see if you can limit the access you give them, and disable their account (or at least change the password) once they have done what they need to do.

Host it (physically) in a suitable country

Different countries afford different protections, so host your website on a server in a country which affords you sufficient protections.

If you are using a third party to host your website, they should be established in a safe country too.

If in doubt, hosting in the EU (including the UK!) is likely to be sensible.

Mythic Beasts offers UK-based hosting at reasonable prices.

Keep your software up to date

The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits.

Keep an eye on updates to the software, and test and deploy quickly.

If you are using a third party to run your website, or you are hosting it on someone else's platform, check their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (the web server itself, and the content management system or other software that runs on it).

Encrypt traffic between your visitors and your website

Just as you would look for a padlock on a website you are browsing, offer the same to your potential clients.

Doing this is easy and cheap (free, if you use Let’s Encrypt, for which there is the excellent certbot tool for configuration and management).

If you collect personal data on your website (such as through a contact form), it is hard to see how you could comply with your legal and regulatory obligations without doing this.

Once you have set up this encrypted connection, change your website configuration so that visitors are automatically redirected to the secure version of your site. Check that the links in your own pages and any embedded resources (scripts, images, stylesheets) also use https, otherwise browsers will warn about mixed content.
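An added example of the redirect (not from the original page, and not any real site's configuration): two nginx server blocks, one listening on port 80 that sends every request to https while leaving certbot's challenge path reachable, and one on port 443 that serves the site. The hostnames, certificate paths and document root are assumptions.

```nginx
# Added example, not from the original page. Hostnames and paths are assumptions.
server {
    listen 80;
    listen [::]:80;
    server_name example-firm.co.uk www.example-firm.co.uk;

    # Let certbot's HTTP-01 challenge through so renewals keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else goes to the https version of the same URL.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example-firm.co.uk www.example-firm.co.uk;

    # Paths as written by certbot for this hostname (assumed).
    ssl_certificate     /etc/letsencrypt/live/example-firm.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-firm.co.uk/privkey.pem;

    # Tell returning browsers to skip the plain-http step entirely. Start with a
    # short max-age and raise it only once everything is known to work over https.
    add_header Strict-Transport-Security "max-age=300" always;

    root /var/www/example-firm;
    index index.html;
}
```

The Strict-Transport-Security header is deliberately short-lived here: a long max-age cannot easily be undone if you later find something that still needs plain http, so lengthen it only after the site has run cleanly over https for a while.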

Take backups

Ensure you have an accessible, tested backup of your firm's website. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it).

If your hosting provider decides to close shop unexpectedly, you can get back up and running far more quickly if you have a tested backup available.
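An added example (not from the original page) of what an automated, tested backup looks like in practice, in Python: it archives the site's files, immediately restores the archive into a scratch directory, compares every restored file's hash with the live copy, and discards the archive if they differ. The directory layout and file contents built by demo() are constructed for the example; a real script would also dump the database and be run from cron or a systemd timer.

```python
"""Added example, not from the original page: write a backup and verify it
immediately. The site used by demo() is constructed for the example."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _file_hashes(root):
    """Map each file under root (relative path) to its SHA-256 hash."""
    return {p.relative_to(root): _digest(p) for p in root.rglob("*") if p.is_file()}


def verify_backup(archive, site_dir):
    """An untested backup is a hope, not a backup: restore it and compare every file."""
    site_dir = Path(site_dir)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the safe extraction filter where the Python version provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = Path(scratch) / "site"
        return _file_hashes(site_dir) == _file_hashes(restored)


def backup_site(site_dir, backup_dir, keep=7):
    """Write a timestamped site-YYYYmmdd-HHMMSS.tar.gz, verify it, prune old copies."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    if not verify_backup(archive, site_dir):
        archive.unlink()
        raise RuntimeError("backup did not match the live files; nothing was kept")
    # Keep only the newest `keep` archives; names sort chronologically.
    for old in sorted(backup_dir.glob("site-*.tar.gz"))[:-keep]:
        old.unlink()
    return archive


def demo():
    """Build a tiny constructed site, back it up, and report whether the check passed."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root) / "www"
        (site / "css").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Example Firm</h1>")  # constructed content
        (site / "css" / "main.css").write_text("body { font-family: serif; }")
        archive = backup_site(site, Path(root) / "backups")
        return archive.exists() and verify_backup(archive, site)


if __name__ == "__main__":
    print("backup verified:", demo())
```

Copy the archives somewhere other than the server that hosts the site (otherwise the backup disappears along with the hosting provider), and repeat the restore test from that copy now and then, not only at the moment the backup is written.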

Be careful with contact forms and text entry fields

If you let people fill in forms, or submit information via your website, make sure you restrict their ability to enter things which would be problematic (such as loading content from other servers, or wiping your database). Example.

This is often called "sanitising inputs", but in practice it means two things: validating what each field is allowed to contain, and, more importantly, handling whatever arrives safely, by passing it to the database as a parameter rather than building a query out of it, and by escaping it when it is displayed back on a page.

If you've developed your own website, it's up to you to get this right. If you've outsourced the development, check with your web developer that they have this covered off.
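An added example (not from the original page, and not any real site's code) of a contact form handled both ways, in Python with SQLite: the vulnerable functions build SQL and HTML out of the visitor's text, the safe ones use parameterised queries, field validation and output escaping. The table, the sample messages and the sample payloads are constructed for the example.

```python
"""Added example, not from the original page: contact-form handling done
unsafely and safely. Table, rows and payloads are constructed."""
import html
import re
import sqlite3

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_db():
    """In-memory database holding a few constructed contact messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("alice@example.com", "Please call me about a lease."),
         ("bob@example.com", "Can you review a contract?"),
         ("carol@example.com", "Quote for a will, please.")],
    )
    return conn


# --- Looking up messages from one sender ------------------------------------

def messages_from_vulnerable(conn, sender):
    """String formatting: the visitor's text becomes part of the SQL statement."""
    sql = f"SELECT sender, body FROM messages WHERE sender = '{sender}'"
    return conn.execute(sql).fetchall()


def messages_from_safe(conn, sender):
    """Parameterised query: the value travels separately and can never be SQL."""
    return conn.execute(
        "SELECT sender, body FROM messages WHERE sender = ?", (sender,)
    ).fetchall()


# --- Accepting a new message ---------------------------------------------------

def validation_error(sender, body):
    """Why a submission is unacceptable, or None if it is fine."""
    if not EMAIL_RE.match(sender) or len(sender) > 254:
        return "sender must be an email address"
    if not body.strip() or len(body) > 5000:
        return "message body is empty or too long"
    return None


def submit_message(conn, sender, body):
    """Validate the fields, then store them with a parameterised INSERT."""
    error = validation_error(sender, body)
    if error:
        raise ValueError(error)
    conn.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", (sender, body))
    return True


# --- Showing a message back on an admin page ----------------------------------

def render_vulnerable(body):
    """Raw text into HTML: a <script> tag in the message runs in the admin's browser."""
    return f"<p>{body}</p>"


def render_safe(body):
    """Escape on output so the text is displayed rather than interpreted."""
    return f"<p>{html.escape(body, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print(len(messages_from_vulnerable(db, payload)), "rows leaked by the vulnerable query")
    print(len(messages_from_safe(db, payload)), "rows from the parameterised query")
    print(render_safe('<script src="https://attacker.example/x.js"></script>'))
```

Validation narrows what a field may contain; the parameterised query and the output escaping are what actually stop the database from executing the visitor's text or the browser from loading a script from another server, so do not rely on validation alone.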

Control who can post content to your website

Limit who can post content to your website as much as possible.

Give every person who can post content their own unique username, and the most restrictive set of permissions which let them do their job.

Make sure that access is secured by https.

If your web host offers it, enable two-factor authentication.

Your firm's website and Tor

Making your site accessible to people connecting through Tor

This is different from using Tor to protect your own browsing.

Unless your hosting provider has blocked it, your website is accessible by people connecting to it through Tor.

On the downside, this is a potential route for attacks, as tracking the origin of malicious traffic is made far harder.

However, if you value the ability to connect to websites via Tor, to protect your privacy, and particularly if you want to make your site available to potential clients who are accessing from a place where they cannot use the normal Internet to access it, permitting access via Tor may be sensible.

If you do want to block access for Tor, you'll need to have a regularly-updated block list, covering all the points at which traffic breaks out of the Tor network; these points are known as “exit nodes”.
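An added example (not from the original page) of what consuming such a block list involves, in Python: parse the exit-address feed, check a visitor's address against it, and render the result as nginx "deny" lines. The short list embedded below is constructed for the example, in the layout the Tor Project's exit-addresses feed uses (an "ExitNode" stanza per relay with one or more "ExitAddress" lines); the fingerprints and addresses are made up, and a real deployment would refetch the feed on a timer.

```python
"""Added example, not from the original page: parse a Tor exit-address list
and test client addresses against it. SAMPLE_EXIT_LIST is constructed."""
import ipaddress

# Constructed sample in the exit-addresses layout (fingerprints and IPs are made up).
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2021-07-06 08:00:00
LastStatus 2021-07-06 09:00:00
ExitAddress 192.0.2.10 2021-07-06 08:30:00
ExitAddress 192.0.2.11 2021-07-06 08:45:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2021-07-06 07:00:00
LastStatus 2021-07-06 09:00:00
ExitAddress 198.51.100.7 2021-07-06 07:10:00
ExitAddress not-an-address 2021-07-06 07:10:00
"""


def parse_exit_addresses(text):
    """Return the set of exit addresses named in an exit-addresses feed."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip a malformed line rather than fail the whole refresh
    return exits


def is_tor_exit(client_ip, exits):
    """True if the client's address is currently listed as an exit."""
    try:
        return ipaddress.ip_address(client_ip) in exits
    except ValueError:
        return False


def nginx_deny_block(exits):
    """Render the set as nginx deny directives, sorted so refreshes diff cleanly."""
    ordered = sorted(exits, key=lambda a: (a.version, int(a)))
    return "".join(f"deny {ip};\n" for ip in ordered)


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    print(is_tor_exit("192.0.2.11", exits), is_tor_exit("203.0.113.5", exits))
    print(nginx_deny_block(exits), end="")
```

Exit relays come and go hourly, so a list that is not refreshed soon blocks addresses that are no longer exits and misses new ones; and because the block is by address, it also shuts out the many people who use Tor for ordinary privacy, which is the trade-off the previous paragraphs describe.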

Making your site accessible within Tor (an "onion service")

A separate issue to whether you permit users of Tor to connect to your website is whether you make your website, or a parallel version of it, available within Tor.

For example, you can access decoded.legal's website directly within Tor:

dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion

You can also access this site directly within Tor:

h7isucmawckzflxhipflydxvxpaytk5fozfk5immffg66rhboc74yxyd.onion

(If you try this, and it doesn't work for you, it probably means you are not connected to Tor, or you are not using a browser which recognises .onion domain names. It won't work in a normal web browser.)

It is not difficult to make your site accessible within Tor and it offers an added degree of privacy protection for your prospective clients.
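An added example (not from the original page) of the tor configuration that does this: three torrc lines publish a web server already listening on the loopback address as a version 3 onion service. The directory path is an assumption; tor must be able to write to it.

```text
# Added example, not from the original page. The directory path is an assumption.
HiddenServiceDir /var/lib/tor/firm_website/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
```

After tor is restarted, the file named hostname inside that directory contains the site's .onion address; the directory also holds the private key that the address is derived from, so back it up and keep it as private as the web server's own key. Give the onion site its own server block in the web server, listening on the loopback address, rather than reusing the public one: a public block that redirects to https would send Tor visitors to a hostname the Let's Encrypt certificate does not cover, and plain http is fine inside Tor because the .onion address itself authenticates and encrypts the connection. If you want Tor Browser to offer the onion version automatically, have the public https site send an Onion-Location header carrying the .onion address.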

Assess third party Javascript before embedding it in your site

If you let a third party run scripts when someone loads your website, you are exposing your visitors to the risk that those scripts are malicious or doing something unwanted. It is alleged that this was the mechanism used by criminals to compromise British Airways' website.

You may be able to use some server-based security settings (such as the Content Security Policy header) to lessen this risk.
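An added example (not from the original page) of the two server-side controls that address this, in Python: a Content-Security-Policy header that only permits scripts from your own origin and named hosts, and a Subresource Integrity hash that pins a third-party script to the exact bytes you reviewed, so that a modified copy on an allowed host is refused by the browser. The script body, CDN hostname and file name are constructed for the example.

```python
"""Added example, not from the original page: CSP header and Subresource
Integrity values for a third-party script. Sample script and host are constructed."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """The integrity value a browser expects: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does before running the script: recompute and compare."""
    algorithm, _, _ = integrity.partition("-")
    try:
        expected = sri_hash(content, algorithm)
    except ValueError:
        return False
    return hmac.compare_digest(expected, integrity)


def script_tag(src: str, content: bytes) -> str:
    """A script tag pinned to the reviewed bytes; crossorigin is required for SRI on another origin."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(script_hosts) -> str:
    """Allow scripts only from your own origin and the listed hosts; deny everything else by default."""
    script_src = " ".join(["'self'", *script_hosts])
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src {script_src}; object-src 'none'; base-uri 'self'; "
            "frame-ancestors 'none'")


if __name__ == "__main__":
    reviewed = b"console.log('widget loaded');"  # constructed stand-in for a vendor script
    print(script_tag("https://cdn.example.net/widget.js", reviewed))
    print(csp_header(["https://cdn.example.net"]))
    print(verify_sri(reviewed + b"//tampered", sri_hash(reviewed)))
```

The CSP host list limits where scripts may come from; it does not help if the script on an allowed host is itself altered, which is where the integrity attribute comes in. The cost is that the hash must be updated whenever the third party ships a new version, which is the point: you look at the new version before your visitors run it.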

firm_website.1565350642.txt.gz · Last modified: 2021/07/06 09:26 (external edit)