The Continuous Leak. Law’s Turmoil With Cyber Security
Law, an industry with copious amounts of sensitive information and high profile clients, has been subject to a lot of focus from hackers.
Cyber-attacks in law firms increased by up to 20% between 2014 and 2016, with 73% of the UK top 100 targeted in the last year alone, highlighting the need to stay secure.
Attacks have occurred as recently as last month with DLA Piper suffering a ransomware attack that resulted in a required shutdown of all of their systems. According to the insurance firm, Lockton, which represents 27 of the top UK firms, the cost of the hack could run into the millions. It is no secret that a loss of income at this scale will have damaging effects on the firm, not to mention the loss of reputation as a secure and confidential firm which will take a considerable amount of time to recover.
The origin of all the chaos
Generally, the source of the first attack in a law firm, which follows the same trend as a number of other industries, is the employees:
- Email phishing aims to gain personal login and password details through clever use of wording and subjects such as client concerns encouraging the employee to cooperate.
And when considering who is most at risk there is a variance in results:
- The size of the firm creates variability in method of attack and effectiveness. Smaller firms tend to possess less sensitive information, meaning they are less beneficial to advanced criminal hackers.
- More junior criminal groups would pose a threat to those that have weaker defence systems. This has meant the number of attempted breaches in smaller firms is much higher than in larger, higher profile counterparts.
The method of attack also varies with attackers’ expertise:
- Lower skilled attackers rely on ransomware and other malware tactics in order to gain access. Smaller firms are more vulnerable to this as they are less likely to have defences or the means to recover files without paying the ransom demanded by hackers.
While many law firms are now rushing to set up high cost insurance policies to protect themselves in the event of an attack, this is counterproductive and could be seen as adding fuel to the flames.
Our view is that it is better to have a dual approach of better prevention and insuring rather than simply picking up the pieces afterwards. With that in mind, firms need to be proactive in their Cyber Security strategy and make it a core part of their client offering and have specialist board representation in this area.
The CISO option
Increasingly now progressive firms are adding the role of Chief Information Security Officer (CISO) to their key management team.
Working alongside IT Director forming a key part of IT strategy, the role of a CISO is to create a companywide constantly evolving method of layered defences allowing a flexibility and adaptability to attacks that may be capable of breaching more than a single line of defence. They develop a plan that prioritizes and categorizes threats, making managing them more effective providing increasing levels of security, and indeed true expertise in dealing with any major attack itself. CISOs truly specialise in building protective systems in order to prevent security breaches with most having multiple industry experience and being experts in new legislation like GDPR.
It is also good to note that firms that do so may also see that their insurance brokers are then increasingly competitive with their pricing for any policies offsetting some of the cost of this role.
Our CISO recruitment team
Here at First Point Group, our multinational reach has enabled us to build up an extensive base of CISO candidates who are capable of managing cyber security for even the largest databases and networks.
These can be on a contract basis to work with your IT team to develop a specific Cyber Security package, or indeed on a full time basis depending on the size of the firm.
Please do contact our expert Cyber Security Division to discuss how we may be able to assist you adding this expertise to your company, and indeed your client offering.
Other interesting related articles: