Is GDPR Still Very Confusing?
As cyber attacks increase, too many law firms fail to understand the threat or how to protect themselves, reveals a new poll.
A new poll shows around four in ten legal practices are still confused about GDPR rules, and only around one in four see cyberattacks as a leading risk to their business.
The poll comes on the back of a survey earlier this year from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.
The legal sector is beginning to realise it is at significant risk of cybercrime, not least because of the sensitive client personal data, commercial confidential information and significant monies held by law firms, says Chris Mallett, Broking Manager for Aon which commissioned the latest poll.
Chris Mallett points to increasing vulnerabilities associated with the growth of flexible working with staff accessing data on-the-go via their own personal computers, smart phones or tablets.
Yet the poll of 1000 SMEs, carried out through OnePoll, shows that more than one in seven in the legal sector allow staff to access data on their personal devices. In addition, the poll reveals that around a third of those surveyed were unaware of the time limit for reporting a problem, leaving them open to hefty fines.
The EU rules known as GDPR, which came into force in the UK in May, drastically increased the potential penalties for companies found to have misused or mismanaged clients’ personal data. According to Dr Emma Philpott, this has caused companies to focus on the issue, but the concern is that for many the effect was short-lived.
Dr Philpott is managing director of the UK Cyber Security Forum and CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government’s Cyber Essentials Scheme.
“As soon as the deadline for GDPR passed too many SMEs thought that was job done and that’s where their responsibility ended,” she says.
Philpott believes the big data breaches reported in the press help to raise awareness, but they can also cause data breach fatigue: a sense that the time, cost and high-end security needed to tackle this are complicated and overwhelming for an SME. “When in fact the basics don’t cost much,” she says. “Educating staff doesn’t cost anything other than time.”
Peter Wright, author of the Law Society Cyber Security Toolkit and managing director of DigitalLawUK, says too many companies don’t believe they’ll be hacked because they are a small, independent practice.
“But a malware attack is totally indiscriminate. When the WannaCry malware attack took place, Renault-Nissan and the NHS weren’t specifically targeted,” says Wright. “It was their operating systems being out of date and unsupported that compromised them, and the same can happen to any other organisation, including independent practices, however small, and however out of the way their location.”
Some companies remain resistant to change in working practices to improve security, adds Peter Wright. “They worry their clients won’t like the changes, and we have to remind them they are less likely to want a data breach.”
There is also a misconception that the damage is confined to a fine if a company gets this wrong, and Wright stresses that a fine, while it can be substantial, is the last thing companies should worry about.
“It’s the reputational damage that can be the hardest to recover from if a company isn’t seen to be aware of the risk and ready to deal with any attack,” says Wright. “That can hit turnover and future clients and even partners who might decide to leave and join a different firm.”
While all law firms have solicitors’ professional indemnity insurance (PII) in place, there are often significant costs that professional indemnity won’t pick up, adds Aon’s Chris Mallett, who points to the poll results showing that more than one in four legal practices believe they’re covered by their PII, while the same proportion admit to not insuring against cyber risks.
“This can leave a business facing hefty bills when they discover their PII doesn’t cover all costs,” says Chris Mallett, who says companies are surprised by how affordable cyber insurance is. “Specialist policies not only cover for the cost of responding to a breach, but also the costs of damages you’re legally liable to pay in the event of a breach or security failure, as well as associated legal costs.”