Cyber criminals mean business, and increasingly their prime target is the law firm. For this reason, Access Legal regularly runs cyber security events and panel discussions with law firms on the topic.
Here are some law firm cybercrime statistics from the Solicitors Regulation Authority (SRA), drawn from its recent thematic review visits to 40 practices, which covered cyber security:
75% of the law firms visited reported having been the victim of a cyber attack
For 23 of those that were directly targeted, over £4m of client money was stolen
Half of the firms were found to allow unrestricted use of external data storage media
25% of the firms were not encrypting their laptops
Protecting a business from cyber attacks is becoming increasingly challenging, because today's cyber criminals are growing rapidly more sophisticated.
The legal sector handles highly sensitive information and controls huge sums of money on behalf of major businesses and individual clients alike, which unfortunately makes it a very attractive market for cyber criminals.
A lot of this information is highly personal and confidential, which is the type of information that GDPR and other regulations are designed to protect. And that’s exactly why it is so valuable to cyber criminals.
Personally Identifiable Information and Confidential Business Details
GDPR and other legislation give law firms legal as well as ethical reasons to manage their clients' information carefully. Legal transactions of all types, from conveyancing to court proceedings, often require volumes of highly sensitive and personally identifiable information to be transmitted, stored and exchanged.
Such information must be protected at every stage and every move, and law firms must consider secure transactions and document management solutions.
Whether by email or cloud services, legal firms often find themselves acting as the communication hub between multiple clients and service providers, and so hold a unique position of trust.
Every document a legal employee opens could carry malware, so communications must be even more secure than in most other industries.
How do law firms typically manage cyber security?
Law firms are generally responding to the growing cyber threat in the same way as other sectors. For all firms, improving use of technology remains a priority, as well as standardising and centralising business processes and ways of working.
But law firms have a particular complexity: multiple customised systems, bespoke applications and several case management systems, often doing a similar job to other systems in the same firm. Each extra system widens the attack surface, raises the cost and effort of basic cyber hygiene such as patching, and multiplies the number of security controls required.
The result is a complex and costly cyber security posture. Complexity is the enemy of cyber security, and it may be time for a rethink.
Best Practices for Cyber Hygiene
When it comes to securing data, learning from previous mistakes is incredibly important. Past breaches and hacks show that a few simple measures can go a long way toward preventing attacks and securing networks. These lessons include basic cyber-hygiene practices such as:
Using strong, unique passwords for every account (a password manager helps), and changing a password promptly whenever compromise is suspected, rather than on a fixed schedule
Enabling two-factor authentication for access
Restricting physical and online access to critical databases and systems to staff who need it for their role (the principle of least privilege)
Applying required security patches promptly
Keeping software updated and current: as attackers develop new ways to penetrate your network, you must be equally diligent in shoring up your defences.
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a simple government-backed security scheme to help protect firms from most cyber-attacks. It concentrates on the basic security hygiene that keeps out most attacks from the unskilled hacker (thought to be more than 80% of all cyber-attacks).
Cyber Essentials comes in two flavours: basic and Cyber Essentials Plus. Both cover the same five technical controls (firewalls, secure configuration, user access control, malware protection and security update management); the difference is that basic Cyber Essentials is a self-assessed questionnaire, while Plus adds independent, hands-on technical verification of those controls by an assessor.
Law firms should seek to be Cyber Essentials Plus certified, even if this needs guidance from an experienced consultant. Everybody puts more effort into meeting a third-party audit than into what amounts to a paper-based checklist, and clients have more confidence in an external audit.
Contact Blue Car Technologies to learn how we and our specialist partners can help your firm choose the right solution, as well as the implementation and deployment, to ensure that your business is always prepared.