Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.
It follows then that risk management around cyber-crime is now a major issue for all businesses. Law firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.
The types of attack are diverse, ranging from “phishing” attacks, where criminals try to trick staff into handing over confidential information or passwords, through to “ransomware” attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated espionage.
The effect of these cyber-attacks on law firms is wide-ranging: disruption to the firm, the potential for large financial losses (the average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a breach of personal data which in itself has major regulatory ramifications, both under the current Data Protection Act and the forthcoming GDPR.
Protecting confidential client information is also one of the most essential requirements for any legal business to ensure compliance with SRA Principle 10 and outcome 4.1. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm’s risk appetite.
Many firms are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management.
This is where a highly methodical and closely monitored approach to IT management becomes critical, because it is easy to lose sight of the relentless attention to detail needed to manage a law firm’s cyber security risk. There is much more to cyber security management than technology. Yes, a suite of technical controls will be part of the answer (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. For example: How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems? How can you tell if one PC or server is missing critical security updates?
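As an added illustration of that last question (example code written for this article, not Stonegate IT’s own tooling), the PowerShell script below asks the local Windows Update Agent which software updates are available for the machine but not yet installed, lists them with Microsoft’s severity rating, and returns a non-zero exit code when any Critical or Important update is outstanding so that a monitoring agent can raise an alert. It assumes a Windows PC or server that can reach its update source (Windows Update or a WSUS server) and an elevated PowerShell session; the exit-code convention (0 up to date, 1 out of date, 2 unable to check) is an assumption chosen for this example.

```powershell
# Added example, not Stonegate IT's own tooling. Reports Windows updates that
# are available for this machine but not yet installed, using the Windows
# Update Agent COM API (Microsoft.Update.Session). Run in an elevated session.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet installed; IsHidden=0: not suppressed by an admin;
    # Type='Software': exclude driver updates from the report.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
}
catch {
    # A check that cannot reach its update source must not report "up to date".
    Write-Error "Update search failed: $($_.Exception.Message)"
    exit 2
}

# One row per outstanding update, with the fields an analyst needs to triage it.
$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB          = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity    = $u.MsrcSeverity      # Critical / Important / Moderate / Low / blank
        NeedsReboot = $u.RebootRequired
        Title       = $u.Title
    }
}

if (-not $missing) {
    Write-Output "$($env:COMPUTERNAME): no outstanding software updates"
    exit 0
}

$missing | Sort-Object Severity | Format-Table -AutoSize | Out-String | Write-Output

# Exit code for a monitoring agent (assumed convention): 1 means this host is
# missing Critical/Important updates and should be flagged for remedial action.
$urgent = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) {
    Write-Output "$($env:COMPUTERNAME): $($urgent.Count) Critical/Important update(s) outstanding"
    exit 1
}
exit 0
```

Two practical points. The script reports what the machine’s update source offers it, so on a network with a WSUS server it shows only updates an administrator has approved, which is also how the “how are they tested” question is answered in practice: approve a patch for a pilot group first, run this check against that group after the patch window, and only then approve it for the rest of the firm. And an update that is installed but still awaiting a reboot is not yet protecting the machine, so a reboot-pending host should be treated as outstanding, not as done.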
Then, as I highlighted in my recent article, “Preparing for GDPR: Protecting your Law Firm’s Data from Insider Threats” there is the need to consider what policies you have around remote working and how you prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks.
With ransomware now extremely prevalent, effective procedures around data backup are also paramount, more about which can be found in my blog “Preparing your Law Firm for GDPR: Data Backup”.
There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here at Stonegate IT, where we are working with law firms to provide fully managed services which deploy all security updates to their network in a structured and timely manner and flag an alert should any monitored device not be up to date, so that prompt analysis and remedial action can be taken.
We are also engaged in delivering highly secure and effective data backup systems, which ensure that all data is backed up centrally to a secure onsite vault that is not internet-facing and is therefore kept within the four walls of the practice.
If this article has raised questions or concerns over your firm’s cyber security strategy and you would like more information on ways that Stonegate IT can help to mitigate the risks, please do not hesitate to contact me on 020 3761 3520 or email firstname.lastname@example.org when I will be happy to chat through the issues and discuss ways we can help.
For more information about our services for law firms please feel free to visit our website.
To view other articles in our library of informational resources for law firms, please visit my blog.
Established in 2005, Stonegate IT provides IT consultancy, IT services and IT support to small and medium size law firms, solicitors and legal services companies in Kent, East Sussex, London and the surrounding area.
As specialists in working in highly demanding environments, where the highest levels of confidentiality and risk management are paramount, we fully understand the challenges law firms and solicitors’ practices face in building and maintaining systems that maximise the business advantages technology can offer them. At the same time, those systems must minimise the firm’s risks around issues such as cyber-crime, breaches of confidentiality, data protection and GDPR, and ensure compliance with SRA and Law Society regulations. For more information about our services for law firms please visit our website https://www.stonegate-it.co.uk/services/it-support-law-firms/