Thanks to the nature of the privileged information they hold, legal practices and institutions have become a key target for threat actors looking to steel valuable information. The sector also has a number of challenges ranging from typical partnership ownership models - which don’t incentivise investment in non-revenue generating functions - through to an industry that has historically been implicitly trusted and thus not had to contend with anything of the scale of cyber security that could undermine this trust.
Why are legal firms such a prime target?
cSome of the key findings from my work with the legal sector has revealed that:
- 70% of the firms do not place cyber resilience within their top 5 risks
- 85% of firms do not have a documented strategy to improve cyber resilience
- 75 % of firms do not have a formal security training and awareness campaign
- 70% of law firms do not have a named person response for information security and cyber resilience
- 60% of firms do not use two factor authentication for remote access
A large law firm is a ‘data treasure-chest’ for various threat actors. Examples of sensitive information being managed by law firms may include:
- Information on trade activities such as M&As and large commercial deals
- Human rights cases/litigation information
- Criminal case information
- Case and/or litigation strategies
- Intellectual property/patent Information
- Sensitive witness information and evidence
- Personally Identifiable Information (PII) for various groups
- Escrow bank accounts and similar high value and volume transfer accounts
- Market sensitive financial information
- Sensitive data and intellectual property obtained through discovery
Are law firms asking the right questions?
Law firms should be asking themselves crucial questions:
- Do our senior partners take cyber security seriously and do they understand the key threats to our firm?
- Do we have a clear cyber security strategy, sponsored at senior level which details how we will protect sensitive information that belongs to us and our clients?
- Have we identified our critical information assets and established how effectively they are protected?
- Do we understand how information is sent, stored and processed by our staff and our supply chain?
- How are we raising awareness and understanding of an employee’s role in helping with the firm’s cyber security information protection mission?
- Are we keeping our IT systems patched on a regular basis?
- How effective are our employee, contractor and supplier vetting processes?
- Do we have a robust process for managing privileged access on an ‘as needed’ basis?
- How are we controlling our mobile device usage?
- How effective are our business continuity and disaster recovery processes?
- If we experienced a cyber attack or major data breach, how soon would we know and would we have the ability to respond and recover in an effective manner?
Traditional compliance-focused security models are no longer effective to deal with todays cyber threats. It is unrealistic to expect that technical defenses alone will prevent all cyber incidents and as the complexity of attacks continues to increase, law firms will need to adapt to this new world.
