Cyber Security in Law

With law firms increasingly moving away from paper documents and files to cloud-based systems in line with their digital transformation, cyber security has been thrown into sharp focus. Earlier this decade, hackers focused on long-term sophisticated approaches and targeted top 10 law firms looking to extract details using keyloggers and trojan horses. Now, however, hackers are much more opportunistic, often targeting small and mid-market firms to extract small amounts of personal information that can be utilised to compromise a transaction. If these confidential details leak, it can cause massive problems for both individuals and the businesses involved.

The Status of Cyber Security in Law in 2019

It’s clear that cyber security is becoming a more important issue for law firms this year. The cost of Business Email Compromise (BEC) fraud was £32.2m for UK businesses in 2016-2017 according to Action Fraud and global BEC scams will cause combined losses of over $9 billion by the end of 2019, according to Cisco.
In response to this, major law firms have partnered with the NCSC to create The Cyber Threat Assessment for the UK Legal Sector to share real-time information about cyber security risks. Although this has helped to reduce the threat towards larger businesses, smaller firms are still under attack and have become viewed as easier targets due to their less defined infrastructure and lack of specialist staff. As a result, it has become paramount for all law firms to educate their staff about the threats they face digitally.

The Five Biggest Threats Facing Law Firms in 2019


How can the C-Suite support Cyber Security in Law Firms?
As we’ve already addressed in a previous blog, cyber security is a massive issue for any business and the entire senior management team requires a meaningful understanding of the fundamentals. As law becomes more commercialised, Managing Partners are having to adapt and take on broader responsibilities, often moving away from billable hours and towards more conventional CEO responsibilities.

Although some leaders are aware of the commitments they need to make to ensure robust cyber security measures in their firm, too many still view cyber security as either a ‘nice to have’ rather than an essential, or worse, as a distraction from day-to-day business activities.
One good way that the C-Suite can directly assist cyber security is by adopting a social license to operate (SLO). The SLO effectively acknowledges that the law firm will take responsibility to upkeep practises and operating standards to operate responsibly, take care of its employees and the environment and overall be a good corporate citizen. Although it takes time to implement, the SLO can build a strong bond of trust between the business community, staff and stakeholders.

How can Law Firms keep on top of cyber security?

In terms of internal measures, senior members of the cyber security team need to be prepared to attend exhibitions, forums and training sessions to maintain ongoing education and improvement. The work shouldn’t stop at this point, however. It’s critical that the CISO or CIO pushes to implement a culture of understanding and awareness amongst staff and gets them to acknowledge their role and responsibility in keeping the law firm safe and secure. Internal training needs to be a frequent feature on the calendar for all staff, not just cyber security team members. Lawyers need to learn how to encrypt data securely, so if any information is stolen, it is still not accessible. 

Finally, the basic principles should be applied – passwords need to be secure and regularly changed, and all devices should be fitted with high standards of security including fingerprint identification where possible.

GDPR, Cyber Security and Law Firms

As already explained, the changes in cybercrime aren’t just due to hackers becoming more sophisticated and looking for opportunities to breach small and medium law firms. The ability to respond to cybercrime is essential for firms to ensure they don’t fall foul of further punishment thanks to the General Data Protection Regulations (GDPR). These four letters are arguably make up arguably the most hated topic in the European Union at the moment, with the exception of the ‘B Word’.

Although GDPR is to marketing teams what garlic is to vampires, law firms are also under pressure thanks to some of the legislative changes. 
Most prominently, a new 72 hour time limit now exists for reporting breaches to relevant authorities, including the ICO.. Appropriate cyber security staff should be in place to conduct forensic analysis on the breach and gather any evidence before it is lost or deleted, in case of legal ramifications. After all, it wouldn’t look good for a law firm to find themselves in court over a data breach!

The buck doesn’t stop with cyber security staff, however. The changing compliance laws due to GDPR need to be thoroughly understood so that all staff are aware of their responsibilities, both for their firm and customer.

Key Questions your Law Firm needs to ask about Cyber Security
  •  Do you have adequate measures in place to detect breaches within the 72-hour time limit? Do staff know their responsibilities in terms of contacting the ICO and affected customers?
  • Have you acquired a Cyber Essentials badge to assure your customers of your cyber resilience?
  • Is your technology up to date and secure? Have you checked all third-party integration and made sure there is no suspicious software or files included?
  • When did you last conduct a cyber security audit? Are your best practises up to date and suitable for your size of law firm?
  • Have you checked your legal staff have appropriate access to sensitive and non-sensitive data, in accordance to their seniority level?
  • Are your employees aware of the common scams – fake credentials, phishing emails and bogus information requests? Have you simulated cyber-attacks with your staff to help them decide what decisions they would make in real time?

At the end of the day, mistakes happen and no organisation can be impenetrable 100% of the time. What really matters is the preparation and response. Law firms are not going to be harshly judged by the majority if they do experience a cyber security attack, but they will be torn apart if they fail to deal with it in an honest, professional and timely manner. Whatever size your law firm is, you need to be aware of the key threats and manage them appropriately, ensuring staff follow the best practises defined by your cyber security staff team.

 If you don’t have any existing security measures in your law firm, or want to find out what roles would be critical for making an effective cyber team in your law firm, contact Via Resource today.

Managing Partners in law firms might want a robust cyber security solution, but how can you define the actions you will take? Read our previous blog to find out how Security Target Operating Models can guide you in defining your future cyber endeavours.