Smaller law firms are an easy target for cyber scammers

Preparing for the worst-case scenario is the best way to anticipate real IT threats, says Eleanor Kilner
Cyber risk and data loss are fast becoming hot topics in risk management for law firms. The Cyber-Security Information Sharing Partnership (CISP) has recently warned smaller firms that they could be seen as an easy target for scammers attempting to obtain sensitive information about clients. “Scammers realise that larger companies have [dedicated] resources, so they are looking down the supply chain to smaller firms,” it said.
This came as the Solicitors Regulation Authority also warned lawyers not to open email attachments or links from scam individuals and/or companies posing as the SRA or the Law Society, purporting to be about investigations.
Although phishing scams are just one example, the cyber threat to law firms can come in various forms and at various levels of sophistication.
With increasing use of the cloud, and, particularly in law firms, of the platforms used for e-discovery and data rooms, there has never been a better time to revisit policies and procedures to ensure that they are up to date and fit for purpose.
While a breach of client confidentiality is the principal concern, not least because fines imposed by the Information Commissioner’s Office are uninsurable, other consequences such as loss of data and network downtime also need to be considered.
Take, for example, a solicitor who is working to a disclosure deadline. The list is almost complete but the firm’s e-discovery platform malfunctions. This could be down to a variety of causes, such as malware, hacktivism or a software bug. Obviously, it is ideal to start working towards a deadline early, but court directions can be tight and extracting data can take time.
Post-Mitchell (the Court of Appeal’s strict approach to relief from sanctions for missed deadlines), law firms know that complying with deadlines is paramount and that the consequences of non-compliance can be devastating.
So, best practice for managing cyber risk includes the following (these headings broadly track the UK government’s “10 Steps to Cyber Security” guidance):
- Information risk management regime. Consider your governance structure and determine your firm’s risk appetite on cyber, so that it can inform your risk management policies. For those considering cloud computing, the data security risks of moving particular systems to the cloud should be weighed carefully, together with questions of liability, indemnification and insurance in the event of a data breach. You may wish to limit the classes of information that are held in the cloud at all.
- Awareness. Produce user-friendly security policies and regular updates on cyber matters, and provide mandatory training to all staff reminding them of data protection policies and of how to recognise and report phishing.
- Secure configuration. Put systems in place to ensure that the secure configuration of all IT systems is maintained.
- Network security and malware protection. Protect your firm’s networks against external and internal attack by producing relevant policy and, for example, establishing anti-malware defences that are applicable and relevant to all departments.
- Access control. Establish account management processes (including prompt removal of leavers’ accounts), limit the number of privileged accounts, and review individual user privileges, particularly for external users such as clients and counsel given access to data rooms.
- Monitoring. It is also important to develop a monitoring strategy and produce supporting policies to maintain security.
- Working away and removable media. Establish an up-to-date policy protecting data and removable media in the office, while travelling and when working away from the office. You may wish to limit the types of media that can be used, and to require encryption of laptops and removable drives.
- Incident management. Back up key data in multiple places (including at least one copy that is not permanently connected to the network), test that backups can actually be restored, and plan for worst-case scenarios by establishing an incident response and disaster recovery capability. This may be a joined-up approach between risk management and IT, or may involve third-party support from an external provider.
Firms should establish policies for dealing with worst-case scenarios, including back-up and incident management, that are particular to the firm, its clients and its type of work.
Of course, any associated breach of client confidentiality must be reported to the COLP (the compliance officer for legal practice, who will decide whether to report to the SRA) and to your professional indemnity insurers.
As ever, having appropriate processes and procedures in place is key to limiting both the likelihood of a cyber attack or data loss and its effect on your firm.
Eleanor Kilner is a solicitor at Weightmans