Strong Defences Are Not Enough – Why Lawyers Need a New Way to Think about Cybersecurity
By Jeremy Hendy, CEO at Skurio
How can law firms protect sensitive client information, now that the changing nature of technology means data is no longer under their control? Jeremy Hendy, CEO of Skurio, explains why the profession needs a new, holistic approach to digital risk.
If you’ve been following legal news lately, you’ll know that a growing number of law firms are falling victim to cybersecurity attacks. February 2021 alone saw two major breaches in as many weeks, with hackers reportedly accessing mediation documents and other confidential client material.
Importantly, neither of these cases involved the firm’s own cybersecurity being breached. All the right solutions were in place, and all the patches up to date – yet two of the world’s biggest law firms had to inform clients that cybercriminals may have seen their private information.
This presents a new conundrum for lawyers. In a profession where trust and confidentiality are sacred, how do you keep clients’ secrets when your firm’s data is increasingly outside your control?
Your clients’ data has left the building
It’s easy to see why leading law firms take cybersecurity so seriously. The sensitive information lawyers hold is a high-value target for scammers; in research by PwC, 100% of firms surveyed had been subject to a recent cyberattack.
This data can be used in tactics from identity theft to conveyancing fraud – making it highly attractive to criminals, and meaning a breach can have potentially disastrous consequences for the client.
Once, good IT defences would go a long way towards keeping that information safe. But the changing face of technology, and legal work in general, means much of your data now lives outside your defences and your control.
The need to use the best technology, save costs, and access information from anywhere means third-party cloud-based services are now an integral part of law’s IT landscape.
Both big breaches reported in February resulted from issues with a third-party tech supplier. They’re far from isolated incidents; just last May, 193 law firms had data exposed by a legal software platform in the UK – including phone numbers, eye colour, mothers’ maiden names and National Insurance details.
The fact that none of the legal practices concerned were directly responsible for the breach was unlikely to be much comfort to the clients affected.
Human beings are… well… human
The irreversible rise of cloud technology is not the only way your clients’ data is spreading outside your physical premises.
The surge in remote working over the last year is another trend that looks set to stay – with workers reluctant to return to the inconvenience and expense of a daily commute.
Outside your premises, busy colleagues are more likely to use their own devices to connect to your network, download applications without approval, or leave hardware unattended where it can be used or stolen.
But even on your site, and however good your training, human beings will always be fallible – whether they’re absent-mindedly clicking suspicious links, or making other basic errors.
2020 saw a string of malware and ransomware attacks that forced high-profile legal firms to shut down key systems and websites, and in one case allegedly compromised personal correspondence from celebrity clients.
Meanwhile, in the UK, a freedom of information request revealed that an astonishing 41% of breaches reported by legal firms to the Information Commissioner’s Office were the result of employees emailing the wrong person.
Time for an honest view of digital risk
With so much of your firm’s work, data, and technology now out in the world, there’s an important truth to face. The traditional IT security method of fortifying your network’s immediate perimeter is no longer enough. You can’t prevent every cyber breach.
We think it’s better to take a more holistic view of your digital risk, one that combines strong defences with a keen eye on what’s happening outside your organisation. This way, you can minimise potential damage by reacting immediately when data or user credentials are compromised, and taking proactive measures when you spot a potential threat.
It’s a more practical approach, acknowledging the realities facing the industry today. We call it Digital Risk Protection.
Using smart automation and alerts, Digital Risk Protection gives you a clearer view of your whole risk landscape. This includes combing the Dark Web for discussions about your vulnerabilities, and signs that your data or credentials are being leaked, marketed or sold. It also monitors the internet for tactics like typosquatting, which scammers can use to target your clients.
This lets you prevent breaches by focusing your cybersecurity efforts around the most important threats, and revoking compromised credentials before they’re used.
Just as importantly, you can act fast when a leak does happen – to preserve client relationships, and show the relevant authorities evidence of your response – instead of waiting for the news to break.
Protect your data, wherever it lives
‘Digital Risk Protection’ performs that monitoring for you. It constantly searches the surface, deep, and Dark Web for your firm’s data and credentials – and alerts you instantly, so you can take action, prevent attacks, and intervene before your clients’ private information can be used against them.
Through our extended use case support, this can include monitoring for client data, confidential documents, and details of your infrastructure.
Working with Lex Mundi, we already help to protect legal firms from Japan to Colombia, and we understand how the sensitive nature of client data can impact your risk profile. Every day, we see first-hand how breaches – especially those that aren’t your fault – are inevitable. And how much difference a fast, proactive response can make.
If you’d like to know more, please visit us at Skurio.com.