Is Cybersecurity the Achilles Heel for South African Law Firms?

In a country where poverty, corruption and racial injustice are daily challenges, cybersecurity might, on the surface, feel like something of a luxury. A “nice to have” instead of a non-negotiable necessity.

In South Africa, at least, this seems to be very much the case. As a relatively sophisticated market, and one of the biggest economies in Africa, South Africa is the number one target for cyber criminals in Africa, according to Interpol.

Despite the fact that we’ve established a military Cyber Command, and adopted a national cybersecurity strategy, other issues always seem to take priority, so under-funding and a general air of neglect are common.

That’s not to say, of course, that corruption and other issues shouldn’t be high on the government’s agenda. But there also has to be room for those “silent” issues that, if not properly and timeously addressed, will grind our country to a halt just as effectively as unchecked corruption.

Globally, the number of cyber-attacks is growing at a startling rate, and experts estimate they will cost the world over $24 trillion by 2027. But perhaps even more concerning, is the increasingly sophisticated and dangerous nature of many of these attacks.

According to a Data Breach Investigations report by Verizon, between 75% and 91% of targeted cyber-attacks start with an email. Why? Because emails involve humans, and humans are, well, only human, and thus vulnerable to making mistakes. It’s far easier to trick a person than it is to breach a high-tech security system. Very often, all it takes is a single unsuspecting click on a malicious email.

Other common human errors include:

• Weak password hygiene: Unsanctioned password sharing, reused passwords across platforms, and passwords that are easily guessed all increase the risk of unauthorised access.
• Unsecured data transfer: Sending sensitive data via unencrypted channels or using personal email accounts for work purposes pose a major security risk.
• Failure to patch vulnerabilities: Outdated software and operating systems often have known security flaws that can be exploited by attackers.

As a result, despite every good intention, nearly three-quarters of data breaches involve some kind of human interaction.

Law firms are particularly vulnerable to these kinds of cyber-attacks. They are treasure troves of confidential client information, intellectual property and financial data, all of which makes them highly tempting prospects for malicious actors.

In addition, because law firms, by their very nature, operate largely on a foundation of trust, they are far more susceptible than many other businesses to social engineering tactics like phishing emails.

To make things worse, despite the frenetic digital transformation that took place worldwide in the wake of the COVID pandemic, the legal profession was slower than most to adopt the robust cybersecurity measures needed to protect their clients’ sensitive data.

The situation hasn’t significantly improved four years later. So many law firms still have employees working remotely at least some of the time, many using largely unprotected home Wi-Fi networks. No wonder the bad guys are rubbing their hands together in glee.

In a stark and sobering reminder of what can happen when law firms fall short of their legal liabilities, the recent landmark case against top South African firm Edward Nathan Sonnenbergs saw the company held liable for a staggering R5.5 million after a cyber-attack compromised client data.

It was a tough and expensive lesson in the consequential severity of failing to adequately protect sensitive information.

An article on law.com’s website explains that in South Africa, the financial risk of a data breach is two-fold:

• Any legal entity can be fined by the regulator for failing to report a breach.
• Taking the necessary steps to report a breach is a costly process.

Even South Africa’s Protection of Personal Information Act (POPIA), is not a silver bullet. Perhaps a “legal shield” would be a more accurate description.

POPIA dates back to 2013, but only came into force in 2020. Interestingly, the act doesn’t regard a data breach itself as a failure to comply, as long as it is reported.

The Department of Justice and Constitutional Development Affairs (DoJ) found itself at the pointy end of this subtle distinction in July last year when it was fined by the South African information regulator for failing to comply with the act. Not only did it ignore an order to renew antivirus software licences, but it also failed to report the data breach that happened as a result.

(It suffered a ransomware attack in September 2021 in which documents containing personal information were compromised and files lost. This disrupted the functioning of courts and messed with the electronic services offered by the department, as employees could not access the information systems).

So, as replacing their human employees with robots is not an option, what measures can law firms take to shore up their defences and help protect themselves more effectively against cyber-attacks?

These are some of the tools we’d recommend any law firm keeps in their toolbox:

• Employee education and awareness training: Regular training programmes can give your staff the knowledge and skills they need to identify and avoid common cyber threats.
• Strong password policies: Enforce the use of complex passwords and mandate regular password changes.
• Multi-factor authentication: This adds an extra layer of security by requiring a second verification step beyond just a password.
• Data encryption: Encrypt sensitive data both at rest and in transit to ensure it remains inaccessible even in the event of a breach.
• Regular backups: Having secure backups allows for a swift recovery in case of ransomware attacks or system failures.
• Secure remote access solutions: Implement secure remote access protocols and educate employees on safe practices when working remotely.
• Regular penetration testing: Conducting periodic penetration testing helps identify vulnerabilities in your systems before attackers do.
• Incident response plan: Having a well-defined incident response plan means you can roll out a coordinated and efficient response in the event of a cyberattack.

At the end of the day, cybercriminals are constantly refining and strengthening their tactics. Ransomware attacks, supply chain attacks, and attacks targeting cloud computing environments are all growing threats. This means we have no choice but to continually adapt our defences and be increasingly alert and vigilant.

Law firms in particular need to implement more regular monitoring to help them identify any unusual behaviour and call it out before it threatens their clients and their company. Clients must be able to trust that the firm they work with can keep their sensitive information secure.

“A multidisciplinary team needs to be involved with the data protection function, and simulations should be carried out to test the incident response procedures,” says Rosalind Lake, director at Norton Rose Fulbright South Africa.

Forewarned is forearmed, so if I’ve help to forewarn you today, my work (for the moment, at least) is done.