Cyber security awareness for law firm leaders

Over the last decade the cyber security landscape has changed significantly, as bad players move away from scattergun tactics aimed at large corporations towards more targeted and sophisticated attacks on small and medium-sized enterprises.

Cyber criminals are now targeting businesses that may not have deep enough pockets to invest in the very latest cyber protection systems and cyber resilience programmes, and more law firms are now finding themselves in the firing line.

Why are law firms such attractive targets for cyber criminals?

Law firms hold substantial amounts of sensitive client information and, often, client money. Bad players target law firms to harvest this data, to steal this money and to use the firm as a gateway to its clients.

Given that our code of conduct centres on protecting clients and their confidentiality, cyber security needs to be at the forefront of our minds.

What are the potential implications of a cyber attack?

The main implications of a cyber attack on a law firm include:

  • An inability to trade: Being locked out of your own systems can prevent your firm from operating, with the consequential loss of trade.
  • An inability to communicate: Having your email or network systems locked out means that you can lose the ability to alert or communicate with third parties.
  • Regulatory action: Your firm, its partners, directors, and compliance officers can come under investigation and face potential penalties by regulators.
  • ICO implications: The Information Commissioner’s Office may bring action for breaches of data protection.
  • Legal action: Your firm can be sued by clients for losses they have sustained and for failing to meet the standards required of a competent law firm.
  • Reputational damage: The loss of intangible assets and reputation can seriously damage a law firm. Reputations lost are not easily recovered.

What does a good cyber plan look like?

Implementing a cyber hygiene plan is becoming integral to the performance of law firms. This can involve:

  • Investment: Investing in a bespoke cyber security infrastructure and developing layers of appropriate technical security measures.
  • Framework: Working towards a recognised security standard, such as the government’s Cyber Essentials framework. Even if you do not get the actual accreditation itself, using the standard as a baseline is a good start. Increasingly, clients, and particularly public sector clients, are now requiring some form of certification as a minimum.
  • Culture: Embedding good practice and awareness into your firm’s culture will ensure that it is part of service delivery, rather than an after-thought or the concern of a single person or team.
  • Contracting: Having cyber security requirements embedded in your engagements with clients and your supply chain will engender an improved risk culture.
  • Testing: Frequent penetration testing and controlled exercises can ensure that your measures are kept up to date and regularly maintained.
  • Staff training: Having regular training will increase and maintain awareness across all levels of staff.
  • Insurance: Having suitable cyber liability insurance will provide back-up, including risk mitigation, data and system restoration and potential cover for business interruption losses.
  • Monitoring: We are seeing a move towards round-the-clock (24/7) monitoring provided by outsourced security operations centres (SOCs).

What does the future look like?

There is no doubt that data storage and data protection are key. It is anticipated that over the next 5 years over $1 trillion is due to be spent globally on building new data centres to house the sheer computational power required for the digital assets of the world. As cyber criminals become more sophisticated, protecting this data will require more effort and diligence.

Data protection, in the legal sense, is currently moving forward too. Here in the UK, the Data Use and Access Bill is currently being scrutinised through the legislative process and will see our first deviation from the UK GDPR and the Data Protection Act 2018. The issue of cyber security is so important that the draft bill has been updated to require businesses to publish their compliance with cyber resilience standards (without revealing your weaknesses, of course!).

During the Data Use and Access Bill’s discussion at the committee stage, the House of Lords noted the need for standalone legislation on this topic, and the Cyber Security and Resilience Bill is likely to be published later this year.

Educating your team

The largest risk for a law firm is usually the people within it.

Whilst a lot can be invested in cyber protection software and tools, it is important to have high cyber security awareness within the business. A recent survey from the Department for Science, Innovation and Technology (DSIT) revealed that 75% of the senior managers polled believed that cyber risk was not being appropriately managed in their business.
With malicious phishing emails becoming increasingly common, potentially putting your firm’s whole network at risk, internal awareness through training is now an essential part of a firm’s risk management.

Cyber liability insurance

The appetite for cyber liability insurance has increased within the legal sector, and such policies have become more sophisticated and intricate. It is important to ensure that adequate time is spent completing the proposal forms and sourcing the right market for your firm. Engaging a specialist insurance lawyer and insurance broker will maximise your chances of getting the right cover for business interruption losses, as well as the technical and forensic support needed to perform a root cause analysis and to assist with restoring and recovering data: things that some off-the-shelf insurance products may not include.

What price do you put on a good night’s sleep?

For further information, please email Mark Hughes, Philip Bowers, Natasha Lackner or Joshua Bates or call 0151 906 1000.