With reams of sensitive personal data and transactions that involve large sums of money, the legal sector is undeniably a massive target for cyber crime. Cyber Security – A thematic review, published in 2020 by the Solicitors Regulation Authority (SRA), reported the many costs of a cyber attack to a legal practice. Besides the obvious financial loss for both clients and practice (a loss of £4m client funds from 23 firms), the impact of a breach causes huge stress and damage to client relationships, increased insurance premiums and many indirect financial costs. For example, one firm lost around £150,000 worth of billable hours following an attack which crippled their system. PwC research showed that cyber security remains a key challenge for law firms and the sector is increasingly being targeted as firms hold both a wealth of sensitive data and large amounts of client money. Cyber risk was deemed the second greatest threat to law firms meeting and/or exceeding their ambitions, with only COVID-19 ranking higher. It has also been noted that SRA alerts for fraudulent activity are up 147% from the same period last year.
It is now widely recognised that cyber enabled crime continues to rise in both scale and complexity, with criminals taking advantage of our increased reliance on digital technology. Following the working from home norm during COVID, many firms have adopted a hybrid work model that allows their staff the choice of flexible working. This means that today, many professionals work more than half of their working hours outside the security of the office network. Masters of opportunism, fraudsters can create scams overnight to take advantage of change. According to the SRA’s 2022 Risk Outlook Report, email-based fraud is the dominant method criminals use to access law firms’ systems and made up 83% of the reports the regulator received about cybercrime last year. Every day we read about another breach or ransom attack hitting law firms, yet the real problem is likely to be very much larger, due to the typical under-reporting of cyber crime and secrecy surrounding cyber breaches in the legal profession. With this in mind, it is not so much a question of if you have a cyber breach, but when and how serious.
What is Cyber Essentials and how can it help?
The National Cyber Security Centre (a part of GCHQ) introduced the Cyber Essentials scheme as part of its mission to make the UK the safest place to do business online, and to offer businesses a simple and affordable way to tackle cyber security. IASME is the Government’s Cyber Essentials partner, and responsible for delivering the scheme, with a network of nearly 300 expert Certification Bodies who are located all around the UK and Crown Dependencies. The Cyber Essentials controls help guard against the most common cyber security threats and certification demonstrates your commitment to cyber security.
Cyber Essentials will:
Help you to take control of your cyber risk
Although many legal firms outsource their IT support to third party providers and think that will take care of the problem, it must be emphasised that cyber security is not the same as IT and is not an IT problem. No matter who is looking after your technology, cyber security remains the risk and the responsibility of the senior management within your company and should always be a high priority.
The Law Society’s Lexcel Standard guidance to legal practices states, “Practices must have an information management and security policy and should be accredited against Cyber Essentials.”
IASME has created the Cyber Essentials guide to using a third party IT provider to help you manage the responsibility of your cyber security. A comprehensive list of questions is available on the IASME website for you to download or print off and give to your third-party provider. Ask your provider to return the answers and relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements.
Demonstrate your commitment to keeping client data safe
Reputation is a valuable asset and consumers are demanding evidence of a trusted, secure service provider for their sensitive data. They are increasingly aware of the threats from cyber-crime and they do not want their username/passwords compromised or their data stolen or their account hacked. Organisations need to show that they are taking cyber security seriously.
The demand for comparison websites is rising with 30% of consumers saying that they shop around before choosing their legal services provider, and 45% that they would turn to online comparison tools to help them compare providers. Reputation continues to be the primary consideration when choosing a legal service provider. By achieving Cyber Essentials certification, you can prove your commitment to cyber security and stand out from your competitors.
Provide a level of Cyber Liability insurance
If your firm is UK-domiciled with a turnover under £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt into the included cyber liability insurance. This does not involve any additional cost or forms. The insurance cover includes a 24hr technical and legal incident response service. Professional indemnity policies that used to protect law firms if they suffered a cyber breach are now changing their terms to restrict cover due to the high number of claims. Getting certified is a straightforward way of demonstrating to your insurance company, your business associates and your customers that you take cyber security seriously and have your house in order.
Many legal firms find they have got all of their resources tied up running the practice rather than focused on IT and cyber security. The barrier to understanding things associated with technology can also be a significant hurdle for firms in starting their essential journey into cyber security.
Until recently, much of the general cyber security information and guidance assumed a good level of IT knowledge. Firms have asked for a tool that can help them review their current level of protection and obtain targeted advice on next steps. IASME responded to this need by developing the Cyber Essentials Readiness Tool, a free online tool with basic level guidance on the five key technical controls and related topics written in ‘plain English’. This tool is free of charge and accessible in the form of a set of questions on the IASME website. The process of working through the questions will inform an organisation about their own level of understanding and what aspects they need to focus on. They will be directed towards appropriate guidance and, based on their answers, be presented with a tailored action plan and detailed guidance for their next steps towards certification.