Most legal practices have yet to get to grips with the idea of “cyber resilience” but it is a strength that they urgently need to acquire now. Only then can a legal practice develop and deliver new IT-supported service propositions that can add significant value to services for clients, introducers and business partners.
The need for cyber resilience
The increasingly high-profile threat of security breaches, such as the attack on Mossack Fonseca and the extensive breaches reported more widely in the legal sector, is holding many back from introducing innovative working practices that could improve their performance and future prospects.
It shouldn’t be that way. Law firms need to become confident that they are as safe and secure as they can be, understanding the risks and knowing the boundaries that can’t be crossed, but at the same time, pushing their deployment of IT up to safe margins within those limits.
Unfortunately, many of the fears about potential breaches of data security and confidentiality are justified.
Just like risk management generally, many of the steps needed to minimise risk have to be applied widely across the practice, requiring personal compliance with rules and collaboration across internal departments. This is not just an issue for the IT team, although they have a significant role to play.
Resilience is not just about preventing cyber crime, but encompasses cyber security on many fronts.
A cyber-resilient law firm should “have the capacity across the business to maintain their core purpose, operations and integrity in the face of cyber attacks and cyber security breaches. A cyber-resilient practice is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. It successfully aligns continuity management and disaster recovery with security operations in a holistic fashion.”
The threats are real. Just like the risk of a break-in or a fire, there should be an assumption that it is inevitable. Something serious will happen someday – so prepare for it now.
The concern is that lawyers are generally just not doing much of what needs to be done to minimise cyber risks, even though doing this effectively would enable them to be more innovative in their use of IT within defined boundaries.
Many lawyers are not exploring new tools to improve business operations or support new ways of servicing clients because they fear, but don’t fully understand, what cyber risks they face, and how or to what extent those risks can be managed.
What are the real cyber risks?
The challenges here are nothing new. Stand up, those of us who have sent at least one email to the wrong person? Not too many people left seated, I am guessing! How many firms have innocently sent completion money to the wrong firm or client? Too many, but both of these cyber breaches are generally down to human error.
Feedback from research reported in “The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats”, conducted by Ponemon Institute LLC, in January 2016, reinforces the global picture of the source of risks. Conclusions here apply as much to law firms (with confidential client and transaction data and routine financial transactions at risk) as to other data-sensitive business sectors like banking.
1) Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to research reported in the 2015 Experian Annual Data Breach Industry Forecast, this represented 59 per cent of security incidents in the last year. They conclude that policies and processes to prevent cyber breaches are still not taken seriously enough and that employee training programs to support them have not been high enough on the agenda, suggesting that this will continue to be a source of future breaches.
2) Persistent attacks have the second greatest impact. They are less likely to occur, but frequency is certainly increasing for law firms. Do you have tools to help identify attempts to breach your security?
3) Third-party glitches in software are common but are not perceived as likely to have the highest impact on cyber resiliency. How extensively are your software applications scrutinised for frailties here? To test apps for common vulnerabilities, check out resources such as www.owasp.org.
Cyber security in the cloud
One particular area worth exploring in law firms relates to the risks around the increasingly routine use of hosted and cloud-based IT applications. We are keen to help law firms adopt the cloud, as cloud applications can significantly improve and streamline lawyers’ access to and use of information to help manage and process their work. However, they should only be used if security can be assured.
This warning from the head of a major supplier of cloud-based solutions for law firms in the UK reflects the concerns we hear in the sector: that lawyers just haven’t been paying enough attention to the risks:
“For law firms, the challenge is that they are trying to weigh up the costs of implementing solutions against the perceived threat and the value the firm will receive. This is difficult for partners to understand, so decisions don’t get made. However, one breach could bring down the whole firm. One of the big areas of concern in my opinion is the education of staff and their understanding of security not only in terms of IT security, but also for Professional Indemnity Insurance – it is a long road but the journey really does need to start.”
Most firms use some hosted or cloud services, but not many evaluate (and then minimise) the risks involved in using these applications … all of which we are keen to get lawyers using. Examples of hosted and cloud applications now used routinely in legal practices include business intelligence, conveyancing searches, online case management, online CRM, web content management systems, VoIP for telephone systems, online HR, performance management, Dropbox and online document management, extending to fully hosted practice management systems.
Convincing recent research reported in “Cloud Security Temperature Check: A question of visibility, governance and management”, a Freeform Dynamics Inside Track Research Note, May 2015, confirms the key risks as:
- IT teams are not involved early enough to assess security before lawyers start using a cloud service.
- Lack of understanding of cyber security issues at top management level – and by users.
- The IT team often doesn’t even know what users are using, so there is no overall control.
- Passwords are shared routinely and treated frivolously.
- Policies and procedures are not in place.
- IT teams lack the software to monitor usage anyway.
Making it happen
The first priority is to ensure that the leaders of the business recognise the risks of potential breaches of information security and take those risks seriously. This requires them to set the tone and to take a lead as advocates for discipline in managing information, which they must practise too.
They must deal themselves in, and then introduce the following steps.
1) Plan and prepare for an incident. To contribute to that, evaluate the potential for breaches of confidentiality, integrity or availability (applying this to on-premise systems too, not only the cloud).
2) Make all your people (including senior management) aware of the dangers involved and then commit to addressing the risks. Give them clear pictures of how they can get it wrong and what they can do to get it right.
3) Give one function or department within the firm responsibility for ensuring resilience. Within that, enable efficient and effective backup procedures and business continuity.
4) Train key people to understand, communicate and police the risks.
5) Develop collaboration between teams to ensure good practice is applied widely.
6) Know what data is in the cloud, identify its sensitivity (personal data, price-sensitive data etc.) and evaluate the risks.
7) Establish clear policies on mobile devices and communications, and adopt technologies that enable control over insecure mobile devices (including BYOD), since such devices are critical security hazards. Indeed, it has been said that “the risks are … wherever your people are.”
8) Carry out challenging penetration and vulnerability testing.
9) Improve, monitor and enforce the routine operations that impact security. For example: protect passwords and require effective updates; use https; encrypt data, emails and attachments; and only notify passwords by SMS or letter.
10) Consider formalising systems by implementing ISO 27001. A good start would be to buy a copy of the standard itself to see what compliance entails. It would also give good guidance on what steps you should take, whether or not you intend to go for formal certification.