In the past year, with the introduction of hybrid working, securing law firm data has become a significantly more complex proposition. According to PwC's Law Firms' Survey 2021, an increase in ransomware and other cyber attacks has been reported across a number of industries in the past 12 months. That, together with hybrid working (which increases a firm's cyber exposure if it is not adopted securely), has moved 'Reducing Cyber Risk' up law firms' list of priorities from seventh in 2020 to third this year.
As custodians of sensitive information and large amounts of client money, law firms are an attractive target for cybercriminals. Without having the appropriate security measures in place, law firms put their reputations – and their clients’ data and money – at risk.
With the increase in the up-take of cloud services and hybrid working models, taking a proactive stance on cyber security is crucial for mitigating and managing risk.
The time to act is now. UK law firms are operating in an increasingly hostile digital landscape – and security measures that may have been appropriate in the past will prove inadequate going forward.
The consequences of compromised email accounts, public leaks of privileged client data, or the inability to access information because of ransomware are significant. Breach events expose law firms to malpractice and negligence claims and could affect the firm's ability to obtain indemnity cover in the future.
Worse still, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours, and where the risk is high the affected individuals must be told as well. Such a disclosure could prove catastrophic to a firm's reputation, and any violation of UK GDPR data protection law can result in a punishing fine on top.
While professional indemnity insurance may cover losses resulting from a cyberattack, it is unlikely to include regulatory fines due to negligent security processes.
Preparation should always be the first line of defence in reducing your risk from cyber crime. This means understanding your position: Where are your top risks? What are your priorities? Can you provide evidence that your systems are covered by adequate and rigorous security policies?
The answer is to work with a framework of best practices that can be applied to your unique operating environment.
The UK National Cyber Security Centre's Cyber Essentials (CE) certification is a good place to start, but for most law firms it does not go far enough, and it is only recognised within the context of UK business. The good news is that a range of information security frameworks is available, and the right one can be selected based on the size, type, and risk posture of the firm. The US National Institute of Standards and Technology has developed the comprehensive Cybersecurity Framework (CSF), and at the very top end sits ISO 27001, which is globally recognised and externally certified.
Stridon uses the gold-standard Center for Internet Security (CIS) Controls framework to evaluate each client's current risk profile, identify what needs to be done to improve the firm's security posture right now, and develop a roadmap for the future. The CIS Controls are the ideal jumping-off point for law firms just starting to formalise their cyber security posture: a step up in robustness from Cyber Essentials, yet achievable for a law firm of any size, including those that would otherwise struggle to find the time and funds needed for ISO 27001 certification. The controls are tiered into Implementation Groups (IG1 to IG3), so a smaller firm can start with the IG1 basics and work upwards as its capability grows.
When it comes to analysing and improving your law firm's data security, a combination of solutions from leading vendors is used to ensure that every aspect of the firm's operations is protected. There is no 'one size fits all': every law firm must balance resource constraints against risk mitigation tailored to its own activities and infrastructure environment. So it is vital to deploy the right combination of solutions, one that both addresses organisational risk and ensures compliance with regulatory responsibilities.
Deploying the right combination of solutions that’s appropriate for the operational model and maintains the confidentiality and integrity of sensitive data is just the start. Everything must integrate seamlessly with any existing security measures and deliver a reliable and scalable cyber defence system that can be evolved in line with changing needs.
Enabling staff to work securely from anywhere, on any device, with access to all of the firm's applications and services (most of them now delivered via the cloud) means that a firm's 'attack surface' has grown significantly. Law firms need to ensure they secure:
This requires a multi-layered, defence-in-depth approach, so that no single control failure gives an attacker a clear path. The diagram below is an example of how Stridon has built out a solution for a firm with protection at every layer.
Stridon is a pioneering tech company that helps law firms enhance and advance their cyber security defences in creative and innovative ways. If you'd like to talk to us about your challenges, requirements or goals to see if we can help, give us a call on 020 3006 2140 or drop us an email.