How law firms can tighten their cybersecurity with the right leadership
- Find out if your firm can demonstrate that it is operating to SRA standards and guidelines
- Ensure your firm has oversight and understanding of the security threat landscape
- Check that all staff have an awareness of the risks, are appropriately trained and periodically tested
- Check your firm has essential measures for protecting data (encryption, mobile security, antimalware email hygiene)
- Ensure that your IT systems are securely configured (Cyber Essentials assessments are just £300)
- Make sure that IT systems are on supported versions and regularly patched to avoid known vulnerabilities.
Law firms are in the digital crosshairs of hackers. LexisNexis found that in 2017, 30% of law firms are on the receiving end of attempted cyber attacks on either a weekly or monthly basis, while astonishingly 12% claimed they are recipients of attacks daily. Researchers also found nearly 1.2 million email addresses and credentials from 500 of the UK’s top law firms on the dark web, this may not be so surprising, given that in the leadup to the GDPR deadline, PWC found that only 13% of practices were compliant.
But why are hackers targeting lawyers? Other than the obvious case for demanding or stealing cash, the sensitive nature of the data held, for example iron-clad legal issues relating to client confidentiality, is highly valuable market data. Firms who specialise in patents, intellectual property law and M&As possess valuable information for insider trading. It appears a perfect storm has arisen for the legal industry, with slack cybersecurity credentials and a wealth of useful data for hackers.
The probability and repercussions from an attack can vary. According to the National Cyber Security Centre, 52% of small firms and 66% of medium firms reported a breach in the last 12-months, costing them £1,380 and £3,070, respectively, with the most common breaches being fraudulent emails, swiftly followed by viruses, spyware and malware. However, the real cost is harder to calculate. Irrespective of the incident, the impact can be catastrophic as law firms trade on trust (see Mossack Fonesca). With the odds against us in a cyber breach, it may seem as if we have no hope. According to The Lawyer, clients are increasingly accepting that even the best-managed firms can fall victim to a cyber incident, but are less forgiving of an inadequate response. However, it is best to avoid them in the first place.
The TED talk below offers some insight into the world of cybercrime.
One of the most effective methods to prevent a cyber incident is to ensure staff are trained in the basic cyber protocol, everyone from managing partners to temporary workers. Making sure cybersecurity training is part of a new starters induction training is advisable, and ensuring this happens when the employee starts and not a few weeks after. Senior leadership should set an example for the rest of the firm by attending, adhering to and promoting good cyber behaviour. The ICO will also look for evidence that training has happened, even if it’s minutes from a 1-2-1 instruction desk side. 91% of all attacks exploit people in one way or another (through bogus-boss emails or staff accidentally downloading malware), so training your staff in avoiding an attack in the first place is invaluable.
Creating a security culture
Following industry standards and implementing security awareness training can strengthen your organisation’s resilience to an attack. Designing a culture around cybersecurity builds a strong defence and is reaffirming. ISO 27001 can ensure the firm adheres to a set of standards which helps organisations keep information assets secure. Attaining the National Cyber Security Centre’s Cyber Essential’s accreditation is becoming a popular solution and will also help with GDPR compliance (contact us to find out more about Cyber Essentials). Attaining these industry standards can also help attract new clients who require such competencies from their suppliers for their security needs.
Staying ahead of the curve
Not investing in your IT can be a false economy. The NHS WannaCry attack was a result of many NHS trusts using outdated operating software or using old versions of Internet Explorer. The Petya ransomware attack affected some multinational law firms who were also using outdated operating systems in different countries. Every day new threats emerge. Updating and patching your software regularly ensure you have the latest security defences on your machines.
Managing Cyber Stakeholders
In small to medium-sized law firms, often the IT Manager will face day-to-day challenges focusing on delivering on the operational needs of the firm, in smaller firms, there won’t be an IT Manager. Often it is difficult for these size firms to defend against the sophistication of modern threats. In these cases, managing your relationship with your IT provider is paramount to ensure that your firm is secure. Ensure you and your IT provider have a strategy in place, so the IT Manager can focus on solutions to deliver productivity and increase billable hours.
A legal leader must focus on two areas of cybersecurity; people and technology. Strong leadership demonstrates the strength of the firm to your employees and the market, failing to do so will acheive the opposite.
What to do next:
Find out if your firm can demonstrate that it is operating to SRA standards and guidelines Ensure your firm has oversight and understanding of the security threat landscape Check that all staff have an awareness of the risks, are appropriately trained and periodically tested Check your firm has essential measures for protecting data (encryption, mobile security, antimalware email hygiene) Ensure that your IT systems are securely configured (Cyber Essentials assessments are just £300) Make sure that IT systems are on supported versions and regularly patched to avoid known vulnerabilities