The case for the defence: How Law Firms can fight cyber attacks from the front line

18 March 2016

In the last three to four years the number of cyber attacks against all types of organisations has rocketed. Their complexity, too, has increased. And the rise in volume and complexity is set to continue. PwC’s Law Firm Survey found a considerable increase in the sector, with 62% of firms saying they had suffered from a security incident, up from 45% in 2014.

Cyber-criminals’ motivations vary. But whatever their intentions, they could all do serious damage to a law firm’s reputation, finances or even its very viability. Cyber intrusions range from criminal opportunists all the way to nation-state level attacks. Some hackers are following the money, others are motivated by ideology. Some, a mixture of the two. But all present a real threat. And increasingly they are finding ways to attack firms from the inside rather than spending the time and effort to penetrate an IT system’s perimeter security. They do this by targeting individuals within an organisation who can be tricked into providing access. And a law firm, whose principal asset is its large number of people, all connected to both their own and others’ systems, offers a target-rich environment.

Law firms are uniquely attractive because of that data integration with many different organisations. They are involved in transactions that frequently include many different parties. They are responsible for moving and managing clients’ money, as well as their own. And their activities make them particularly attractive to cyber criminals. We’ve seen relatively sophisticated thefts attempted by well-organised and patient criminals who, once they’ve penetrated a firm’s system, are prepared to watch the progress of a transaction for months, learn about it and wait until the very last minute before diverting the final transfer of funds. Nation states, with an interest in commodities trades or intellectual property, are also drawn to law firms’ connections with large corporate clients, as are cyber terrorists and ‘hacktivists’.

So given the extent of the challenges they face, what steps should law firms take to defend themselves? Reassuringly, we are seeing a considerable increase in spending on securing technology. And that is clearly important. However, the most likely route into a firm’s system is via its people. That means committed efforts to create awareness of attack strategies and to change behaviour in response will be more important than ever in supporting robust security. That may mean finding ways to mandate changes in behaviour by, for example, linking compliance with reward. Fee-earners need to be provided with the incentives and the means to adapt their behaviour and develop a culture of security across the firm.

With the growing regulatory emphasis on data security and the awareness of the duty to protect information, law firms are especially exposed to the risks that could arise from a major breach. While the loss of client funds is a serious matter, it pales in comparison to the reputational damage that a successful, high-profile attack could cause. Cyber security is not a risk that can be left to the IT team to manage. It’s a challenge that cuts across the whole organisation. And the actions to address it need to start at the very top.

Raoul Rambaut | Partner, Risk Assurance
