The legal industry, like many others, is currently undergoing a digital transformation, as both law firms and barristers’ chambers alike are embracing technology and placing digital technologies at the heart of all their company operations in order to achieve greater business efficiency. Whilst digital transformation brings about great benefits, such as an enhanced customer experience, it also opens up a business to the threat of cyber-attacks. The legal industry is no stranger to cyberthreats – the number of reported cybersecurity incidents this sector has been facing has grown substantially over the last few years causing mass distress for both legal practitioners and clients alike. In fact, according to the SRA, in the first half of 2018 there was a 10% increase in the number of cybercrimes reported by law firms compared to the same period in 2017. However, despite these threats, industry research has indicated that only 35% of law firms have a response plan in place.
The damage that cyberattacks can cause legal organisations is far reaching. Not only do many of the attacks result in hefty financial losses – the SRA reports that over £20 million in client money was stolen due to cybercrime in 2016-18 – but the reputational impact of a cyberattack or data breach on the legal industry can also be significant. Remediation and repairing reputational damage by regaining public trust following security incidents is hard to achieve and difficult to measure, especially for smaller firms or self-employed barristers. Legal firm Mossack Fonseca famously lost the largest amount of data ever recorded in 2016 when 11.5 million files that created the ‘Panama Papers’ were stolen by hackers and leaked. The firm’s reputation never truly recovered and it’s not hard to see why. Attracting new clients would be difficult for any barrister or law firm that had suffered a data breach due to the perception that they are unable to sufficiently safeguard client data. In turn, this will then impact on the bottom line due to lost business opportunities.
So, why is the legal industry so heavily targeted? Barristers and other legal professionals have access to large amounts of sensitive data as part of their work as international specialist advisors on complex disputes, both in court and arbitration. Around 80% of barristers are self-employed and the majority belong to barristers’ chambers and, as such, this network is a goldmine for data. This data can then be used to make a blackhat hacker a nice financial profit. For example, a New York- based law firm was hacked by three foreign nationals in order to steal insider information regarding pending merger and acquisition deals in 2016. This led to over $4 million in unlawful financial gains.
Consequentially, barristers must be especially wary of cyberthreats and malicious online actors and all chambers must make sure that they have a secure cybersecurity strategy in place in order to mitigate against risks. A breach or an attack could put firms at risk of being fined, especially in the age of strict data regulations such as the GDPR and the NIS Directive. These aren’t just empty threats – in February this year, Google was fined a record £44 million under the GDPR, for the misuse of consumer data. Many legal practitioners simply cannot afford to be fined up to €20 million or 4% of their total global turnover. Therefore, it is critical that they take proactive steps to protect their businesses against cyber threats.
As technology is increasingly dominant in how legal professionals conduct their daily tasks, precautions must be taken to ensure that these forms of technology are protected. While it may seem like a complex and intimidating task to implement a cybersecurity strategy due to the complex range of solutions available, the answer lies in making sure that the basics are covered. All barristers’ chambers must ensure that, as a business wide strategy, they have implemented basic cybersecurity practices such as patching, network configuration and strong password management. Other basic practices such as regularly updating passwords and not sharing any login credentials with other members of staff is crucial, especially as threats can also come from inside the business.
Tools such as patch and vulnerability management, application whitelisting, privilege management, identity management, file and media protection, and ransomware remediation will help defend against attacks. All these processes can be easily managed through one third party provider to allow barristers to focus their efforts on their cases rather than continuously worrying about IT and security priorities.
Training all employees to spot, and report on, suspected malicious activities will also add another layer of defence. This is particularly important as a poll of law firms showed that around 80% have reported phishing attempts. The amount stolen from law firms through phishing in Q1 2017 was 300% higher than the previous year. Ultimately, recent phishing attacks experienced by multiple organisations in the legal vertical highlights the continued need for people to be very wary of what they are clicking on. End-user education forms a very important part of protecting against these kinds of attack, but there are also technical steps that can be taken. For example, protecting privileged accounts must sit at the heart of the IT team’s strategy in order to prevent their misuse, be that accidental or malicious. A fine balance has to be struck between withholding admin rights that could land in the wrong hands and making sure employees and end users have the freedom required to complete their work. This means taking an individual approach to each employee and granting them the privileges they need but blocking anything that could compromise the network and lead to downtime or breach. Supporting this with a layered approach to cybersecurity reduces attack surfaces, detects attacks that do get through, and helps cybersecurity professionals to take rapid action to contain malicious activity and software vulnerabilities.
Any barristers’ chambers should also be using technologies and processes to reduce its attack surface, detect attacks that do get through, and take rapid action to contain malicious activity and vulnerabilities. These measures are all part of a back to basics, layered approach to security which every organisation, no matter what industry, should have in place. As holders of sensitive information, barristers’ chambers must ensure that they remain vigilant. They need to know what sort of information is stored on their system and what is passing through their networks. The complete visibility of the entire business network is necessary to ensure that all threats are identified and dealt with in a timely fashion as well understanding how sensitive data is stored and handled by everyone on the same network.
It is critical that all organisations in the legal industry are ensuring that cybersecurity is a top priority. As this industry continues to move into a digital age, the risk of cyberattacks is only going to grow. As such it is imperative that all organisations are implementing a back to basics, defence-in-depth approach to cybersecurity or risk opening themselves up to both financial and reputational damages.
By Andy Baldin, VP – EMEA at Ivanti
Andy Baldin Bio:
Andrzej Baldin is currently the Vice President – EMEA at Ivanti, a position he has held since 2017.
Ivanti: The Power of Unified IT.
Ivanti unifies IT and Security Operations to better manage and secure the digital workplace.