Cyber crime remains one of the foremost risks posed to the legal sector. Targeted attacks against businesses are on the rise, with 60% of law firms reported to have suffered an information security incident during 2018. In 2017 alone, no less than £11 million of clients’ money was taken. The threat is greater for larger firms, asserts Alan Calder, with 90% of the Top 25 law firms and 73 of the Top 100 having experienced a threat.
The primary threats to the legal sector are financially motivated, and firms that deal with particularly sensitive client information face a significantly greater risk. There are also increasing instances of attacks sponsored by nation states, as well as ‘hacktivists’ targeting firms for political purposes.
It’s this combination of confidential information and access to funds that makes the sector such an attractive target. Competition from new and agile players, as well as M&A activity and compliance requirements around the European Union’s General Data Protection Regulation, for example, have led to many firms embracing new technologies in order to streamline operations, increase efficiencies and ensure data integrity. However, with 55% of firms targeted by cyber attacks, and 16% of those targeted having faced significant attempts to break into their firm’s network, there’s a clear and present danger.
How, then, might today’s law firms ensure that they’re effectively protected against the threat of cyber attack?
Partner and management concerns
The issue of cyber security risk must become as embedded within strategy as operational risk. Too often, the topic is considered as an IT issue, but just one flaw in a firm’s defences could place the entire operation in jeopardy. Cyber security must therefore be a critical priority that’s promoted at all levels, from senior management all the way down.
However, the typical executive committee structure of a law firm can make implementing an effective strategy more complex than it is under the traditional Board set-up of other sectors. Without a single leader appointed to head up the strategy, and with decision-making achieved by consensus, committees are often less effective at implementation and follow-through.
So, instead of trying to deploy a cyber security strategy in-house, it makes sense for firms to in-source dedicated industry expertise that can deliver a relevant and risk-appropriate cyber security strategy.
Given that lawyers are specialists in their field, it’s understandable that in-house technical expertise may be lacking and, while an in-house Chief Information Security Officer (CISO) may be appropriate for larger firms, the cost of having a dedicated CISO or team of cyber security experts can be prohibitive for many.
By their very nature, law firms are cautious, and particularly so when it comes to operational investment, but the sector must understand that security incidents are an ever-present risk. Organisations can, however, be prepared. Scoping a cyber defence strategy specific to the firm, with processes for implementation, will mean that an attack can be quickly identified, isolated and resolved.
In addition to appropriate defences, there’s a need for detailed, robust and well-tested business continuity plans and crisis management procedures to ensure that, if an attack penetrates the firm’s defences, the organisation is able to respond appropriately, contain the event and return to full operations as quickly as possible.
While law firms have not yet experienced the headline breaches that many other sectors have, they’re clearly not immune to the threat posed by cyber criminals. Their monetary losses have been severe. Threats experienced rose by 20% between 2017 and 2018. It’s imperative for firms to take action.
With a Cyber Security-as-a-Service model, law firms can in-source technical expertise rather than trying to tackle the ongoing threat themselves. With an effective cyber security strategy embedded as a trusted, cost-effective and workable core part of a firm’s processes, the business is freed up to concentrate on its work, reassured that it and its clients alike are protected from cyber threats.
Alan Calder is Chief Executive of GRC International parent company IT Governance