Lawyer Monthly - November 2021 Edition
WWW.LAWYER-MONTHLY.COM | NOV 2021

EXPLORING THE CYBER THREATS FACING LEGAL SERVICES

costing current clients and numerous new business opportunities. It is therefore crucial that legal practices start taking the necessary steps toward improving and implementing cyber security measures to properly protect client and business data.

Taking action

Those in the legal sector yet to examine their security levels and act are risking the serious repercussions that come with cyber-attacks. With phishing attacks the most prolific, it is important for legal firms to properly educate employees on the signs of a phishing attempt and how to respond. It can also be useful to introduce policies and processes centred around ensuring monetary transfers are secure, especially if requested via email.

To avoid insider risks, legal practices must keep data highly protected and inaccessible to unauthorised personnel within the company. A general rule of thumb for employees is that they should only ever be able to access the data and systems needed to perform their job role; anything else is a security risk and should be avoided. User monitoring can also be helpful for law firms so anomalous or suspicious activity can be detected and investigated in case it is an attempted breach of data. Many cybersecurity solutions on the market offer this kind of threat detection AI in conjunction with a team of specialised cyber security analysts to verify the legitimacy of threats.

Cultivating a general culture of cybersecurity awareness in a legal firm ensures employees are vigilant and proactive to help prevent and respond to attacks. Introducing security policies and requiring all employees to read them as part of the onboarding process encourages this awareness and focuses their attention on where they can assist – for example, using strong passwords, inspecting emails, locking screens when away from a desk, and so on.
More and more legal practices are also adopting certain cybersecurity standards that are centred around key security controls and achieving the relevant certification that indicates the company has these measures in place. In the UK, some popular ones include ISO27001, which is internationally recognised, and the UK Government’s cyber security standard, Cyber Essentials, which helps a company reduce 80% of its risk by aligning with five critical technical controls: Firewalls and Internet Gateways, Secure Configuration, Patch Management, Access Control and Malware Protection. The Cyber Essentials certification is actively encouraged by the Law Society and the SRA, the latter of which recently reported that firms certified to Cyber Essentials Plus were more likely to have good policies and processes in place to help protect against cybercrime.

The legal sector will remain a top target for cybercriminals due to the sensitive nature of data and money held, so law firms need to stay one step ahead. Mitigating the threat of data breach is possible with the correct implementation of cybersecurity solutions and standards, complemented by building an awareness and understanding throughout the legal workforce around the dangers of cyber-attacks and the importance of data protection. With these measures working side by side, legal services can stay secure, maintain a good reputation, and protect client confidentiality.

If a legal firm experiences a data breach, this sends a message to their clients, partners, suppliers, and stakeholders that they are not a secure business and data held by them is not being protected effectively.