Why Cyber Security is more important to law firms than ever right now
Article by Access Legal –
Cybercriminals mean business and it seems increasingly that their most attractive prime target is the law firm. For this reason, as a priority, Access Legal regularly runs cyber security events and panel discussions with law firms on the topic of Cyber Security.
Here are some law firm cybercrime statistics from the Solicitors Regulation Authority (SRA), from their recent visits to 40 practices where they carried out thematic reviews covering cyber security:
- 75% of law firms visited reported having been the victims of a cyber attack
- For 23 of those that were directly targeted, over £4m of client money was stolen
- Half of the firms were found to have allowed unrestricted use of external data storage media
- 25% of firms are not encrypting their laptops.
It is becoming increasingly challenging to protect your business from cyber-attacks. Today’s cybercriminals are progressing rapidly in terms of sophistication. A 2016 BT-KPMG report talked about the ‘industrialisation of cybercrime’ having seen clear evidence that today’s cybercriminal works for complex operations akin to businesses, with human resources departments and budgets for research and development. And things have moved on even further since then. They mean business.
The pandemic has only heightened the cyber threat to law firms
The pandemic has only worsened things. With the overnight homeworking revolution last year and all the added cyber challenges that came with it, including a deluge of Covid-related scams, law firms, given the nature of the data they hold, need to be more on-the-ball than ever.
The reputation of the firm is at stake
It goes without saying that the professional reputation of any law firm plays a critical role in its continued success, attracting clients and long-term relationships, which of course are the lifeblood of legal practice. American business magnate, investor, and philanthropist Warren Buffett is famous for saying, “It takes 20 years to build a reputation and 5 minutes to ruin it.” Never has this statement been more pertinent, in the face of the daily cyber threats faced by all businesses, especially the legal profession.
What law firms can expect from this blog
For the unprepared, there is no doubt the threat of cybercrime to law firms is a minefield. As a group of legal IT professionals, many of whom have been working with leading law firms for 30+ years, we have grown alongside our law firm peers, learning and tackling together the legal profession’s mounting cyber security challenges as they have grown in seriousness year-on-year. We thought it would be useful to map out what we believe are the main cyber security considerations for the next 12 months.
As we approach 2022, we believe law firms must not only be sure that they themselves are doing all they can to protect their clients’ assets, data, and the firm’s reputation – but also that their trusted technology partners and software suppliers are on-the-ball with cyber security too. We also believe it is important that firms consider the bigger picture in terms of what the threat of cybercrime can do to law firm culture, and also take heed from the experiences of others across the legal landscape, especially learning lessons from those firms that have suffered the consequences of not acting soon enough to bolster their cyber security.
6 key lessons we can learn from the cyber security mistakes of other law firms
The mishaps of some law firms in terms of their cyber security shortcomings have been well documented. Rather than risk the pain of a cyber-attack yourselves, it is sensible to keep an eye on where others are going wrong and heed their lessons learned.
The Solicitors Regulation Authority (SRA) advised law firms that “it may be better to ask when, not if, you will be targeted by online criminals”. In September 2020 it published its latest report on the thematic review of cyber security, after visiting 40 law firms and recording their detailed findings. The thematic review aimed to find out the main reason(s) why law firms were failing to address cyber security risks, so that the SRA could provide support. From the sample visited, it is clear that most were following best practice and keeping their firms secure; however, it is useful and interesting to study the failings that were uncovered at some firms and to look at how and why the problems occurred.
1. Continually bolster your policies & controls
Every law firm today should have a robust cyber security policy in place. Just under 75% of the 40 firms visited by the SRA for thematic reviews were found to have adequate cyber-related policies in place, leaving just over a quarter needing to put in more effort to improve their cyber security situation. Many of the tips in this blog will help firms consider the basis for putting in a new cyber security plan, as well as for bolstering existing policies and controls. This is an activity that should be front of mind continually. Robust templates for cyber security policies are also available from Access Legal’s Digital Learning & Compliance team.
2. Make sure your cyber security training is up to the mark
With 20% of the firms visited by the SRA for the recent thematic reviews having never provided staff with specific cyber training, and 50% having provided it but not recorded details and evidence of the training, the SRA reported that there is room for improvement here. Of course, training of this nature is paramount to enable individual solicitors and their firms to sign off their competency statements. The training records are required as proof that the law firm workforce, as a whole, is equipped to act in the best interests of clients and to protect clients’ assets and their money. Access Legal’s Digital Learning & Compliance team offers comprehensive cyber security training programmes specifically for law firms.
3. Take data storage & encryption seriously
Half of the 40 firms visited by the SRA were found to have allowed unrestricted use of external data storage media, and 25% of firms were not encrypting their laptops. The SRA recommended that policies and procedures must reflect the risks posed by allowing staff to use external storage media: exposing the firm and its clients to viruses, but also the risk of compromising client data. Of course, a lack of encryption is particularly risky for the safekeeping of client data when staff work on their devices at home, out of the office or while travelling with them on public transport.
4. Log & report any cyber security incidents
During their thematic review visits, the SRA found seven significant incidents that should have been reported to the regulator but had not been. A further 24 firms had not kept specific logs of cyber incidents. Some firms said they had kept details but were unable to produce them when asked to do so by the SRA, exposing themselves to potential action for misleading their regulator.
5. Set a cyber security budget for the firm
Setting aside a budget for specific cyber security risk areas is a sure sign that a firm is taking cyber security seriously. The SRA Thematic Review found 5 of the firms visited actually had cyber security budgets in place. The SRA questioned whether firms are presently seeing cybercrime as a high enough priority.
6. It really helps to regularly share real life stories with your staff
Sharing real-life examples of what is happening within live law firms is one of the best ways to emphasise the importance of cyber security to your workforce, and the role each person in your team must play to keep the organisation safe from these so-called ‘hacktivists’.
The SRA is a good source, and watch out for news about law firm mishaps in the Law Society Gazette. The National Cyber Security Centre is another trusted resource, and it has an excellent news page highlighting what is happening in the world of cyber scams. Another trusted resource law firms can tap into, of course, is Access Legal’s Digital Learning & Compliance team, which offers a number of cyber security-related tools you can rely upon and is continuously adding new resources to keep law firms up-to-date. It is worth visiting this page regularly to remain alert to the threats businesses and individuals are facing, and to encourage your staff to do the same.
7 tips for law firms to ensure their cyber security for homeworkers is solid
When the Prime Minister spoke to the nation on 23 March 2020 instructing us all to work from home where possible, the scale and speed of the change, looking back now, was quite unbelievable.
Some businesses were more prepared for this than others, but on the whole, law firms seem to have found the transition relatively straightforward. Those with good practice management software providers have had homeworking options available to them for many years.
While most firms could breathe a sigh of relief that the tech was working from home and that they could continue to deliver services to clients, the serious and urgent need to consider the cyber threats facing them was hard to ignore. Many law firms now have in place the level of cyber security solicitors need to be able to practise from home safely.
With homeworking here to stay, as many law firms plan a hybrid working model for the future of law, closing and downsizing their offices, here is a check-list of the top 7 recommendations for those firms catching up with cyber security for homeworkers:
1. Make sure you have a clear reporting mechanism in place
Ensure you have a clear reporting mechanism in place for your homeworkers that they can use to officially report and log any security concerns or problems so that your IT people are fully aware of any potential threats to the business. People who don’t work in IT may not recognise the significance of a cyber threat, so if you don’t make lines of communication available and easy, they may not alert the right people early enough.
2. Strong passwords with two-factor authentication are a must
If you haven’t done this yet, we highly recommend you do it today! Don’t delay any longer. There is lots of excellent advice about passwords and 2FA on the National Cyber Security Centre website.
3. Consider all the devices in use at home & ensure they are safe
Across the country home workers are using a combination of their employers’ devices (PCs, laptops etc.) as well as their own personal devices (phones, tablets etc.) sometimes referred to as BYOD (bring-your-own-device).
Either way law firms must make sure their staff understand the risks of using devices away from the office for work purposes.
Make sure they are all running the most recent software for both operating system and applications, including anti-virus software of course. Make sure staff know how to keep devices safe when away from the office, and what to do about reporting lost or stolen devices as soon as possible to the relevant IT staff to ensure your firm remains safe.
For homeworkers it is probably better to supply equipment rather than allow BYOD (bring-your-own-device), so that the firm can monitor “who, what, when, where and how?”.
4. Switch on encryption
Devices are more likely to be lost or stolen when you have staff set up for home working. Most modern devices have encryption built in, but it may need configuring or switching on. Ensure all devices that are being used at home by your workers are set to encrypt data while at rest.
5. Use mobile device management
It’s a good idea to set up all your home working devices with a standard configuration so that your IT people can lock them or delete data from them remotely, using MDM (Mobile Device Management).
6. Have a VPN in place
Having a Virtual Private Network (VPN) in place provides an additional layer of security for home workers accessing your firm’s IT resources – e.g. your practice management system, your email system etc. If you are already using VPN, make sure it is fully patched. You may need extra licences, capacity or bandwidth if you’re supporting more home workers.
Your users should avoid using free WiFi hotspots without a VPN, so that their device’s traffic is encrypted and harder for a cyber-criminal to intercept. For law firms using a cloud-hosted solution for their practice management software, the supplier’s systems should be fully patched and optimised. If you manage your own IT infrastructure in-house, it is worth checking this yourself.
7. Empower your staff to spot scams, risks & threats
Human error might be the cause of many of the world’s data breaches today, but it is important to remember that your people are your first line of defence too. Regular training instils the right competencies and behaviours across the workforce, and for homeworkers, delivering key training material of this nature remotely using eLearning courses is ideal.
Completing modules on a ‘little and often’ basis enables people to build training into their day and apply the teachings to their work. It also means new starters, currently onboarding at home, are empowered to grow their knowledge and adhere to security policies from the moment they join. From a compliance perspective, a good learning management system (LMS) helps firms to plan, track and evidence training, and signpost people to relevant eLearning courses.
6 questions law firms should ask their prospective suppliers of new software
When bringing on board new practice management software partners, or any new technology partners, there are many cyber security-related questions we’d highly recommend law firms ask. You cannot delve too deeply into a new supplier’s cyber security credentials.
As we keep reiterating throughout this blog, these measures probably apply to law firms more than most other businesses, purely because of the highly sensitive nature of the information they hold on behalf of clients. This, coupled with the high levels of cybercrime affecting the profession today, probably makes information security one of the most important aspects of any law firm’s check-list when signing up with a new IT / software partner.
The top 6 security questions we believe a law firm should ask of any prospective software or IT services provider are:
1. How secure is their datacentre for SaaS?
For firms going with a cloud solution: can your supplier prove they operate their SaaS solution (i.e. the cloud hosting) within an ISO 27001 certified datacentre? ISO 27001 is the international standard that stipulates best practice for an information security management system.
2. How seriously does the prospective supplier take information security?
Can your supplier prove THEY themselves are also ISO 27001 certified? Certification to ISO 27001 demonstrates that an organisation is following robust information security best practices. Some suppliers say they have ISO 27001 certification when in fact it is only specifically their third-party datacentre that has it. For belt and braces information security management your supplier themselves should have it too.
3. Ask for a penetration test report
Can your supplier present a recent penetration test report? Penetration testing (often referred to as pen testing) is the practice of testing a computer system, network or web application in order to find any vulnerabilities that could be exploited by a cybercriminal.
4. Can you see an audit trail?
Do you have access to an audit trail within your practice management software? That is, are you able to see whether users are accessing areas they shouldn’t?
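An audit trail is only useful if someone actually reviews it. The following is an added example, not code from Access Legal or from any practice management product: it takes a small, constructed audit log (timestamp, user, action, matter reference), a constructed map of which matters each fee earner is assigned to, and flags the three things a reviewer would most want to see: access to matters outside a user’s remit, access outside working hours, and unusually large numbers of exports by one user. The log format, the assignments, the working-hours window and the export ceiling are all assumptions made for the example.

```python
"""Review a practice-management audit trail for access a user shouldn't have.

Added example (not Access Legal's code). The log format, the user-to-matter
assignments and the thresholds below are constructed for illustration only.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample audit trail: timestamp, user, action, matter reference.
AUDIT_LOG = """\
2021-11-08T09:12:03,jsmith,view,M-1001
2021-11-08T09:15:47,jsmith,view,M-1002
2021-11-08T09:20:10,abrown,export,M-2001
2021-11-08T09:21:30,abrown,export,M-2002
2021-11-08T09:22:05,abrown,export,M-2003
2021-11-08T09:22:40,abrown,export,M-2004
2021-11-08T09:23:11,abrown,export,M-2005
2021-11-08T11:02:55,jsmith,view,M-3001
2021-11-08T23:41:19,tgreen,view,M-1001
"""

# Constructed: which matters each fee earner is assigned to (their "remit").
ASSIGNMENTS = {
    "jsmith": {"M-1001", "M-1002"},
    "abrown": {"M-2001", "M-2002", "M-2003", "M-2004", "M-2005"},
    "tgreen": {"M-1001"},
}

WORKING_HOURS = (time(7, 0), time(20, 0))  # constructed business-hours window
EXPORT_LIMIT = 3                            # constructed per-user export ceiling


def parse_log(text):
    """Turn the CSV-style audit lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, matter = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "matter": matter,
        })
    return events


def find_out_of_remit(events, assignments):
    """Accesses to a matter the user is not assigned to: the 'areas they shouldn't' case."""
    return [(e["user"], e["matter"]) for e in events
            if e["matter"] not in assignments.get(e["user"], set())]


def find_after_hours(events, window=WORKING_HOURS):
    """Access outside the working-hours window; worth a question even when in remit."""
    start, end = window
    return [(e["user"], e["ts"].isoformat()) for e in events
            if not (start <= e["ts"].time() <= end)]


def find_bulk_exports(events, limit=EXPORT_LIMIT):
    """Users whose export count exceeds the ceiling; a possible data-leak signal."""
    counts = Counter(e["user"] for e in events if e["action"] == "export")
    return {user: n for user, n in counts.items() if n > limit}


def review(text, assignments=ASSIGNMENTS):
    """Run all three checks over the log text and return the findings in one dict."""
    events = parse_log(text)
    return {
        "out_of_remit": find_out_of_remit(events, assignments),
        "after_hours": find_after_hours(events),
        "bulk_exports": find_bulk_exports(events),
    }


if __name__ == "__main__":
    for check, findings in review(AUDIT_LOG).items():
        print(f"{check}: {findings}")
```

Run against the constructed log, the review reports jsmith viewing M-3001 (not an assigned matter), tgreen viewing a matter at 23:41, and abrown exporting five matters in four minutes. A real practice management system would export its audit trail in its own format, so the parsing function is the part that would change; the three questions the checks ask are the ones to put to any supplier’s audit trail.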
5. Ask about security patching
Can your supplier demonstrate a robust security patching process within their SaaS infrastructure, for example for keeping up-to-date with Microsoft database security standards?
6. Ask about cyber essentials accreditation
Can your supplier prove they are Cyber Essentials accredited? Cyber Essentials is a government-backed cyber security certification scheme that sets out a good baseline of cyber security for organisations. The scheme is designed to prevent cyber-attacks.
7 steps to make cyber security a key part of your healthy ‘no-blame’ culture
Whilst human error is the cause of 95% of cyber-attacks / data breaches, we all need to recognise that well-informed, well-trained staff are a law firm’s best line of defence against cybercrime. There are so many horror stories increasingly doing the rounds, that it is understandable that staff are terrified of doing something wrong and causing catastrophic consequences for their employers.
It is paramount that firms not only openly encourage their employees to share their concerns and experiences, but that they also reward the right kind of behaviour to develop an open ‘no-blame’ culture. Nurturing a positive culture is clearly going to be key for the success of cyber security policies, and more importantly a key part of the bigger picture for the success of the profession.
We have captured some key take-aways from our recent webinars and panel sessions with law firms on cyber security and its place within a healthy workplace culture. Our top seven take-aways that we believe you will find most useful on this subject are:
1. Make cyber security a priority
If it is not, I am sure you know it should be. There is always something more pressing and urgent to take up your time. But no law firm can delay this step a moment longer. We urge you to put cyber security at the forefront of developing your law firm’s digital footprint rather than allowing it to be an after-thought. Enough said.
2. Think about learning styles to make your cyber security training stick
You don’t need us to tell you firms must provide quality training for their staff. It’s a no brainer. But many of the law firms we talk to tell us that there is room for improvement in the way they train their people on cyber security, which of course can be a very dry subject and therefore difficult to engage with. Enabling employees to choose their preferred learning style through multiple training techniques including tests, quizzes, eLearning, games, videos, pdfs and audio stories will move your firm beyond annual, tick-box training that has become typical for many organisations. If you adopt short, immersive, and relevant training, little and often that is highly targeted, the impact of your cyber security policies will increase considerably. If you need help in this area Access Legal have a lot to offer.
3. Ramp up your communication to staff & join the dots for them
Again, communication is obvious. It has to become routine with staff. Let them know regularly what’s happening in the cyber security world. Don’t take anything for granted, especially when new cyber risks appear. Use stories and real-life incidents to bring the risks to life at home and at work. Keep detailed notes of how you manage any cyber incidents and share them as and when relevant. Don’t assume that employees knowing what your security policies are will change behaviours. Firms must join the dots for their employees, and make it crystal clear what is expected of them. Encourage your people to share their own stories to help build their awareness and confidence in doing the right thing.
4. Sit down today and consider the risks of taking on new staff & your leavers
Be rigorous in on-boarding & off-boarding personnel. There are so many risks with both. Give these areas the attention they deserve.
5. Double check you are making the right back-up choices
Make sure your back-up procedure is fit for purpose – on site/off site, cloud vs server, high security vs fast recovery. A good practice management supplier will provide excellent advice on these matters.
6. Ensure your sign off procedures are hyper-diligent
All the law firm execs we speak to at our cyber security events have put in place senior stakeholder sign off procedures for sending and releasing funds – typically a minimum two pairs of eyes for all amounts over £5k or an agreed nominal amount. We do not anticipate there are many firms today that don’t have hyper-diligent processes in place for this, but if you are not 100% comfortable with yours, the time to revisit them is now.
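The sign-off rule described above is easy to state and easy to get subtly wrong in practice (the requester approving their own release, or the same partner counted twice). The following is an added example, not Access Legal’s code or any product’s, that models the control as a small Python class: releases over a threshold need two distinct senior approvers, smaller releases need one, and a requester can never be one of their own approvers. The threshold uses the £5k figure mentioned above; the approver names and roles are constructed.

```python
"""Model the 'two pairs of eyes' control for releasing client funds.

Added example, not Access Legal's code. The threshold is the £5k figure from
the article; the approver directory and the release references are constructed.
"""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 5_000.00  # from the article; firms agree their own figure

# Constructed staff directory: who holds senior sign-off authority.
SENIOR_APPROVERS = {"partner.one", "partner.two", "finance.head"}


class ReleaseError(Exception):
    """Raised when an action would breach the sign-off control."""


@dataclass
class FundsRelease:
    reference: str
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)

    def required_approvals(self):
        """Two pairs of eyes above the threshold, one pair at or below it."""
        return 2 if self.amount > DUAL_APPROVAL_THRESHOLD else 1

    def approve(self, approver):
        """Record an approval, rejecting anyone who is not entitled to give one."""
        if approver not in SENIOR_APPROVERS:
            raise ReleaseError(f"{approver} does not hold sign-off authority")
        if approver == self.requested_by:
            raise ReleaseError("a requester cannot approve their own release")
        if approver in self.approvals:
            raise ReleaseError(f"{approver} has already approved {self.reference}")
        self.approvals.append(approver)

    def can_release(self):
        """True once enough distinct senior approvals have been recorded."""
        return len(self.approvals) >= self.required_approvals()

    def release(self):
        """Return an audit record for the release, or refuse if sign-off is incomplete."""
        if not self.can_release():
            raise ReleaseError(
                f"{self.reference} needs {self.required_approvals()} approval(s), "
                f"has {len(self.approvals)}"
            )
        return {
            "reference": self.reference,
            "amount": self.amount,
            "requested_by": self.requested_by,
            "approved_by": list(self.approvals),
        }


if __name__ == "__main__":
    # Constructed scenario: a £12,000 release raised by a fee earner.
    release = FundsRelease("REL-0001", 12_000.00, "fee.earner")
    release.approve("partner.one")
    try:
        release.release()
    except ReleaseError as err:
        print("blocked:", err)
    release.approve("partner.two")
    print("ok:", release.release())
```

The class keeps the approvals list as the audit record, so a finance team can see exactly who signed off each release. The checks worth keeping whoever implements this for real: the requester is excluded, duplicate approvals are refused, and the approval count is compared against a threshold that the firm sets in one place.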
7. Revisit your position on cyber insurance
Consider what a specialist cyber insurance policy could offer either by speaking to your insurance broker or a specialist in the industry. Seek recommendations and references.
Cyber Security for Law Firms – in summary
The stark reality is that cyber criminals employ a range of ever-evolving tactics to bypass security controls to target employees and are becoming more sophisticated in their approach to breaking down barriers of entry. However, many law firms are surpassing the level of sophistication we are seeing from today’s cyber criminals by implementing solid cyber policies and procedures.
If your firm is interested in a new legal practice management system from a trusted ISO 27001 legal software supplier, or you would like help with your digital learning and compliance for cyber security, please contact Access Legal today on 0845 345 3300 or online.