Cyber crime remains one of the foremost risks to the legal sector. Targeted attacks against firms are on the rise, with 60% of law firms reported to have suffered an information security incident during 2018, and in 2017 alone, £11million of client money was taken. The threat is greater for larger firms, with 90% of the top 25 law firms and 73 of the top 100 having experienced a threat.
The primary threats to the legal sector are motivated by financial gain, so firms that deal with particularly sensitive client information also face a significantly greater risk. There are increasing instances of attacks sponsored by nation states, for example, as well as ‘hacktivists’ targeting firms for political purposes.
It is this combination of confidential information and access to funds that makes the sector such an attractive target. Competition from new and agile players, as well as merger & acquisition activity and compliance requirements such as the EU GDPR, have led to many firms embracing new technologies to streamline operations, increase efficiencies and ensure data integrity. However, with 55% of firms targeted by cyber-attacks victims of viruses or other malware, and 16% of those targeted having faced significant attempts to break into their firm’s network, there is a clear and present danger.
So how can law firms ensure that they are effectively protected against the threat of cyber attack?
Partner and management concerns
The issue of cybersecurity risk must become as embedded within strategy as operational risk. Too often, the topic is considered an IT issue, but just one flaw in a firm’s defences could place the entire operation in jeopardy. Cybersecurity must therefore be a critical priority that is promoted at all levels, from senior management down.
However, the typical executive committee structure of a law firm could mean that implementing an effective strategy is more complex than the traditional board setup of other sectors. Often, without a single leader appointed to head up the strategy and decision-making done by consensus, committees can be less effective at implementation and follow through. So, instead of firms trying to deploy a cybersecurity strategy in-house, it makes sense for them to insource the dedicated expertise of industry experts who can deliver a relevant and risk-appropriate cybersecurity strategy.
Given that lawyers are specialists in their field, it’s understandable that in-house technical expertise may be lacking and while an in-house CISO may be appropriate for larger firms, the cost of having a dedicated CISO or team of cyber-security experts can be prohibitive for many. By their nature, law firms are cautious, particularly when it comes to operational investment, but the sector must understand that security incidents are an ever-present risk. Organisations can, however, be prepared – scoping a cyber defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved.
In addition to appropriate defences, there is a need for detailed, robust and well-tested business continuity plans (BCP) and crisis management procedures to ensure that if an attack penetrates the firm’s defences, the organisation is able to respond appropriately, contain the event and return to full operations as quickly as possible.
Whilst law firms have not yet experienced the headline breaches that many other sectors have, they are clearly not immune to the threat posed by cyber criminals and the monetary losses have been severe. Threats experienced rose by 20% between 2017-18, and it’s imperative for firms to take action. With a Cybersecurity as a Service (CSaaS) model, law firms can insource technical expertise rather than trying to tackle the ongoing threat themselves. With an effective cybersecurity strategy embedded as a trusted, cost-effective and workable core part of the firm’s process, firms can be freed up to concentrate on their work and be reassured that their firm, and their clients, are protected from cyber threats.
– Alan Calder, Chief Executive of GRC International parent company, IT Governance