It’s all about trust...


All law firms and practitioners have an overriding obligation to preserve and protect the confidentiality of their clients’ information. This is a requirement under SRA Standards and Regulations, the Bar Standards Handbook, and the Legal Services Act 2007.

Despite this emphasis on data protection, the NCSC has reported that law firms are increasingly targeted by cyber criminals because of the extensive and sensitive legal information they hold for government bodies, corporations, and high net worth individuals. Ransomware and phishing in particular target firms deemed to be soft targets by financially motivated criminals (NCSC Threat Report: UK Legal Sector).

Disruption to a firm’s operations can be costly, both in terms of billable hours lost to outages and in costs to clients that depend upon them. This makes legal practices particularly attractive to cyber gangs aiming to extort money in return for restoration of IT services or data.

Moreover, reputational damage is potentially even more costly than the direct financial implications. A firm’s relationship with its clients is built upon a foundation of trust. A breach of information can damage not just the relationship with the affected clients, but also the firm’s wider reputation, which could be extremely difficult to recover.

There is an understandable perception that cyber security is expensive and onerous to operate, especially for SME law firms. It doesn’t have to be either of these things, but good security does require some thought.

Questions you should be asking:

  • What monitoring is in place around those critical assets that would have an impact if compromised, damaged, or altered?
  • Is monitoring happening in real time and managed by trained security personnel?
  • Do we have procedures in place for staff to report any suspicious activity, and is this routinely reinforced through training refreshers?
  • Are we protected by professional security operations centre (SOC) personnel who will know how to manage alert thresholds and recognise genuine alerts when they occur?
  • Do we have visibility of all the physical, virtual and software assets on our network and their status? Are they maintained with the latest patches and versions?
  • Are we able to identify and remove shadow IT which may be introduced into the network by our own staff?
  • How do we authenticate and grant access to users or systems? Is Multi Factor Authentication in use and is access granted based on least privilege?
  • How is storage separated so that an attacker will not get access to all copies of our data?
  • Are we able to avoid a long recovery that could damage corporate reputation and brand?
  • What data is ‘critical’ and how frequently is this backed up? How frequently is non-critical data backed up?
  • How confident are we that we would be able to recover from these backups? How frequently is this checked?
  • How are our backups stored? Offline or different locations? What are our recovery time and recovery point objectives?
  • Do we have clear escalation routes and defined decision-making processes to deal with a major cyber incident?
  • Do we understand our regulatory requirements and obligations to report data loss incidents?
  • What are our contingency measures to maintain business operations?
  • Are we able to practice our response to cyber incidents, and how do we learn from these exercises?

Cyber security is a strategic risk to any business and especially to law firms whose reputation with clients is paramount. Does your firm’s cyber security provide the protection your clients demand?
