Are You the Lone Ranger When It Comes to Cybersecurity?
By sharing this story with you, I hope to give guidance on achieving the optimum security for your law firm, its brand, your staff and partners, and the protection of your client data, for the lowest possible investment.
Three years ago, a friend of mine got hacked. On their own personal computer, hackers got through to their bank details, applied for a loan online, and got immediate approval (with clearly no one doing the correct security checks). Within fifteen minutes, four large payments were transferred out of their bank. After years of back-and-forth conversations with their bank and the Financial Ombudsman to complete investigations, the issue was finally resolved, and they received what was rightfully theirs.
During the last couple of years, many fee earners and employees will have used their personal computers for work. Imagine if something similar happened, and they had access to all your law firm's files and accounts.
Law firms need to realise that the decisions made now will help prevent this from happening in the future, and my BIGGEST tip is – don’t presume or expect what is already in place is good enough.
1. If you're assuming the security that comes with your devices or bundled packages is adequate, then you're in for a shock! Check, then check again.
2. It's the equivalent of having your laptop hacked and taking it back to PC World because they sold you the device: the first question you will be asked is what security measures and software you installed and bought.
3. 95% of hackers reside not just out of the UK but out of the jurisdiction of Interpol and Europe, including countries like Algeria, Egypt, Israel, Jordan, Lebanon, Libya, Morocco, Palestine, Syria and Tunisia. This means there is absolutely no ability for police in the UK to recover your monies.
4. Responsibility is 100% with the law firm, not the bank, insurance company, or IT supplier. Responsibility ultimately resides with the COLP (Compliance Officer for Legal Practice) in your law firm.
It’s not like the sheriff will come riding over the hill with the bandits slung over the saddles, with your bags of swag dangling down from the trigger to save the day. It’s gone faster than the trigger can say neigh.
What did the Ombudsman say?
After discussions with the Ombudsman, it became clear that these people are developing very sophisticated ways of getting hold of your firm’s data. If you think your data is safe at home or at work, check, then check again, and keep checking.
Can you imagine the stress and pressure you would feel if you were responsible for a firm’s security and a breach happened? You really don’t want the sheriff coming along to your firm because your security was not quite good enough; thieves managed to get hold of your precious swag and are now blackmailing you with it, only to find out they have already put it all on the dark web.
Are law firms currently being hacked?
Cyber risk is too important to be left to chance. One in six firms attacked in the past year said they almost went under, according to the 2021 Hiscox Cyber Readiness Report.
According to Lawyer Checker, there was a 113% rise in fraud alerts in 2021 versus 2020.
The National Cyber Security Centre has recently highlighted a report from Trend Micro suggesting that 50% of firms don't have the capability to prevent or detect ransomware attacks. It stated that many have difficulty identifying activities that may suggest their networks have been compromised.
The report further suggests that 40% of organisations could struggle to implement mitigation methods even after falling victim to an attack. The SRA reported that threats had grown more than expected during lockdown, with a 337% rise in phishing scams in the first two months of the first national lockdown.
Threat to your Law Firm Brand Reputation
As a law firm, you should be reporting every attempted breach, along with actual breaches, to the SRA. When breaches do occur, there is then a process of informing all your law firm's clients exactly what has happened, and no one wants to be in this position.
Measuring Risk: Priority Vs Investment Vs Consequence
What do you consider would be the optimum investment to prevent the risk of a cyberattack that could potentially cause the greatest devastation to partners, your clients, and ultimately your brand?
The key is assessing the risk of each occurrence and, for a start, simply categorising it as high, medium or low.
Firstly, take the high-risk, high-consequence items, as these sit in the top right quadrant. Next, assess the investment needed for each element that can be covered and weigh up the minimum investment that should be deployed depending on your organisation, the data you are protecting, and the cost incurred by the consequence.
From that first step, start working through the quadrants, from the highest consequences to the lowest, with the investment needed to cover each. This builds up a priority order, enabling the law firm board to decide where easy wins for low investment cover the worst threats to your law firm brand. Like insurance policies, the more you invest, the more security cover you put in place.
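The quadrant walk above can be turned into a sortable risk register. The following is an added example, not Matrix247's own tool or method: the register entries, their likelihood and consequence ratings, and the investment figures are all constructed for illustration, and the choice to treat "medium" as the low side of the coarse 2x2 split is an assumption of this example.

```python
from dataclasses import dataclass

# Three-level ratings as described in the text; a higher number is worse.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str            # hypothetical risk-register entry
    likelihood: str      # "low", "medium" or "high"
    consequence: str     # "low", "medium" or "high"
    investment_gbp: int  # estimated cost of the control that covers it (constructed)


def quadrant(risk: Risk) -> str:
    """Place a risk on a 2x2 likelihood/consequence grid.

    'Top' means high consequence and 'right' means high likelihood, so the
    text's 'top right quadrant' is high/high. Medium ratings share the low
    side of this coarse split (an assumption of this example); the full
    three-level ratings still drive prioritise() below.
    """
    top = risk.consequence == "high"
    right = risk.likelihood == "high"
    return {
        (True, True): "top-right",
        (True, False): "top-left",
        (False, True): "bottom-right",
        (False, False): "bottom-left",
    }[(top, right)]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register highest consequence first, then highest likelihood,
    then cheapest control first: the priority order the board works through."""
    return sorted(
        register,
        key=lambda r: (-RATING[r.consequence], -RATING[r.likelihood], r.investment_gbp),
    )


def easy_wins(register: list[Risk], max_investment_gbp: int) -> list[Risk]:
    """High-consequence risks whose control costs no more than the given
    figure: the 'easy wins for low investment' that cover the worst threats."""
    return sorted(
        (r for r in register
         if r.consequence == "high" and r.investment_gbp <= max_investment_gbp),
        key=lambda r: r.investment_gbp,
    )


def cover_within_budget(register: list[Risk], budget_gbp: int) -> list[Risk]:
    """Walk the priority order and fund controls until the budget is spent,
    skipping any control that no longer fits in what remains."""
    funded, remaining = [], budget_gbp
    for r in prioritise(register):
        if r.investment_gbp <= remaining:
            funded.append(r)
            remaining -= r.investment_gbp
    return funded


# Constructed sample register; names, ratings and costs are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware via unpatched server", "high", "high", 4000),
    Risk("Phishing of fee earners", "high", "high", 1500),
    Risk("Lost unmanaged mobile device", "medium", "high", 2500),
    Risk("Backups not isolated from the network", "low", "high", 6000),
    Risk("Out-of-date staff security policy", "medium", "medium", 800),
    Risk("Outdated office printer firmware", "low", "low", 300),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{quadrant(r):13} cons={r.consequence:6} lik={r.likelihood:6} "
              f"£{r.investment_gbp:>5}  {r.name}")
    print("Easy wins under £3,000:", [r.name for r in easy_wins(SAMPLE_REGISTER, 3000)])
    print("Funded with £8,000:", [r.name for r in cover_within_budget(SAMPLE_REGISTER, 8000)])
```

Run as a script it prints the register in priority order with each item's quadrant and cost, then the easy wins under a £3,000 ceiling and what an £8,000 budget would fund. Replace the constructed register with the firm's own items and figures; the ordering and budget walk are independent of the sample data.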
We speak to new prospective law firms and existing law firm clients daily, currently supporting over 130 law firms, and they all have the same concerns.
What are law firms’ 7 key current security worries?
1. Being hacked, protection of client data being leaked and having to go public.
2. They are not 100% sure their backups are secure, and the risk of taking the whole firm down and not getting assets back is too high, as well as a poor reflection on them.
3. Some don't fully understand how it works in the cloud.
4. They're not sure if they have the right amount of security and management on their mobile devices.
5. They're not familiar with how air-gapping works (an advanced data protection feature used to isolate and detach target storage volumes from unsecured networks). In a nutshell, when air-gapped volumes are 'turned off', no one can gain access to your data.
6. Question marks around having the correct customer and staff security policies in place and implementing them.
7. Concerns about patching their systems and securing potential vulnerabilities.
Ultimately, it is just a never-ending cycle that everyone needs to play their role in.
No law firm practice wants to be involved in any breach, hack or ransomware attack that puts the firm's reputation and clients' data at risk, and you are probably hopeful that your head of IT has it all in hand – but do they?
So, what’s your approach and what’s in it for YOU by exploring this further?
Initially, we can complete a complimentary ICT security health check across your firm, so you have a completely independent report sent to you with all the facts. The good, the bad and the ugly will be on the table. There are no costs or expectations, but as we do this, we can also assist with the above seven key worries and provide awareness of which has the highest priority. You can then at least decide whether to do something, understanding where all the high, medium and low risks and vulnerabilities lie, and what their consequences are.
From there, you can consider the options to fix them.
We understand you will have an existing supplier relationship in place and may do lots internally, but this is not about them, as we provide a full, objective overview of any weaknesses that present a risk to you and your firm.
With many of the hundreds of law firms we partner with, we don’t actually conduct any financial business together for a year or more. We can simply be used as a sounding board to bounce ideas off, and we can share what direction many of our existing law firms are taking and which risks they deem appropriate to cover and which are not.
If you find that the advice, support and knowledge we share with you earns us an opportunity to tender in the years ahead for any specific projects, then fantastic, but not expected. We’re happy to provide you with full and transparent advice first.
Managing risk is all about working out how much the firm needs to invest in critical areas. The more you spend, the more security that’s in place. The report sent will also allow your COLP to demonstrate to the SRA that you have formally reviewed all risks and you understand your high, medium, and low-risk areas and are dealing with them accordingly. You do not have to undertake any of the recommendations; simply demonstrate you are aware.
As a result, getting this complimentary health check has immediate value in several regards for you.
Author: Stephen Pritchard, Matrix247