Combating the Cyber Threat to the UK’s Legal Sector

Alan Calder

Cyber crime remains one of the foremost risks posed to the legal sector. Targeted attacks against businesses are on the rise, with 60% of law firms reported to have suffered an information security incident during 2018. In 2017 alone, no less than £11 million of clients’ money was taken. The threat is greater for larger firms, asserts Alan Calder, with 90% of the Top 25 law firms and 73 of the Top 100 having experienced a threat.

The primary threats to the legal sector are motivated by financial gain, so firms that deal with particularly sensitive client information also face a significantly greater risk. There are increasing instances of attacks sponsored by nation states, for example, as well as ‘hacktivists’ targeting firms for political purposes.

It’s this combination of confidential information and access to funds that makes the sector such an attractive target. Competition from new and agile players, as well as M&A activity and compliance requirements around the European Union’s General Data Protection Regulation, for example, have led to many firms embracing new technologies in order to streamline operations, increase efficiencies and ensure data integrity. However, with 55% of firms targeted by cyber attacks, and 16% of those targeted having faced significant attempts to break into their firm’s network, there’s a clear and present danger.

How, then, might today’s law firms ensure that they’re effectively protected against the threat of cyber attack?

Partner and management concerns

The issue of cyber security risk must become as embedded within strategy as operational risk. Too often, the topic is considered as an IT issue, but just one flaw in a firm’s defences could place the entire operation in jeopardy. Cyber security must therefore be a critical priority that’s promoted at all levels, from senior management all the way down.

However, the typical executive committee structure of a law firm could mean that implementing an effective strategy is more complex than is the case for the traditional Board set-up of other sectors. Often, without a single leader appointed to head up the strategy, and with decision-making achieved by consensus, committees can be less effective at implementation and follow-through.

So, instead of firms trying to deploy a cyber security strategy in-house, it makes sense for them to in-source the dedicated expertise of industry experts who can deliver a relevant and risk-appropriate cyber security strategy.

Appropriate response

Given that lawyers are specialists in their field, it’s understandable that in-house technical expertise may be lacking and, while an in-house Chief Information Security Officer (CISO) may be appropriate for larger firms, the cost of having a dedicated CISO or team of cyber security experts can be prohibitive for many.

By their very nature, law firms are cautious, and particularly so when it comes to operational investment, but the sector must understand that security incidents are an ever-present risk. Organisations can, however, be prepared. Scoping a cyber defence strategy specific to the firm, with processes for implementation, will mean that an attack can be quickly identified, isolated and resolved.

In addition to appropriate defences, there’s a need for detailed, robust and well-tested business continuity plans and crisis management procedures to ensure that, if an attack penetrates the firm’s defences, the organisation is able to respond appropriately, contain the event and return to full operations as quickly as possible.

While law firms have not yet experienced the headline breaches that many other sectors have, they’re clearly not immune to the threat posed by cyber criminals. Their monetary losses have been severe. Threats experienced rose by 20% between 2017 and 2018. It’s imperative for firms to take action.

With a Cyber Security-as-a-Service model, law firms can in-source technical expertise rather than trying to tackle the ongoing threat themselves. With an effective cyber security strategy embedded as a trusted, cost-effective and workable core part of a given firm’s processes, the business can be freed up to concentrate on its work and be reassured that both it and its clients are protected from cyber threats.

Alan Calder is Chief Executive of GRC International, parent company of IT Governance.
