Why Cyber Risk Management Is Not the Same as It Support
Cybercrime is increasingly sophisticated, and methods of attack constantly evolve. Law firms are a prime target. Attacks pose a serious risk to data and system security, business resilience, client relationships and confidentiality, and business reputation. Security should be right at the top of any firm’s risk register. This is why firms must adopt proper cyber risk management systems and not assume that their IT function has it covered.
Ask yourself the following questions about your cybersecurity.
1. Who is currently undertaking and documenting your cybersecurity vulnerability risk
This is now a legal requirement under the Data Protection Act 2018 and it is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience. They should know the current methods of entry and forms of attack against law firms like yours, such as email account takeover, ransomware and spyware. It will provide you with an assessment of your vulnerabilities. It must of course include scanning and probing for vulnerabilities in your technology and its current configuration. But that alone is not enough. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms you rely upon; and so much more.
2. Who is configuring your security?
Your vulnerability assessment will provide visibility of risk. A cybersecurity professional can now determine how to configure your technology appropriately. This is a specialist job – configuration must provide protection against attacks without interfering with daily functionality. Firewalls, anti-virus, email set up, logins to cloud platforms, personal devices, remote connections, backups, access rights, user privileges, logs, detection alerts, are just some of a long list of areas requiring attention. Equally important, is advice on the other organisational controls and governance necessary to protect you against the risks identified.
3. Are you meeting legal, professional and regulatory requirements?
Does your security adviser really know how to comply with your legal obligation to take appropriate technical and organisational measures for the security of personal data, and to review their effectiveness on an ongoing basis? And do they know your regulatory obligations under the Code of Conduct and Account Rules, to protect client funds and confidentiality, to run the practice in accordance with proper governance and risk management principles and report incidents? And are they satisfying your record-keeping obligations?
4. Who is providing cybersecurity awareness training to staff?
This is about making all staff aware of the type of dangers that exist, including the tricks being used to gain access to credentials, your systems, data and finances. Some estimates reckon that over 60% of breaches are caused by staff error. So regular training is a crucial aspect of a firms’ defences. It is also now a legal obligation. And you should test that the training is working, by simulating attacks. We have frequently found that before training, over 25% of staff will click on phishing emails, but that figure reduces to under 5% after training.
5. Have you got the right policies and procedures in place?
Your systems are most secure when people know how to use them safely. Defining and communicating policies and procedures will help prevent or mitigate security incidents. As well as being another legal obligation, policies protect your business, your staff and your clients. And have your staff agree and sign for a cybersecurity staff handbook as part of their training, so that everyone knows the rules and what is expected of them.
6. Are you buying security software that you do not need and which is not actually solving your
Buying additional software will rarely solve your security problems. It just creates a false sense of
Worse still, we find many law firms have been persuaded to purchase a patchwork of expensive
security software and ad hoc deployments with overlapping functionality. In most cases, their
existing technology had perfectly good protection built in, if only it were correctly configured (and in
some cases, simply switched on).
7. Are you getting the right help in replying to client questionnaires and assessing your own supply chain?
Firms are increasingly being asked to satisfy clients and insurers about their security arrangements.
Your security professional should be able to take care of this. They should also be advising you on
the type of questions you should be asking of those with whom you share your clients’ data with
(such as barristers’ chambers).
8. Who is providing you and your partners with ongoing assurance that your security controls
remain both appropriate and effective?
It is a basic principle of risk management that assurance be provided by someone independent. It is
neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own
homework. Nor will their professional indemnity insurers when a breach occurs.
Just like a vulnerability assessment, assurance is not a one-off spot check. Over time, your
technology will change, as will the threats, forms of attack and methods of extortion. So testing and
auditing your security configuration and controls should be undertaken on a regular basis to ensure
your defences are kept up to standard and you continue to be protected. Again, checking the
effectiveness of your security measures on an ongoing basis and recording this in writing, is now a
The SRA has previously warned against reliance on third party IT to provide security. So if you still
think your IT support are the right people to be looking after your cyber risk management, you are
now lagging behind the field and are likely to suffer a breach.
Managing cyber risk is an important board-level responsibility. It is time to stop hoping you are
secure and start proving you are secure.
Author: Lindsay Hill, CEO at Mitigo