Cyber-security for law firms: Everything you need to know for 2022 (Part 2 of 5)

Access Legal has written a five-part blog on cyber-security: Part 2 covers 6 key lessons we can learn from the cyber-security mistakes of other law firms.

The mishaps of some law firms in terms of their cyber-security shortcomings have been well documented. Rather than risk the pain of a cyber-attack yourselves, it is sensible to keep an eye on where others are going wrong and heed their lessons learned. The Solicitors Regulation Authority (SRA) advised law firms that “it may be better to ask when, not if, you will be targeted by online criminals” and they published their latest report on the thematic review of cyber-security, after visiting 40 law firms and recording their detailed findings in September 2020.

The thematic review aimed to find out the main reason(s) why law firms were failing to address cyber-security risks, so they could provide support. From the sample visited, it is clear to see that most were following best practice and keeping their firms secure, however, it is useful and interesting to study the failings of some that were uncovered, and to look at how and why the problems occurred.

1. Continually bolster your policies and controls

Every law firm today should have a robust cyber-security policy in place. Just under 75% of the 40 firms visited by the SRA for thematic reviews were found to have adequate cyber-related policies in place, leaving just over a quarter needing to put in more effort in terms of improving their cyber-security situation. Many of the tips in this blog will help firms consider the basis for putting in a new cyber-security plan, as well as for bolstering existing policies and controls. This is an activity that should be front of mind continually. Also robust templates for cyber-security policies are available from Access Legal’s Digital Learning & Compliance team.

2. Make sure your cyber-security training is up to the mark

With 20% of the firms visited by the SRA, for the recent thematic reviews, having never provided staff with specific cyber-training and 50% having provided it but not recording details and evidence of the training, it was reported that there is room for improvement here. Of course, training of this nature is paramount to enable individual solicitors and their firms to be able to sign-off their competency statements. The training records are required as proof that the law firm workforce, as a whole, is equipped to act in the best interests of clients and to protect clients’ assets and their money. Access Legal’s Digital Learning & Compliance team offers comprehensive cyber-security training programmes specifically for law firms.

3. Take data storage and encryption seriously

Half of the 40 firms visited by the SRA were found to have allowed unrestricted use of external data storage media, with 25% of firms not encrypting their laptops. The SRA recommended that it is essential policies and procedures reflect the risks posed by allowing staff to use external storage media in terms of exposing the firm and its clients to viruses but also the risk of compromising client data. Of course, a lack of encryption is particularly risky for the safe keeping of client data for staff working on their devices at home, out of the office or travelling with them on public transport.

4. Log and report any cyber-security incidents

During their thematic review visits the SRA found that seven significant incidents had not been reported to the body which should have been. A further 24 firms had not kept specific logs of cyber incidents. Some firms said they had kept details but were unable to produce them when asked to do so by the SRA, exposing themselves to potential action for misleading their regulator.

5. Set a cyber-security budget for the firm

Setting aside a budget for specific cyber security risk areas is a sure sign that a firm is taking cyber-security seriously. The SRA Thematic Review found 5 of the firms visited actually had cyber-security budgets in place. The SRA questioned whether firms are presently seeing cybercrime as a high enough priority.

6. It really helps to regularly share real life stories with your staff

Sharing real-life examples of what is happening within live law firms is one of the best ways to emphasise the importance of cyber-security to your workforce, and the role each person in your team must play to keep the organisation safe from these so-called ‘hactivists’.

The SRA is a good source and watch out for news about law firm mishaps in the Law Society Gazette. The National Cyber Security Centre is another trusted resource, and it has an excellent news page highlighting what is happening in the world of cyber scams. Another trusted resource law firms can tap into of course is Access Legal’s Digital Learning & Compliance team, who offer a number of cyber-security related tools you can rely upon, and are continuously adding new resources for law firms to keep up-to-date and relevant. It is worth visiting this page regularly to remain alert of the threats businesses and individuals are facing, and encourage your staff to do the same.

More cyber-security resources from Access Legal:

 

This is part 2 of a 5-part blog by The Access Group on Cyber-security for law firms.

 

Kindly shared by Access Legal

Main photo courtesy of Pixabay