With the threat of cyber attacks continuously materialising, cyber is now a top risk to national security in several countries, including the UK.
While high-profile targets like major banks or critical infrastructure such as power stations or transport networks may be seen as facing the most obvious risk, the legal sector should not underestimate the threat it faces.
Law firms often benefit from a long, trusted relationship with their clients. They have privileged access to sensitive, high-value information such as intellectual property, commercial details around mergers and acquisitions and personal information. Law firms may also be considered targets for cyber attacks due to their client base and connection to public interest or high profile cases.
If any of this information were to fall into the wrong hands it could affect client relations and cause irreparable damage to a firm’s reputation. Furthermore, a major cyber security incident could trigger potentially devastating legal proceedings and result in regulatory sanctions.
Law firms are increasingly being targeted because they are often regarded as a weak link in the security chain and an easy route to clients' data. Attackers are likely to be highly sophisticated and will invest time and resources in getting to the information law firms hold. Firms must adapt their security to respond to this threat.
Companies are now recognising the risk posed by third-party security breaches and are starting to take action, for instance by contractually requiring suppliers to maintain a certain level of cyber security. In the US, many banks are now auditing their law firms to assess their level of security, with non-compliance having the potential to result in the loss of business. With increased regulatory scrutiny on both sides of the Atlantic regarding cyber security, we expect this trend to spread quickly to Europe and to all industry sectors.
Legal organisations need to act now to address their cyber security risks. They must ensure their systems are appropriately protected to retain the trust of their clients and their competitive advantage.
Law firms should consider three key points:
-To work towards long-term cyber resilience, they need to understand their risk profile and identify what specific threats they face, which assets in the organisation are most at risk and what the potential impact of an attack would be.
-They must then consider implementing flexible and focused security strategies that will continuously improve their security. Activities include training and awareness programmes, risk assessments, policy and procedure creation, and role-play simulation to increase board awareness of the cyber issue.
-In the immediate term, firms need to consider what would happen if a successful attack were to happen tomorrow. They must decide how they will react and how they will notify any affected clients and the appropriate regulator. Firms must ensure they are monitoring their systems so that they know as soon as possible if an attack is happening, and have a clear and effective response procedure to quickly stop the attack and limit any damage.
Law firms should not view cyber security as a drain on valuable resources; instead it should be considered a business enabler. By proving they are taking the risk seriously and reassuring clients that their data is safe, they can secure clients’ trust and gain business from competitors who do not offer the same protection.
James Alexander, cyber security partner at Deloitte