Is The Industry’s Guidance On Cybersecurity Being Ignored?

Law firms are increasingly finding themselves in the crosshairs of cybercriminals.

For threat actors, the logic in targeting such enterprises is simple; law firms manage highly sensitive data that, if stolen, can offer lucrative rewards.

To provide some context, the pandemic instigated a mass transition to cloud-based operating models, with many legal documents now stored, managed and collaborated on digitally. Having recently surveyed 150 legal professionals in a UK Legal Services Cybersecurity Survey Research Report, we found that almost half of law firms (47%) had introduced digital services.

For many, this has simply been a question of necessity. From cost management to rising client expectations, law firms must adapt, not just to operate successfully in the new normal, but also to unlock competitive advantages and overcome new obstacles. And they have done so, tapping into technologies spanning digital case and document management, cloud-based billing and expenses systems, legal customer relationship management tools and online collaboration platforms.

Through the adoption of such technologies, law firms’ digital footprints have grown, expanding the attack surface, while the volume and sophistication of threats have also increased. These include what we term Highly Evasive Adaptive Threats (HEAT). Specifically designed to target web browsers, they can evade multiple layers of detection in security stacks and bypass common web security measures to deliver damaging malware or compromise credentials.

So as professionals increasingly work in their browsers, attackers adapt to target those users directly. As a result, firms are faltering in the face of new threats. Our survey of legal professionals shows that more than a quarter (26%) work in a law firm that has experienced a cyberattack.

Industry bodies are paving the path to best practice

Within this context, the industry has never been in greater need of clear policies and best practice advice concerning cybersecurity. Here, industry bodies are stepping up to the plate. Both the Solicitors Regulation Authority (SRA) and The Law Society have published guidance for the legal industry, offering support in developing cybersecurity policies and procedures.

The Council for Licensed Conveyancers (CLC) has also demonstrated its advocacy of consolidated cyber practices among law firms, raising the idea in a 2021 consultation paper that such enterprises should be required to purchase standalone cyber insurance. Of course, such efforts will only be successful if they are well received by law firms. On the face of it, it would seem as though they are.

According to PwC’s latest Annual Top 100 Law Firm Survey, published in October 2021, the top 100 UK law firms highlighted cyberattacks as the biggest threat to their ambitions. Further, nine in 10 expressed concerns over the impact of cyber threats on their business.

Our own survey demonstrates similar sentiment, with 92% of legal professionals saying that the reputational damage caused by a major cyberattack could be “damaging” or “very damaging”. Meanwhile, 90% were concerned about the potential inability to operate, and 87% over data loss.

It seems therefore that all the ingredients for law firms to embrace cyber best practices as a priority are present. But there is a disconnect between sentiment and implementation.

Firms are failing to act on key advice

While legal industry bodies are taking serious strides to provide guidance on avoiding attacks, it is surprising to see that many firms are yet to act on this advice. When asked about the industry advice and guidance published by The Law Society and the SRA, our survey reveals that while the majority of respondents are aware of it, only a third have read it.

What is concerning is that the study also suggests that firms are failing to provide employees with adequate advice and direction on security best practice, despite the threats facing them.

A sizeable minority of respondents revealed they are not satisfied with the cybersecurity training they are receiving. While 77% of law firms have introduced more flexible operating models to enable home and hybrid working, just 58% of those firms have also adapted their cybersecurity measures to support these changes.

Unfortunately, where firms are failing to update training and best practice – key ingredients of a security-first culture – other concerning statistics have emerged. Only around half of legal services professionals are confident that their firm is well prepared to deal with an attack. Almost one in five say it’s not their responsibility to identify and report cyber threats, while 69% are satisfied they know how to deal with a phishing email, leaving around a third who do not. Security must be a priority, and this begins with following industry advice about the challenges.

There are some simple steps that law firms can take to improve their defences. This starts with identifying gaps in the security stack and adopting internal policies and procedures suitable for remote and hybrid working environments to effectively address new attack vectors.

Companies should also become aware of the concept of Zero Trust – an approach that moves away from the assumption that everything inside a network is safe, and towards a default-deny methodology. This recognises trust as a vulnerability and ensures that all traffic – emails, websites, videos, and other documents – is verified.

For law firms, achieving peace of mind is critical. As cybersecurity risks continue to rise, they will need to constantly rethink how they operate to ensure employees remain safe and confident in the way they work and serve their clients.

About the author: Mike East is VP Sales EMEA at Menlo Security.
