Cyber criminals are opportunists and the legal sector can provide exactly what they are looking to take advantage of. Firms that manage activities with large associated financial values such as property sales, or mergers and acquisitions, are a prime target for cyber crooks who are looking for lucrative prospects. According to the NatWest 2017 Legal Benchmarking Report, in 2016 as many as one in four law firms in the UK were affected by cyber attacks.
Once hacked, law firms stand to lose their most prestigious asset: their reputation. Clients will switch firms even if they just sense that there is the potential risk of having personal data leaked. Data is money, and power. It has to be protected at all costs.
That is why companies operating in the legal sector must be vigilant when it comes to cyber security. Firewalls and antivirus systems may not be enough to ensure protection; clients are starting to become more involved and specifically ask firms to prove their cyber-security capabilities by requesting that periodic security audits and ‘ethical hacking’ exercises be carried out regularly to expose any weaknesses.
Law Firms Are The New Targets
In June last year, global law firm DLA Piper was one of the unfortunate victims of the Petya ransomware attack, resulting in a complete company lockdown. Over 3,500 lawyers in 40 countries were without phone access for 24 hours and without email access for six days. It took the company nearly two weeks to regain access to a large proportion of their documents and files.
Imagine the impact on you and your client base if that scenario played out within your firm. Yet it can be difficult to implement new cyber-security procedures within firms if senior partners do not adhere to them. For example, while firms may have policies barring the use of online storage services, such as Dropbox, some partners continue to use them.
Hacking Is A Growing Threat
In 2014, 173 UK firms were investigated by the Information Commissioner’s Office (ICO) regarding a number of incidents that were suspected to have breached the Data Protection Act. A total of 187 incidents were recorded – 29% related to security and 26% related to the incorrect disclosure of data.
Firms of all sizes are becoming victims of this rise in attacks; however, small firms are becoming the easiest and preferred target due to a lack of resources to put security measures in place. With the majority of law firms falling within this bracket, the onus is on everyone in smaller firms to take cyber-security measures very seriously.
Invest In External Expertise
Outsourcing IT security is one extremely effective way to protect your firm from cyber crime threats. By giving the ‘worry’ to a technology partner with expertise in the legal sector, you can continue to focus on core business activities, confident that sensitive data is being appropriately stored, managed and protected within the bounds of current and future legislation.
Practise Vigilance On The Inside
Looking internally, one of the most important steps a law firm can take is to protect access to data, i.e. enforcing access control so that staff only have access to the files they need rather than granting company-wide access to shared folders. Additionally, encrypting any information stored on removable media such as USB drives or portable devices, and considering the use of systems that eliminate the need for any files to be stored on portable devices, is critical for controlling how and where data is stored.
In addition to this, firms should be making sure that any device connected to organisational systems, including mobile phones and devices used by remote workers, is vetted for security. Are you making it too easy to quickly download all of your client information onto a hard drive? Or are you providing adequate controls to employees who are using their own devices to record client information, such as tablets and mobiles? Data transmission within and beyond the firm should be secure at all ends and access rights for staff who have left the firm should be revoked immediately.
PricewaterhouseCoopers also recommends taking other specific measures, including:
- IT Directors at law firms need to be mindful of how specific client data requirements are adhered to over the long term so that standards remain high.
- Global law firms need to be able to satisfy global clients on a global basis. So, sharing information across a global network in a secure way is critical, as is ensuring that data protection policies in each region are adhered to.
Know Your Data
Finally, understanding what data you have, and where it is located, is key. With so many easily accessible cloud storage tools and USB products available, it can be a huge task to even figure out where information is stored. Which applications are carrying which data? Who has used a USB stick to handle client data in the past year? Is anyone using Dropbox or personal Microsoft and Google accounts to share information or send files?
In addition to previous recommendations, it is also important to consider practices such as ethical hacking exercises, which are carried out from the inside to detect a firm’s weaknesses and uncover potential opportunities for hacking.