Cyber attacks can cost a business dearly, with victims facing reputational damage, lost clients and devastating financial consequences.
Law firms are particularly exposed because of the sensitive client information they hold. Awareness among the larger firms is rising. Recent research conducted by The Lawyer and insurance broker Willis, ‘Risk barometer: a study on how attitudes and approaches to risk management differ between UK law firms’, found that 19% of law firms with more than 100 partners identified cyber attacks as their greatest risk. The picture is different at firms with fewer than 100 partners: not one of those surveyed cited cyber crime as their biggest fear.
Prompted by the report, The Lawyer and Willis brought together a group of law firm risk managers for a roundtable discussion of how the dangers apply to firms of all sizes. High street residential conveyancers have become targets of phishing scams timed for Fridays, when attackers know the firms’ client accounts hold pre-exchange funds. International firms, meanwhile, face a constant barrage of scam emails, which employees still click on even after training and countless reminders.
And that is the trouble. Britain’s intelligence agency GCHQ has warned that employees are the weakest link in the security chain. The culprit is rarely a malicious former employee: a government survey found that 31% of the worst security breaches in 2014 were caused by inadvertent human error.
State-of-the-art firewalls may, in some respects, have contributed to the problem, by leading employees to believe that the technology is doing all the work and that they are protected. But attackers stay a step ahead by getting inside the mind of their intended victim. ‘Social engineering’, as it has been termed, means they have studied the victim’s personal information online and know what is likely to make them click a damaging link in an email. The attacker sets up a convincing sender address, often impersonating someone within the firm, and knows the language to use and the hot topic that will get their target to open an attachment. Technical controls only go so far here: a sender address can be forged outright unless the firm’s mail gateway checks SPF, DKIM and DMARC, and a lookalike domain registered by the attacker will pass even those checks, which is why the recipient’s judgement still matters.
Asking users to create complex passwords and to change them regularly may also be compounding the problem. People are busy; such tasks add a burden to their day, and they quickly fall back on a password they can easily remember, such as one they already use for their social media accounts, so a breach of that site exposes the firm’s login as well. Restricting access to file-sharing sites and asking users not to send documents between work and unsecured home email addresses may add security, but again can be onerous for employees.
Those managing law firms have a tough task ahead. Security must be implemented (corporate clients are increasingly strict in auditing their law firms on this point) without alienating users, while still providing them with the tools they need to do their jobs efficiently.
Making training more interactive, with a fake scenario that shows just how bad the consequences could be, hits home harder than bland presentations. Seeking feedback from users on how to make the security process work in practice can help create ownership of the issue, so that it is not seen as just the IT department’s problem. Communication also needs to be ongoing, given the shape-shifting nature of the cyber criminal.
Buy-in is essential at all levels, starting at the top, and that may include convincing a senior partner that the rules apply to them too.
It is an issue every professional needs to be aware of, given that their own reputation could be at stake should their actions contribute to a high-profile security breach.