LITL 2019 security special
Law firms explain what’s on the agenda for managing the risk of cyberattack
Cyberattacks are on the rise. We asked law firms what’s on their agendas for managing cyber risk, including client audits and the benefits of having a dedicated CISO
Cybersecurity was one of two new ‘priority risks’ to make the Solicitors Regulation Authority’s set of 10 in its 2018/2019 risk outlook. It is, of course, hardly a new risk. “But we recognise that this is of increasing concern to the profession, so we have set it out as a separate risk,” the SRA said in its foreword to this regular report.
The regulator itself received 157 reports of cybercrime back in 2017, up 52% on 2016 – and of course, the nature of attacks continues to evolve. In 2017, for example, it says that email fraud fell to an average of just under half (46%) of those crossing its path; in the first quarter of 2018 this had shot up to 71%. Email modification fraud, or so-called ‘Friday afternoon’ fraud, is the most common of the scams that hit law firms: criminals falsify emails from a supposed client (or from the firm itself), leading to new bank details being handed over by one or the other. And of course, there are the likes of phishing/vishing activity and malware/ransomware – both of which were also singled out in the UK National Cyber Security Centre’s first report on the threat level facing the legal sector specifically in 2018.
The number of law firms reporting information security incidents is on the up. In July 2018, the National Cyber Security Centre (NCSC), part of GCHQ, found that 60% of law firms had reported some form of information security incident in 2016–2017 – an increase of almost 20% on the previous 12 months. Richard Brent and Andrew Muir report on what, if anything, can be done.
In Legal IT landscapes 2019, only 15% of law firm leaders reported that somebody with the specific title CISO is the most senior person responsible for information security in their firm (p9). At three-fifths of firms it is a CIO or IT director, and at a quarter of firms it’s somebody else entirely. Assessing and deciding exactly what needs to be done to prepare is perhaps the difference that a chief information security officer can make.
Dean Hill, executive director at Eze Castle Integration, says law firms are becoming increasingly knowledgeable about the range of cybersecurity attacks they could expect to see targeting their systems. Proper incident response continues to be business-critical – but certain actions can also reduce the likelihood of a successful attempt in the first place.