Cybercrime targets: The biggest cybersecurity weaknesses in law firms
Many UK law firms are failing to tackle their greatest risks to cybercrime, a Managing Partner survey has found. Manju Manglani reveals the biggest cybersecurity weaknesses
Eighty-seven per cent of law firms expect malicious hacking of confidential data to increase in 2015, a Managing Partner and Symantec survey has found.
Forty-six per cent of the 118 respondents said they expect the number of reported hacking incidents to increase moderately, while a further 41 per cent predict it will increase significantly.
The COO of a national law firm said his firm has defended itself against two attempted attacks in two months.
Commented the IT director at a national law firm: "Phishing, identity theft and hacking of client cloud-based email accounts are increasingly serious sources of law firm business risk."
Warned a partner at an international law firm: "The information which law firms possess has not yet been the subject of any sustained attack, but with the increased use of remote working and cloud technology, it is a matter of time before they are targeted with a greater degree of focus."
Impact of cybercrime
Law firms which have strong cyber defences have a competitive advantage, according to 53 per cent of respondents.
A further 48 per cent believe that cybersecurity will have an even greater impact on the legal profession in future.
Two-thirds of respondents recognise that cybersecurity breaches could materially affect the profits and reputation of their firm's business. A quarter agreed that it could leave their clients increasingly vulnerable to attack.
"Cybersecurity is already a sine qua non for any firm dealing with corporate clients or high net-worth individuals," suggested a senior associate at a national law firm.
"Firms will face a constant challenge in keeping up with the hacking community, and the financial and reputational risks to a firm of a breach pose an existential risk to most if not all firms."
Agreed a partner at an international law firm: "The impact to the law firm will be significant, irrespective of what data is lost in the breach - the fact that the breach occurred at all would be a significant dent to a law firm's professional reputation."
Added the IT director at a national law firm: "Security will become a USP for law firms."
However, the majority of respondents said only one person is currently responsible for managing cybersecurity in their firm.
The head of IT (60 per cent) was the most popular choice for managing the firm's defences, followed by the head of compliance (33 per cent) and the head of risk (31 per cent). Only 22 per cent said it was the responsibility of the partners.
Cybersecurity needs to be on the radar of all members of the firm. However, less than a quarter (24 per cent) of respondents agreed that cybersecurity is everyone's responsibility.
"All staff have a responsibility to act sensibly to avoid breaches occurring," commented a senior associate at a national law firm. "If Sony can be hacked, so can we."
Managing staff risks
The Information Commissioner's Office (ICO) received notice of 72 data security breaches in the legal sector in 2014, of which only one was the result of data being hacked maliciously.
The top cause of data security breaches was data being mailed, faxed or emailed to the wrong recipient in error (23 incidents in 2014). Many respondents to Managing Partner's cybersecurity survey expect this to continue to be an issue in 2015.
Two fifths of respondents said they expect the number of reported incidents to remain the same, while 43 per cent expect it to increase moderately. A further 14 per cent expect the number of incidents due to this form of carelessness to increase significantly this year.
Indeed, the majority of law firms' data security breaches last year were due to human error rather than hacking, according to ICO data.1
Most respondents to Managing Partner's cybercrime survey agreed that staff pose a risk to their firm's cybersecurity defences, although opinion varied as to the level of that risk.
Just over a quarter (26 per cent) said staff are their firm's biggest risk; a further 47 per cent said they recognise staff as a risk and that their firm needs to improve its security training.
Four per cent admitted their staff are not following existing and adequate security processes, while two per cent agreed with the statement "they're no risk at all".
Only 21 per cent are confident their firm has strong training in place to manage the issues and believe staff are "not much of a risk".
Strong technology defences are critical to cybersecurity, but they are only part of the answer. Regularly-updated internal processes and training are also necessary to maintain a firm's defences.
"I'm assuming that the firm takes 'state of the art' measures to protect the firm's and client's data, but even this cannot provide 100 per cent security," commented a knowledge development lawyer at an international law firm.
Added the head of risk at an international law firm: "Behaviour will usually trump systems, which is why equal emphasis has to be given to both. Clients don't help either - procurement insisting on one thing and the people instructing us telling us not to do it."
Clearly, better client communication is needed, as is continuously-updated staff training on data security.
Commented the managing partner of a regional law firm: "Staff are the biggest risk simply because they are operating our systems and exposed to approaches from outside on a constant basis."
She noted that the firm provides mandatory training at least every six months for all staff and always covers this as part of risk management.
Even when technology systems are up to date and training programmes are run regularly, firms are still at risk of cybercrime.
"Even with the best systems and even with the best training there is always scope for something to be more than it appears, for staff to click it and for our systems to fail to stop its execution," commented the IT director at a national law firm.
Managing IT risks
Law firms cannot afford to be complacent about their cybersecurity protocols, Managing Partner research has found.
Last quarter, five global law firms were hit by cybercrime in the UK. Scam alerts issued by the Solicitors Regulation Authority (SRA) were up 46 per cent quarter-on-quarter, suggesting an alarming trend. In September, the SRA issued 21 scam alerts, up 62 per cent on the previous month.2
While investing in training and technology is critical, so too is ensuring all staff are using the firm's secure technology systems.3
"The ongoing reliance on insecure email as the primary business communications mechanism is a major challenge to preserving security," commented a senior associate at a national law firm.
One way to manage this risk is to introduce a secure filesharing system, as RPC has done, so that lawyers stop using email as their primary means of sharing large files.4
Suppliers to law firms will need to demonstrate that they have secure systems in place to manage cybersecurity risks.
Many respondents said they are concerned about the risks posed by cloud technology providers (42 per cent), people/organisations connected to clients (36 per cent) and outsourced digital/secretarial services (22 per cent), among others.
Indeed, a recent Law Society panel suggested that technology providers pose a significant risk to client confidentiality and legal professional privilege because they often have free rein in how they manage metadata from lawyer-client communications.5
Improving cybersecurity in law firms
So, how should law firms plan to tackle cybersecurity issues in future?
The key is to "get up to speed and stay up to speed", to "be vigilant" in monitoring new methods of cybercrime, to regularly update security training and procedures, and to make data security "everyone's responsibility", as respondents variously suggested.
"Constantly be abreast of the new threats; everyone must be prepared to adapt their favoured procedures to take account of new threats. Constantly be looking at new technology and software developments. Training, training, training of all staff [is needed]. Hold third-party providers accountable and include them in the training rolled out across the firm," commented the CEO of a London law firm.
Said a partner consultant at a regional law firm: "Buy the optimum affordable protection for hardware and software, raise awareness and train all partners and staff about the risks and, if possible, insure against crime and cybersecurity losses. This is going to be an increased but vital investment."
Law firms also need to be "proactively engaging with industry and client initiatives, especially around emerging risks", suggested a partner at an international law firm.
Agreed the head of business projects at an international law firm: "Accept there is a threat and take active steps to educate staff, clients and suppliers as to the risks to help minimise impact. Put people, systems and processes in place to eliminate or reduce the risks. Keep all of this under continuous review."
While firms must be aware of the issues and have proportionate systems in place to manage the risk of cybercrime, regulators also need to be clear on law firms' responsibilities, said the managing director of a local law firm.
"The risk cannot be eliminated and, commercially, that would not be viable, so systems and risk balance are key," he added.
Said the managing partner at a regional law firm: "All we can do is ensure our systems are the best they can be, our procedures are solid and abided by, and all staff from the admin support to partners receive mandatory training on these issues as often as possible."
Suggested a partner at an international law firm: "Proactive and paranoid is the safest way to deal with cybersecurity risk. Issues are not risks - they are risks that have manifested as reality."
Survey respondents
Managing Partner's survey on cybersecurity in law firms was conducted in conjunction with global technology company Symantec.
The survey received 118 responses between 24th August and 2nd October 2015, of which the majority (86 per cent) came from the UK.
More than a third (34 per cent) of respondents were at international law firms and 15 per cent were at national law firms.
A further 30 per cent were at regional law firms and 21 per cent were at local law firms.
Most of the respondents held a decision-making role, including CEO, COO, managing partner, partner and head of IT, risk or compliance.
Manju Manglani is editor of Managing Partner (www.managingpartner.com)
References
1. See 'Human error tops hacking as the biggest cause of law firm data security breaches', Manju Manglani, Managing Partner, 7 May 2015
2. See 'Five global law firms hit by cybercrime in the UK last quarter', Manju Manglani, Managing Partner, Vol. 18 Issue 3, November 2015
3. See 'Why lawyers refuse to use new technology', Manju Manglani, Managing Partner, Vol. 17 Issue 6, March 2015
4. See 'Moving data: Introducing a secure filesharing system', Julie Berry, Managing Partner, Vol. 18 Issue 2, October 2015
5. See 'Legal privilege is being put at risk by unregulated access to metadata', Manju Manglani, Managing Partner, 1 October 2015