The Access Group blog: Cyber-security for law firms – everything you need to know for 2022
The Access Group has published a blog on the subject of cyber-security for law firms – everything you need to know for 2022.
Cyber-criminals mean business, and increasingly their most attractive target is the law firm. For this reason, as a priority, Access Legal regularly runs cyber-security events and panel discussions with law firms on the topic of cyber-security.
Here are some law firm cyber-crime statistics from the Solicitors Regulation Authority (SRA), from their recent visits to 40 practices where they carried out thematic reviews covering cyber-security:
- 75% of law firms visited reported having been the victims of a cyber-attack.
- For the 23 that were directly targeted, over £4m of client money was stolen.
- Half of the firms were found to have allowed unrestricted use of external data storage media.
- 25% of firms were not encrypting their laptops.
It is becoming increasingly challenging to protect your business from cyber-attacks. Today’s cyber-criminals are rapidly growing in sophistication. A 2016 BT-KPMG report described the ‘industrialisation of cyber-crime’, having seen clear evidence that today’s cyber-criminals work within complex operations run like businesses, with human resources departments and budgets for research and development. Things have moved on even further since then. They mean business.
The pandemic has only heightened the cyber-threat to law firms
The pandemic has only worsened things. With the overnight homeworking revolution last year and all the added cyber-challenges that came with it, including a deluge of Covid-related scams, law firms, given the nature of the data they hold, need to be more on the ball than ever.
The reputation of the firm is at stake
It goes without saying that the professional reputation of any law firm plays a critical role in its continued success, attracting clients and long-term relationships, which are of course the life-blood of legal practice. American business magnate, investor and philanthropist Warren Buffett is famous for saying, “It takes 20 years to build a reputation and 5 minutes to ruin it.” Never has this statement been more pertinent, in the face of the daily cyber-threats faced by all businesses, especially the legal profession.
What law firms can expect from this blog
For the unprepared, there is no doubt the threat of cyber-crime to law firms is a minefield. As a group of legal IT professionals, many of whom have been working with leading law firms for 30+ years, we have grown alongside our law firm peers, learning and tackling together the legal profession’s mounting cyber-security challenges as they have grown in seriousness year on year. We thought it would be useful to map out what we believe are the main cyber-security considerations for the next 12 months.
As we begin 2022, we believe law firms must not only be sure that they themselves are doing all they can to protect their clients’ assets, data and the firm’s reputation, but also that their trusted technology partners and software suppliers are on the ball with cyber-security too. We also believe it is important that firms consider the bigger picture in terms of what the threat of cyber-crime can do to law firm culture, and take heed from the experiences of others across the legal landscape, especially learning lessons from those firms that have suffered the consequences of not acting soon enough to bolster their cyber-security.
6 key lessons we can learn from the cyber-security mistakes of other law firms
The mishaps of some law firms in terms of their cyber-security shortcomings have been well documented. Rather than risk the pain of a cyber-attack yourselves, it is sensible to keep an eye on where others are going wrong and heed their lessons learned.
The SRA advised law firms that “it may be better to ask when, not if, you will be targeted by online criminals”, and in September 2020 it published its latest report on its thematic review of cyber-security, after visiting 40 law firms and recording detailed findings. The thematic review aimed to find out the main reason(s) why law firms were failing to address cyber-security risks, so that the SRA could provide support.
From the sample visited, it is clear that most firms were following best practice and keeping themselves secure; however, it is useful and instructive to study the failings that were uncovered at some, and to look at how and why the problems occurred:
1. Continually bolster your policies and controls
Every law firm today should have a robust cyber-security policy in place. Just under 75% of the 40 firms visited by the SRA for thematic reviews were found to have adequate cyber-related policies in place, leaving just over a quarter needing to put in more effort to improve their cyber-security position. Many of the tips in this blog will help firms consider the basis for putting a new cyber-security plan in place, as well as for bolstering existing policies and controls. This is an activity that should be front of mind continually. Robust templates for cyber-security policies are also available from Access Legal’s Digital Learning & Compliance team.
2. Make sure your cyber-security training is up to the mark
Of the firms visited by the SRA for the recent thematic reviews, 20% had never provided staff with specific cyber-security training, and 50% had provided it but had not recorded details and evidence of the training, so the SRA reported that there is room for improvement here. Of course, training of this nature is paramount to enable individual solicitors and their firms to sign off their competency statements. The training records are required as proof that the law firm workforce, as a whole, is equipped to act in the best interests of clients and to protect clients’ assets and money. Access Legal’s Digital Learning & Compliance team offers comprehensive cyber-security training programmes specifically for law firms.
3. Take data storage and encryption seriously
Half of the 40 firms visited by the SRA were found to have allowed unrestricted use of external data storage media, and 25% of firms were not encrypting their laptops. The SRA recommended that policies and procedures must reflect the risks posed by allowing staff to use external storage media: not only exposing the firm and its clients to viruses, but also compromising client data. Of course, a lack of encryption is particularly risky for the safe keeping of client data when staff work on their devices at home, out of the office or while travelling with them on public transport.
4. Log and report any cyber-security incidents
During its thematic review visits, the SRA found that seven significant incidents that should have been reported to the regulator had not been. A further 24 firms had not kept specific logs of cyber-incidents. Some firms said they had kept details but were unable to produce them when asked to do so by the SRA, exposing themselves to potential action for misleading their regulator.
5. Set a cyber-security budget for the firm
Setting aside a budget for specific cyber-security risk areas is a sure sign that a firm is taking cyber-security seriously. The SRA thematic review found that 5 of the firms visited actually had cyber-security budgets in place. The SRA questioned whether firms are presently seeing cyber-crime as a high enough priority.
6. It really helps to regularly share real life stories with your staff
Sharing real-life examples of what is happening within live law firms is one of the best ways to emphasise the importance of cyber-security to your workforce, and the role each person in your team must play to keep the organisation safe from these so-called ‘hacktivists’.
The SRA is a good source, and watch out for news about law firm mishaps in the Law Society Gazette. The National Cyber Security Centre is another trusted resource, and it has an excellent news page highlighting what is happening in the world of cyber-scams.
Another trusted resource law firms can tap into, of course, is Access Legal’s Digital Learning & Compliance team, who offer a number of cyber-security related tools you can rely upon and are continuously adding new resources to keep law firms up to date. It is worth visiting this page regularly to remain alert to the threats businesses and individuals are facing, and to encourage your staff to do the same.
Kindly shared by The Access Group
Main photo courtesy of Pixabay