David Aird
IT director,
DAC Beachcroft
DAC Beachcroft
Research comment
LITL 2019 security special
reports|March 2019Law firms explain what’s on the agenda for managing the risk of cyberattack
GET YOUR COPY NOW
INSIDE
Protective powers
Cyberattacks are on the rise. We asked law firms what’s on their agendas for managing cyber risk, including client audits and the benefits of having a dedicated CISO
WHO'S WHO THIS MONTH
Karen Jacks
IT director,
Bird & Bird
Bird & Bird
Research comment
ISSUES IN BRIEF
Cybersecurity was one of two new ‘priority risks’ to make the Solicitors Regulation Authority’s set of 10 in its 2018/2019 risk outlook. It is, of course, hardly a new risk. “But we recognise that this is of increasing concern to the profession, so we have set it out as a separate risk,” the SRA said in its foreword to this regular report.
The regulator itself received 157 reports of cybercrime back in 2017, up 52% on 2016 – and of course, the nature of attacks continues to evolve. In 2017, for example, it says that email fraud fell to an average of just under half (46%) of those crossing its path; in the first quarter of 2018 this had shot up to 71%. Email modification, or so-called ‘Friday afternoon’, fraud is the most common of the scams that hit law firms, where criminals falsify emails from a supposed client, (or the firm itself) leading to new bank details being handed over by one or the other. And of course, there are the likes of phishing/vishing activity and malware/ransomware – both of which were also singled out in the UK National Cyber Security Centre’s first report on the threat level facing the legal sector specifically in 2018.
PLACE YOUR THREATS
The number of law firms reporting information security incidents is on the up. In July 2018, the National Cyber Security Centre (NCSC), part of GCHQ, found that 60% of law firms had reported some form of information security incident in 2016–2017 – an increase of almost 20% on the previous 12 months. Richard Brent and Andrew Muir report on what, if anything, can be done.
I NEED A CISO?
In Legal IT landscapes 2019, only 15% of law firm leaders reported that somebody with the specific title CISO is the most senior person responsible for information security in their firm (p9). At three-fifths of firms it is a CIO or IT director, and at a quarter of firms it’s somebody else entirely. Assessing and deciding exactly what needs to be done to prepare is perhaps the difference that a chief information security officer can make.
MINDSET THE GAP?
Dean Hill, executive director at Eze Castle Integration, says law firms are becoming increasingly knowledgeable about the range of cybersecurity attacks they could expect to see targeting their systems. Proper incident response continues to be business-critical – but certain actions can also reduce the likelihood of a successful attempt in the first place.
