Friday 9 March 2018

The Cyber Crime Wave: 5 Practical Steps to Protect your Law Firm



Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.

And the effect of cyber-attacks on law firms is wide-ranging: disruption to the firm, the potential for large financial losses (the average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a breach of personal data, which in itself has major regulatory ramifications, both under the current Data Protection Act and the forthcoming GDPR.

On top of this, law firms have the added complication of the impact an attack has on their SRA regulatory obligations.

It follows, then, that risk management around cyber-crime is now a major issue for all businesses. Law firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high-profile clients. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement in establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

Many firms are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management.

This is where a highly structured and methodical approach to IT management becomes critical, as it is easy to lose sight of the relentless attention to detail that is needed to manage a law firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes, a suite of technological solutions will be part of the answer (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. Some practical steps that I would recommend every law firm implements to lessen their risk of falling victim to cyber-crime are as follows:

  1. Implement an effective security patch management policy
     Software vendors are releasing a regular stream of patches to mitigate newly discovered security flaws. As I discussed in my recent blog “Key Considerations for an Effective Security Patching Regime”, having a methodology to ensure every device on the network receives patches in a timely fashion is vital.

  2. Get an INDEPENDENT vulnerability scan carried out to benchmark your cyber security defences
     Because it’s very easy to be too close to a system and potentially overlook a security loophole, we frequently get called on to conduct independent security vulnerability scans, or fuller, complete security audits for law firms. An independent security review by a third party who has no vested interest in the system is more likely to give objective, impartial feedback.

  3. Implement a multi-layered data backup strategy
     With ransomware now extremely prevalent, effective procedures around data backup are paramount. More information can be found here.

  4. Review and test your disaster recovery procedures
     I see so many disaster recovery plans that, for a plethora of reasons, don’t work when used in anger. Testing is essential to prove all your data is being backed up successfully and that your entire system can be restored in a timescale that is acceptable to the business. I wrote a blog on this subject recently, which you can find here.

  5. Consider Cyber Essentials Certification
     The Cyber Essentials scheme is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security. More information can be found here.

There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here at Connexion, where we are working with law firms to provide all of the above services on a fully managed basis.

If this article has raised questions or concerns over your firm’s cyber security strategy, or you would like more information on Connexion’s services, which include security vulnerability scans, patch management solutions, Cyber Essentials certification, backup solutions and disaster recovery solutions, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/