Hardly a day passes without reading about another business being hit with a cyber attack. According to the Law Society, in 2023 65% of UK law firms were the subject of a cyber attack. The Law Society Gazette reported that over the past 12 months this has increased to a staggering 77%. It is not just the smaller (perhaps less well prepared) firms being caught; there have been a notable number of very large firms being the subject of attack, e.g. Allen and Overy had a major ransomware attack last year, and we all remember the DLA Piper attack in 2017 which essentially shut the business down for weeks. The impact on firms can be huge, both in terms of disruption to business, cost and reputational damage. It can also result in hefty fines from the regulator. The ICO can fine firms up to 4% of their annual turnover for not protecting client data and the SRA can issue fines of up to 5% of turnover.
The threat does not only come internally; you also need to consider the threat from your supply chain. Remember the cyber attack on the MSP CTS this time last year? CTS were supplying IT services to around 40 firms, all of whom were impacted by the outage. One firm I know was without core IT service for almost 4 weeks.
Having spent the last 20+ years running IT for some of the world's largest law firms and some smaller firms, IT security has always been high up on my agenda.
Why are law firms targets?
Law firms are often described as the soft underbelly for attacks. Law firms hold highly confidential, personal and commercially sensitive information about clients. This, together with having a reputation for not having particularly robust cyber defences in place, makes them a key target for cyber criminals. Things are changing and law firms are now taking cyber security far more seriously than when I joined my first firm in 2005. Prior to joining the legal sector I worked in Financial Services where there was a much greater focus on security. When I joined my first law firm they didn’t even have a password policy in place and I had to drag them kicking and screaming into using (very simple) passwords. At one firm I even had the Senior Partner threatening to sack me if I didn’t remove the password from his mobile device!! Things are now generally very different, although some firms I come across still only have very elementary security in place, which clearly places them at huge risk.
What are the threats to firms?
The threats faced by law firms are no different to any other business and include phishing attacks, ransomware, DDoS, insider threats from disgruntled employees and attacks via your supply chain. Research undertaken by NetDocs suggests that in 2023 almost 60% of all cyber incidents and data breaches in law firms were caused by internal staff: phishing, clicking on web links or sending emails to the wrong recipient. The pandemic also changed the security landscape significantly (and put more focus on it). It’s one thing protecting your own environment and perimeter when everyone is working in the office, but remote working presents a very different challenge as you have much less control over the devices that people are using – hence the recent big focus on MFA, MDM etc.
What action should firms be taking?
As a CIO for law firms I have always had responsibility for IT and data security. Protecting your firm from cyber attacks is a complex task and I believe requires a multi-layered approach, made even harder because threats are continually changing. The layers will include:
- Protecting your perimeter to stop threats breaching your defences and getting into your environment. There are numerous tools to help you achieve this, and as an IT leader you will be bombarded with sales calls to sell you the latest ‘must have’ tool. It would be very easy to spend significant amounts of money on the latest security tech, but the challenge is to select what is right for your environment and provides the defence against the threats you are facing. I have seen firms buy security technology which in my view is completely unnecessary for a firm of that size and complexity whilst ignoring some other far more obvious vulnerabilities in their environment. One example is a high street firm with around 40 people buying a security product which I couldn’t even justify at my international firm with 4500 users and 50 offices around the world – clearly a very good salesperson was involved!! The increasing move to a cloud-based model will help mitigate some of this risk as the cloud provider will (should) have in-built security models.
- Educate your staff. For a law firm this is one of the most complex areas, as we know that busy lawyers hate spending time in the classroom learning about non-legal ‘stuff’, particularly IT! Attitudes are changing very fast and IT security training is now often compulsory along with compliance training etc. E-learning and training modules which are tuned to individual users are helping. As I said above, 60% of security incidents involve staff, so it is critical to get this right; it is also not just a one-off, ongoing user awareness is essential. In the past IT security has always been seen as the responsibility of IT, and you can understand why, as the main defence was technology: firewalls, anti-virus etc. There is now far greater recognition that everyone in the business has a part to play in protecting it. IT may still drive the initiative but everyone needs to take responsibility for their own actions.
- Increasingly firms are making greater use of third parties in provisioning IT. This brings with it different challenges and you need to manage potential threats coming from your supply chain. Make sure your suppliers take security just as seriously as you do. If they don’t have robust security in place, look to replace them. I was recently advising a firm on the selection of a new system and we had selected a preferred supplier; however, as part of the due diligence we conducted a security review and they fell far short of our security requirements, so consequently they did not get the business. If you have a breach and it was the fault of a supplier, the regulator will not care; as far as they are concerned the responsibility is yours. We are hearing a lot more about breaches coming in via the supply chain. It is a serious threat, so do your homework.
Doing it yourself vs using a managed security service provider
Large law firms, including those that I have worked at, normally have in-house CISOs and cyber security teams, a luxury that most mid-sized and smaller firms cannot afford (or perhaps need). For these firms cyber security generally falls under the remit of the already busy IT team, who struggle to provide the security the firm needs – this may be because they do not have the skills required or, as is often the case, they do not have the time. I recently came across a law firm that had a security breach because they had not patched a key system. Why? Because the person responsible for doing this was off sick.
There has been an increasing trend across law firms over the past few years to outsource parts of technology to third parties and use off-premise solutions, be that cloud providers, managed service providers, SaaS applications etc. I was an early adopter of this approach as I believed it gives us access to true experts in their field. As a CIO I have to provide the firm with a vast range of services, from running the infrastructure, applications, telecoms, security, innovation and so on, and it is highly unlikely that I will have the depth of knowledge that a specialist in only one of these areas will have. In addition to getting that expert help, importantly it allowed my internal IT teams to focus on areas where they can add real value to the firm. Third parties can run a network just as well, if not better, than I can and probably more cost effectively due to economies of scale. However, a third party is unlikely to understand my firm, how we operate, our processes and what we need from technology as well as I do. This is where we can add real value to the firm, so my model has always been to give the work to those that are best equipped to do it.
Following on from this, a more recent development has been the advent of specialist Managed Security Service Providers (MSSPs) who manage your complete security provision. Unlike many internal IT security functions, the specialist MSSP will utilise the very latest security and monitoring tools and have highly experienced staff to keep your environment safe. This allows firms to access experts to manage security on a 24x7 basis at an affordable price. The MSSP will be constantly monitoring your environment, alerting you to any threats and remediating any events, often without you knowing. Like many cloud and SaaS developments, it allows smaller firms to access technology and services that in the past have been the preserve of the largest firms. I have recently implemented this approach with a mid-sized firm, and it has immediately improved their security posture at little extra cost.
How much should law firms be spending on Cyber Security?
There is no straightforward answer to this, as much will depend upon the size and complexity of your firm and the maturity of your cyber environment. If we consider that an average firm will spend around 5% of its annual revenue on IT, it is not unreasonable to expect around 10% of that budget to be spent on cyber security.
One thing I frequently hear from IT is: the firm will not give me the money I need for security, so how can I persuade them to give me the budget? Firstly, I think law firm management today have a far better understanding of the threat from cyber-attacks than they have ever had, and also that mitigating these risks is not just a job for IT. With any business case that you take to the Board you need to clearly describe the problem you are trying to resolve, the value that the investment will deliver to the business and the impact of not doing it. Don’t scare them, but be forceful in your arguments. Use language that the Board will understand; they are generally lawyers and will not understand IT talk, or even less, security talk. Go in with a highly technical presentation and they will switch off immediately. Ultimately what they want is for you (as a trusted advisor) to reassure them that by taking your proposed action the firm will be safe. In front of the Board you talk business, not IT – I always say that as a CIO I am a business leader who happens to be running an IT shop, not a technologist. Many who have come up through the technical ranks struggle with this.
Summary
- Cyber threats are increasing and all firms must take the risk seriously.
- It is a firm-wide responsibility to mitigate the risk, starting with the Board.
- If you do not have the internal expertise/resource to manage the risk, engage with an MSSP who will support you on this journey.
- Cyber is not just IT; the human element is just as important, so educate your staff.
About the Author
Chris started his career in Financial Services, holding senior IT positions at NPI Asset Management, Schroders, Henderson Investors and Cogent Investment Operations. He joined law firm Ashurst as CIO in 2002. Since leaving in 2009 he has undertaken a number of roles including Interim IT Director of international law firm Kennedys and CIO of cloud email management company Mimecast. Chris is the former Global CIO of international law firm Clyde & Co, where he managed an IT team of 150 staff across 45 offices globally and also led the Business Acceptance Unit and Litigation Support. He advises a number of businesses on IT strategy and how to deliver value from technology.