Policy Monitor

5 ways to overcome security challenges in the legal sector

With cyber-attacks on the rise, Nick Denning takes a look at how law firms can better protect themselves with Cyber Essentials and the right technology partner.


According to PwC, ‘cyber’ is the greatest concern on the legal sector’s risk list, with 90% of the top 100 law firms worried about its impact on achieving future business objectives. Judging by research from other industry experts, these fears are real. Figures from the National Cyber Security Centre (NCSC) indicate that nearly 75% of the UK’s leading law firms have been affected by cyber-attacks, while city-based chartered accountants Lubbock Fine report a 77% increase in the number of successful cyber-attacks in the sector.

Entrusted to safeguard highly confidential, commercially sensitive and often personal information, law firms are prime targets for cyber criminals, with potentially devastating losses to revenue and reputation. What is more, the consequences of accidental internal data breaches can be equally challenging.

Criminals attack because they want to steal money, or to steal things that they can sell for money. Criminals steal from organisations that are poorly protected because it makes economic sense to do so – and there is certainly no shortage of unprotected targets. The common saying “when being chased by a bear you don’t have to run faster than the bear, just faster than your friends” springs to mind. Here are ways to help you run faster.

Why Cyber Essentials accreditation matters

The Law Society offers excellent guidance on how legal firms and professionals can protect themselves, such as conducting regular reviews of finance and IT assets, creating a response plan, training staff and getting certified with Cyber Essentials. Cyber Essentials is a UK government-backed scheme designed to help organisations of all types and sizes protect themselves against common internet-based cyber-attacks. For legal firms, Cyber Essentials boosts defence mechanisms in the following ways:

  1. The Law Society recommends it as a gold-star best-practice standard – successful firms and professionals attain the Lexcel legal practice quality mark for client care, compliance and practice management, and achieving Cyber Essentials accreditation is an important part of that process.
  2. The public sector supply chain requires it – handling the personal data of Government employees and citizens is of paramount importance, so for law firms providing services to the public sector, Cyber Essentials is an essential requirement.
  3. Reduces insurance costs – insurance is vital, but obtaining cover for cyber security involves answering a myriad of due diligence questions. With Cyber Essentials, the process is much easier and faster, and can ultimately reduce premiums. In fact, 92% fewer insurance claims are made by organisations with Cyber Essentials controls in place.
  4. Competitive differentiator – cyber security is becoming a conscious factor in the minds of buyers. Being Government-backed, Cyber Essentials is an excellent way to demonstrate commitment to protecting client data, building trust and confidence. Sixty-nine percent of companies with Cyber Essentials accreditation believe it has increased their market competitiveness.
  5. Fosters a positive security culture – from the top down, Cyber Essentials unites people in the fight against cyber-attacks, with positive outcomes for all parts of the organisation. The majority (85%) of users and 86% of senior managers say Cyber Essentials has increased their understanding of cyber security risks.

Risks legal firms face

There is a range of attacks that are not targeted. Malware, for example, circulates via emails and through dodgy websites. A person runs the risk of clicking on links on a web page or in an email and infecting their computer, and potentially the whole network. However, there is an increasing number of attacks that target specific organisations. Mandate fraud, for example, is where victims are persuaded to change payment details. This is a particular risk to the legal sector, where solicitors have transferred conveyancing funds to the wrong account.

Clients of legal firms are generally higher net worth people with more assets to steal. Therefore, such client lists potentially offer very valuable data for resale on the dark web.

A firm’s reputation for competence is a key element of trust between a client and the firm. If this is lost because of poor basic cyber protections that lead to successful attacks, which are then publicised, this can have a severe impact on future business.

Engaging staff

Now that the importance of Cyber Essentials is clear, the first step is to identify who in your organisation is responsible for cyber security. Their responsibilities include conducting a risk assessment, creating and implementing an information security policy, purchasing and deploying appropriate technology, or even changing the way the firm does business where current practices are too risky. A regular training programme should then be introduced to maintain staff awareness. This ensures that the importance of following the firm’s information security policy is understood, and that incidents and near misses are reported, so that everyone recognises the value of that policy.

An obstacle to investment is that cyber security costs represent money that cannot be distributed to a firm’s Partners. Demonstrating value for money is therefore a key part of getting Partner buy-in and protecting the business.

Essential qualities to look for in a technology partner

The selection of appropriate technology is important for a number of reasons:

  • Coverage – it is important to have “all round defence”, so focus first on purchasing a set of products that provide protection and mitigation across the major risks.
  • Don’t stand still – threats change, so monitor changing threats, be aware of any weak points and be prepared to invest further if changing threats warrant it.
  • Reduce your risks – remove equipment or change processes that are risky. Remove poorly managed file servers by migrating to Microsoft 365 and cloud backup.
  • Monitoring – it is vital that you monitor how your technology is performing and the level of threat you are facing. Detect and record successful attacks and near misses to justify your historic approach and future investment.
  • Comprehensive training – to ensure legal and support staff understand cyber security procedures and acquire the confidence to protect the practice against cyber-attacks, all the while making the most of the technology platform and maximising return on investment from day one.
  • Vulnerability scanning – vulnerabilities are issues in code that can be used to gain access to stored data, introduce malware or even hijack entire networks. By working with a partner like Policy Monitor, law firms can rely on a team of dedicated experts to identify potential vulnerabilities and make meaningful recommendations for removing risk across their infrastructure.
  • Incident management – if attacked, how do you respond? Carrying out exercises to test your ability to recover is vital. Backup and recovery, and storing logs to support forensic analysis, are examples of protections to put in place before an incident happens!
  • Third party support – it is important to have access to a network of advisors, to manage them effectively and to implement their advice in a considered manner, putting the appropriate protections in place at a reasonable cost to reduce the risk. If the worst happens, that preparation will reduce the impact of an attack and get your organisation back to work promptly, with minimum damage to your reputation.

Just part of modernisation of technology

I have already mentioned adopting Microsoft 365 to reduce the risk associated with unmanaged legacy hardware. Upgrading from Microsoft 365 Basic to Standard, Premium or Enterprise delivers a set of functionality that hugely enhances features such as data labelling, security within groups, creating Chinese walls within project teams, as well as advanced controls and monitoring of data movement. All of these features are potentially of huge importance to legal firms holding price-sensitive client data. It may well be that the migration of case management systems to products based on Microsoft 365 will blend cyber security defence benefits with enhanced case management capability.

Policy Monitor

Policy Monitor is an IASME Certification Body that helps organisations maintain cyber security best practice. It is an extremely cost-effective start to an organisation’s journey to Cyber Essentials certification because it helps an organisation build its information security policy, create the processes to implement it, select the technologies supporting those processes, and facilitates interaction with advisors when third party support is required.

Public sector organisations may note that Policy Monitor was named as a trusted supplier on the Government’s G-Cloud Framework.