Keeping your business secure: cybersecurity in changing times
Recent ransomware attacks on chambers, and phishing activity directed at solicitors have freshly exposed poor cyber-practice at a time when hybrid working patterns are the new norm in the sector.
Targeted cyber crime
If solicitors have adapted to changing working conditions over the past 18 months, so have cyber criminals.
These cyber criminals have seized opportunities presented by remote working to target the money and confidential data lawyers hold.
The figures are sobering.
The Cyber Security Breaches Survey 2021, published by the Department for Digital, Culture, Media and Sport (DCMS), reports that 40% of businesses identified a cybersecurity breach or attack in the last 12 months.
Mix in the attractiveness of lawyers’ data to criminals, and the fact that the report also states that nearly half of businesses have staff using personal devices for work, and you have a disturbing picture.
Financial and reputational impacts
The financial and reputational impacts of data breaches for solicitors and law firms are significant.
These include both direct and indirect costs, and in extreme cases, can lead to the closure of a business.
New technological applications in legal delivery, and the changing nature of work, mean that there are new risks of non-compliance associated with your legal business.
To meet members’ needs for timely advice, we’ve been updating our cybersecurity guidance for members throughout the pandemic.
We produced an updated practice note on using lawtech in your practice, recommending:
- annual penetration testing by a qualified technician of any lawtech system
- the importance of maintaining written outcomes of testing and records of failures to be addressed
- the crucial role that preparedness exercises have to play in keeping your business secure
The practice note includes a checklist of legal technology procurement questions you should ask suppliers regarding security, privacy and data compliance.
Obtaining expert advice
Practices should make sure they get expert advice from properly accredited and experienced cybersecurity professionals about the integrity of their online systems.
One way of ensuring this is by acquiring a recognised security certification.
Cyber Essentials Plus, the higher tier of the government-backed Cyber Essentials scheme, adds an independent hands-on technical audit of your IT systems to the self-assessment, providing the assurance you and your clients need about their integrity. Bear in mind that the scheme covers a baseline of five technical controls (firewalls, secure configuration, user access control, malware protection and patch management); certification is a floor, not a substitute for the regular penetration testing recommended above.
If the large amount of sensitive personal and financial data you're holding does result in your business being targeted, you’ll want to refer to our practice note on protecting your firm if you fall victim to a scam.
This will guide you through:
- the steps you need to take in the event of a breach in terms of your SRA and other regulatory obligations
- who you need to inform
- insurance matters
- informing clients and staff
- business continuity management in the event clients’ funds are compromised
Inefficiencies in cybersecurity practice
As well as ensuring firms have their own cyber houses in order, recent events have highlighted inefficiencies and poor practice in data supply chains.
UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and SRA obligations are all relevant when you share personal and other types of confidential data with suppliers and barristers.
We’ve agreed to form a joint advisory group, together with the Bar Council, to address gaps in good cybersecurity practice highlighted by recent ransomware attacks.
Working together on behalf of our members, we're looking to address the inefficiencies arising from multiple due diligence processes.
An example of this is law firms sending individualised questionnaires to barristers, creating significant bureaucracy without materially improving security.
Good cybersecurity is a cultural issue for your legal business, not a box-ticking exercise.
It’s about valuing your staff by giving them the training they need to understand the risks associated with the products and processes your firm employs.
It’s about regular testing and recording the resilience of your IT systems.
And it’s about ensuring that hybrid working doesn’t provide criminals with what they need to undermine the viability of your business, and the trust your clients put in you when they share their data.
What should you do?
I highly recommend the NCSC’s Exercise in a Box as an accessible tool for evaluating how resilient your business is to cyber intrusion.
For larger firms, it can be adapted on a departmental or business unit basis, and it’s a good way of engaging with staff working remotely.
I’d also encourage you to sign up for the NCSC’s Early Warning service. Early Warning is a free NCSC service designed to inform businesses of potential cyber attacks, as soon as possible.
The service uses a variety of information feeds from the NCSC as well as trusted public, commercial and closed sources, which include several privileged feeds not available elsewhere.
Finally, take a look at our recent webinar discussing cybersecurity and hybrid working with Karen J from the NCSC, and Kerry Beynon from our Technology and Law Committee.