IT Support Isn’t Enough – Why Law Firms Need Cyber Risk Management

Today's cybercrime landscape is more severe than ever before. High-profile data breaches, ransomware attacks, and other advanced cyber attacks have become a common feature of the modern world. And law firms are an attractive target to cybercriminals - they hold sensitive client information and handle significant funds.


Successful cyberattacks harm business resilience, client relationships and confidentiality and put data and systems at risk. As a result, notable financial and reputational losses often follow an attack.

With this in mind, security should be a top priority for any law firm today. And a critical element of robust cybersecurity is adopting comprehensive cyber risk management systems and not assuming the IT team has it covered.

To understand how your cybersecurity stacks up, ask yourself these questions and whether your IT support really has this all covered.

1. Who is currently responsible for conducting and documenting your cybersecurity vulnerability risk assessment?

Assessing and reviewing cybersecurity risks is now a legal requirement under the Data Protection Act 2018 and is a vital first step towards safeguarding your critical systems. Vulnerability risk assessments should be carried out periodically and by someone with experience. Crucially, this individual needs to understand current attack methods and routes of entry into systems for firms like yours. For example, email account takeover attacks, ransomware attacks, spyware, and other malware are common attack vectors.

Technology can help with scanning and probing for vulnerabilities, but this alone isn’t enough. The most effective vulnerability risk assessments also consider the platforms you rely on (your attack surface), how you interact with clients and suppliers, how your employees use your technology, and much more.

2. Who is configuring your security?

While vulnerability assessments provide risk visibility, it’s what you do with this information that’s important. A cybersecurity professional can determine how to configure your IT landscape to protect you from falling victim to a cyber attack. This is a specialist job – configuration must defend against attacks while causing minimal disruption to daily tasks. Firewalls, anti-virus software, email configurations, logins to cloud platforms, remote connections, personal devices, backups, network access rights, user privileges, logs and detection alerts are just some of the elements requiring attention. Equally important is advice on the organisational controls and governance that help mitigate your identified risks.

3. Do you satisfy legal, professional and regulatory requirements?

You are legally obligated to take appropriate technical and organisational measures to secure personal data. But does your technology adviser thoroughly understand how to meet this requirement? Do they know how to review the ongoing effectiveness of those measures? And do they know your regulatory obligations under the Code of Conduct and Accounts Rules? These rules stipulate that you must appropriately protect client funds and confidentiality, run the practice according to proper governance and risk management principles, and report incidents. Finally, and critically, is your technology adviser fulfilling your record-keeping obligations?

Failure to meet regulatory requirements can lead to reputational harm and costly fines.

4. Who is providing cybersecurity awareness training?

Employees, even well-intentioned ones, pose a significant risk to cybersecurity. Attackers often target staff with phishing emails and other social engineering tactics, as this is one of the easiest and most successful ways of infiltrating networks. Some studies estimate that human error is responsible for more than 60% of data breaches. With this in mind, educating staff on how to recognise a threat is paramount.

Frequent cybersecurity awareness training is a crucial aspect of a firm’s defences and is now a legal obligation. You should test how well your training is working by simulating attacks. For example, we have found that before training, more than 25% of staff will click on phishing emails, compared with under 5% after training.

5. Have you got the right policies and procedures in place?

Your systems are most secure when your staff know how to use them safely. Detailing and communicating cybersecurity policies and procedures helps prevent cyber incidents. Moreover, as well as being a legal obligation, policies protect your business, staff and clients. Having your employees agree and sign a cybersecurity handbook as part of their training is good practice. It ensures that everyone is familiar with the rules and knows what’s expected of them.

6. Are you buying redundant or ineffective security software?

Buying cybersecurity software makes us feel like we’re taking action and, therefore, keeping our systems safe. However, additional software rarely solves security problems. Instead, it creates a false sense of security.

Worst of all, we find that many law firms have been enticed into buying a patchwork of expensive cybersecurity software and ad hoc solutions with overlapping functionality. By and large, their existing technology already had robust protection built in but simply wasn’t configured correctly (and in some cases, just not switched on).

7. Are you getting the proper support in responding to client questionnaires and assessing your supply chain?

Today, law firms are frequently asked to share details about their security posture with clients and insurers. Your cybersecurity lead should be able to handle this. Moreover, they should advise you on the questions you should ask external parties you share client data with (like barristers’ chambers).

8. Who is providing ongoing assurance that your security controls remain appropriate and effective?

A fundamental principle of risk management is that an independent party should provide assurance. While internal technology teams may be entirely competent, they are often too close to the problem to see it as it really is. Additionally, you can’t guarantee they don’t face internal pressures (often unintentional) to rate the security posture more positively than it deserves. As a result, asking them to mark their own homework is neither practical nor fair.

Just like a vulnerability assessment, assurance is not a one-time box-ticking exercise. It needs to be done regularly because your technology, ways of working, and the cyber threat landscape will evolve over time. Another reminder – checking the efficacy of your security measures on an ongoing basis and documenting this in writing is now a legal obligation.

The SRA has warned against relying on third-party IT support services to provide adequate cybersecurity protection and resilience. Cybersecurity is highly specialised, and not all IT providers have the expertise and experience to offer robust protection and advice. So, if you’re still relying on IT support to safeguard your systems and manage your cyber risk, you’re leaving yourself vulnerable to attack.

Managing cyber risk is an essential board-level responsibility, not a nice-to-have exercise. Now is the time to take control of your security.
