
How poor cybersecurity measures limit law firm success

A recent Gartner study indicated that 88% of board members classified cybersecurity as a business risk. This means that business leaders outside of IT are taking a more proactive role in ensuring their cyber resilience. Law firms are amongst the most highly targeted businesses due to the vast amounts of sensitive data they hold and the large sums of money they handle on a daily basis.

This comes as no surprise, with cyber attacks at an all-time high. Late last year, GCHQ reported that ransomware attacks on British organisations doubled. Although they did not specify numbers, the £2.5 billion in losses reported across the UK as a result of fraud and cyber crime provides a clue to the gravity of this issue. In the first half of 2020, nearly £2.5 million of funds held by law firms had been lost through cyber crime, over three times the amount reported in the first half of 2019.

The COVID-19 pandemic has provided the perfect storm for cyber crime, with lockdowns and home working forcing businesses and individuals alike to become more dependent than ever on technology. The speed with which this change had to take place left ill-prepared IT systems vulnerable to attack. Home working or a hybrid model has continued for many firms, and therefore IT security remains a priority.

In the wake of increased frequency and heightened severity of cyber attacks against legal practitioners, the Law Society and Bar Council formed a Cyber Security Working Group in August 2021. The focus of the working group is on the maintenance of a level of cyber security appropriate to the high standards of client care required throughout the legal profession.

In our last insight article, cybersecurity ranked as one of the top five trending topics this year. 

The reason is simple but significant. 

Between the reliance on technology and the abundance of sensitive information like intellectual property, M&A details and funds that law firms are entrusted with, there is no room for complacency about cyber threats. 

While data breaches can be costly to remediate, that cost pales in comparison to the catastrophic effect a compromise can have on a firm’s stability, integrity and reputation.

Furthermore, firms are obliged to protect their clients’ information. The duty of confidentiality is one of the core professional principles underpinning the legal profession and is set out in the SRA’s Code of Conduct. In addition, under GDPR regulations, any cyber incident that results in a data breach must be reported within 72 hours of detection. A firm that is unprepared for this event will likely experience a major IT outage that leads to revenue losses and diminished client confidence.

Data Breaches

It is important to recognise that data breaches and cyber attacks don’t just happen by themselves. 95% of data breaches are a direct result of human error. The most powerful line of defence against cybercrime is a savvy team that is well educated on cyber security threats. The NCSC is an excellent springboard for better cyber awareness, with a comprehensive stockpile of educational resources.

Phishing Attacks 

It is not just the gullible who fall for phishing attacks. Perpetrators continue to become more adept at tricking recipients of their fraudulent communications into acting on their instructions.

In a study last year, Terranova uncovered that 1 in 5 savvy employees clicked the malicious link. 

While cyber awareness training is an invaluable tool to brace the team against such attacks, firms should also invest in a comprehensive managed security service to reinforce technological defences and email security, and to ensure minimal downtime in the event of an attack.


Ransomware

Having received a lot of air time in recent years, ransomware is by far the most aggressive and notorious form of cyber crime. Cyber attackers infiltrate a business and place a ‘lock’ on its important data until a ransom is paid.

While UK firms continue to pay some of the highest ransoms globally, paying does not guarantee that an attack will not recur or that the business data is safeguarded when “released” back to the firm. 80% of firms that paid ransoms were hit again by a subsequent attack, and almost half of those discovered that some, if not all, of the data they retrieved had been corrupted.

The NCSC provides ample guidance on mitigating malware and ransomware attacks.

Where to begin in mitigating risks

1. Make cybersecurity a priority

As cybersecurity is fast becoming a business risk, the responsibility to safeguard the firm against attacks does not lie solely with the IT team. From computing infrastructure to staff behaviour and habits, cybersecurity risks can be mitigated with the correct policies and measures in place. In the SRA’s Thematic Review of Cybercrime (2020), it was discovered that more than a quarter of firms visited did not have adequate cybersecurity policies and controls in place.

Smaller firms that do not have an in-house IT department can look to IT suppliers that are adept at scaling infrastructure and cybersecurity to their needs, avoiding costly overheads for the firm.

2. Educate the team

People are the first line of defence against cyber attacks. Regular cyber awareness training not only ensures that the team remains savvy against cyber threats; the routine also helps reaffirm that maintaining cybersecurity is a responsibility across the entire firm, not just the IT team. A fifth of firms visited by the SRA for their Thematic Review of Cybercrime (2020) did not provide specific training on IT and cybersecurity.

3. Brace for an attack

Many experts consider cyberattacks an imminent threat to all businesses today. A comprehensive business continuity plan should include a robust cyber incident response protocol. In the panic of discovering an attack, important actions can be forgotten. Having a well-thought-out protocol to follow helps focus decision makers and can affect both the scale of loss and the speed of recovery.

4. Don’t forget mobile devices

Mobile devices and IoT devices are immensely convenient, but they also create a bigger threat surface for the firm. Endpoint protection today should cover mobile devices, and appropriate use policies should be in place.

Good practice identified by the SRA during its Thematic Review of Cybercrime (2020) included widespread use of anti-virus software, two-factor authentication for many sensitive interactions, and regular backing up of data; nearly a third of firms also held specific cybercrime insurance.

Why this matters

Cybersecurity threats today are not just a matter of inconvenience or revenue losses. They affect long-term business stability and reputation. If you are looking to enter a merger, make an acquisition or hire an executive, the reputation of your firm may be amongst the most powerful currencies you have in securing a lucrative outcome.

Furthermore, firms are under regulatory obligations to protect client data and client monies. A failure to take steps to mitigate the risk of cyberattacks will result in a breach of those regulatory obligations and potential fines. 

On the pulse with mergers, acquisitions and executive search

Ortus Group has more than 17 years of experience in the legal sector with mergers, acquisitions and executive search. The team is trained to provide systematic guidance in what can be a fraught process to ensure smooth transitions for all parties involved and has advised on more than 50 completed mergers.

For more information on how the team can help, please do not hesitate to reach out to us.

Tenet Compliance & Litigation is a disputes and compliance law firm specialising in fraud and financial crime for our clients, both individuals and organisations, and for wider society. Whether you are looking to reduce exposure to fraud and financial crime, demonstrate compliance with a regulator, respond or investigate and recover losses from fraud, we have you covered. 

For more information on how Tenet Compliance & Litigation can help, please contact us at  
