The average lawyer does not have the time to spend nights worrying about the efficacy of firewalls, the threat of malware, or password strength. But the recent rise in cyber-attacks on law firms signals a critical moment for understanding the scale of risk that the sector faces. While lawyers are specialists in their field, not many identify as specialists in security.
Why are law firms targeted?
The legal sector has vulnerabilities embedded in its everyday workflows. From bank transfers and automated identity checks to emails that carry clients’ personal information, law firms across all facets of the legal sector routinely handle sensitive data online. Online working has only intensified during the COVID-19 pandemic.
According to the latest report from the Solicitors Regulation Authority, attackers take a broad range of approaches when targeting the law sector. These, too, are bound to everyday workflows and processes: email modification, spyware, ransomware and gaining remote access to a firm’s system.
While technology is just the means, individuals are the entry point for many fraudsters. Cyber attackers use technology to trick people into sharing confidential information and handing over access to accounts, usually through manipulation. The biggest vulnerability facing law firms is the knowledge and behaviour of staff.
Yet in the same report, the SRA found that only two-thirds of staff in the firms surveyed claimed to be ‘knowledgeable’ about cyber security and IT issues. Most troublingly, senior figures were either unable to answer basic questions, or had the knowledge but did not share it to foster a wider company culture.
Attackers exploit well-known coping strategies, and a fast-paced law firm can easily overlook these risks, coasting along in short-term survival mode. Law firms are structured in a way that makes them easy for cyber attackers to target, yet company culture may not always reflect an awareness of this.
A Cyber Essentials certification covers the basic technical controls that will help prevent the most common, commodity attacks. As the SRA report shows, Cyber Essentials is a great place to start for the legal sector: it provides the foundation practices that secure Internet connections; passwords and secure configuration; access control; malware protection and software updates. It is understood that a busy solicitor’s office has little time for combing through complicated jargon; Cyber Essentials provides that first step in demonstrating cyber security.
Cyber threat leaves law firms financially at risk
Organisations and practitioners across all sectors of the legal profession have had to deal with relentless risk while also keeping afloat during the pandemic. As scam alerts targeting law firms have doubled since the start of 2020, the legal sector has dealt with huge financial impact. As reported by the Solicitors Regulation Authority, a total of £4m was taken from 23 out of the 40 firms asked. But while most of this is claimed against insurance policies, there is usually a percentage that must be repaid using the firm’s own money. In this example, £400,000 needed to be repaid directly from the organisation’s own account.
In the Annual Law Firms’ Survey 2020 from PwC, reports of anxiety around meeting business expectations were clear. Participants stated that cyber risk is the second greatest threat to law firms meeting their ambitions from now until 2022, behind only COVID-19. As is becoming the case in every sector, cyber security and business strategy are becoming increasingly interwoven.
In a sector where the guideline national hourly rate for a solicitor’s services can range from £110-£420, the indirect impact of lost billable hours is also an impact on immediate business plans.
It isn’t just a law firm’s time and money that is at stake – it’s also reputation
The effect of a cyber breach for a law firm goes well beyond the immediate financial costs: loss of client data also means a loss of trust and efficacy. In a sector where word of mouth, reliance on prestige and the upkeep of reputation is paramount to good business, compromising client data isn’t just a breach of security, it’s a breach of trust.
The fact that law firms protect both clients’ funds and client data presents a unique opportunity for cyber attackers. As reported in the SRA review, while cyber-attacks can deliberately target specific individuals and client money, firms have also been victims of attacks designed to harvest and control a law firm’s data. Legal practices have a statutory duty to protect data from loss, damage and unlawful processing.
The Hiscox Cyber Readiness Report 2021 shows that organisations which successfully put cyber security measures into place also spend less time and money in the aftermath of a breach. The same report also highlights a rise in awareness of cyber security, which correlates with a rise in firms taking responsibility and generating resilience. Law firms are beginning to realise that understanding effective cyber security also means providing clients with a level of protection. If reputation is key in the law sector, then those competitors with certification are not free from risk, but they are more likely to recover. Your competitors will not simply need to spend less time and money; they will be more likely to secure their reputation.
Cyber security practices are successful when embedded into a law firm’s company culture
An ability to assess a risk and create an environment where risks are actively anticipated, and their mitigation embedded into company policies, is important. The first step to reducing cyber risk is for firms to understand the kinds of risks they face.
According to the SRA, law firms are likely to outsource their IT support, but a basic understanding of cyber security at all levels is becoming an increasing necessity. The biggest vulnerability most firms will have regarding cybercrime, according to the SRA, lies in the day-to-day practices and awareness of their people. Most firms believed that staff were their greatest cyber security risk: distracted, inexperienced, disgruntled staff can be the gateway to business-threatening cyber security attacks.
The services offered to law firms by external IT companies vary from occasional, ad-hoc support to complete reliance. But if law firms are outsourcing their cyber security, they are giving up an important opportunity to empower the personnel who will likely provide the best line of defence, as well as the biggest vulnerability.
With 20% of firms in the SRA report having never provided specific cyber security training to their staff, law firms are handing over management of their network to third parties without acknowledging that they still have ultimate responsibility for that network.
The importance of giving staff knowledge in an accessible way
The ability to identify and respond to a cyber-attack at all levels is one of the most important capabilities an organisation can create. In the SRA review, 68% of firms asked had a cyber disaster recovery plan in place. The ability to respond lies in preparedness: those firms who introduced measures to reduce future risks – including controls, processes and policies – were effective in 92% of the attacks investigated. On over half of these occasions, the cost of putting these controls in place was less than the initial cost incurred by the firm from an attack. Findings from the Britain Thinks research conducted on behalf of the NCSC last year confirmed that companies who had certified with Cyber Essentials were better able to identify a cyber attack, and reported that certification had a positive impact on their ability to reduce the risk of an attack and to respond to and recover from a breach should it happen.
The SRA highlights that firms with Cyber Essentials Plus certification were more likely to have good policies and procedures in place. These firms were more likely to take effective steps to protect themselves from future cyber security incidents. Accessible certification can in turn help a law firm to define its culture, as gaining certification sets company-wide expectations and raises awareness among staff.
The IASME Governance standard is a comprehensive cyber security certification that includes Cyber Essentials but also incorporates an understanding of risk, staff training, business continuity planning and the GDPR requirements. Data privacy is very important to law firms, and IASME Governance is the only in-depth certification in the UK that demonstrates that a firm is meeting its GDPR requirements.