How can law firms adapt to the cyber security threat
21 October 2019
This year’s Law Firms’ Survey showed cyber security risk to be an area of concern for all responding firms. Unsurprisingly; and consistent with last year’s survey when 82% of the Top 100 law firms said they were ‘somewhat or extremely concerned’ about cyber security; all law firms reported this year that they are concerned about Cyber security threats as regards meeting their ambitions and business objectives.
Law firms are increasingly targeted as they hold a wealth of sensitive data and large amounts of client money. Law firms have always been targeted for this reason but increased use of digital and cloud-based solutions means that the ‘attack surface’ and exposure to threats has increased.
Data security and privacy are hot topics in the media and corporate reputations are quickly tarnished. This year, every law firm has suffered a security incident.
Law firms consider the cyber security threat to be greater than one year ago; indeed it is cited as the second greatest threat behind Brexit. Given the elevated threat, it is perhaps concerning to see that there are few firms where cyber security risk is managed at the executive level.
Here we look at three elements of how law firms can adapt to the cyber security threat environment:
1. Making your firm “securable”
How do law firms make themselves more secure and resilient in the face of increased attacks?
The survey shows us that the Top 10 law firms are spending lots more on IT than other law firms.
For all firms “Improving use of technology” remains a priority, as does “standardising and centralising business processes and ways of working”.
Organisations tend to improve security and respond to incidents by layering security controls onto what is already an overly complex environment. Making a firm ‘securable’ often requires new ways of thinking, re-engineered business processes and a re-imagining of technology infrastructure.
2. Complexity is the enemy of good security
Law firms often have many customised systems, bespoke applications and several case management systems, often doing a similar job to other systems in the same firm. This increases the ‘attack surface’ unnecessarily and exposes the firm to risk. This also increases the cost and complexity of maintaining and patching systems.
Stripping out complexity can reduce cost and help improve security. Fewer and simpler systems, used in the correct way, are easier to maintain and keep secure. In addition, if systems can be used as originally intended: ‘off the shelf’ without customisation, this can also make the system easier to protect.
3. Multi-year transformation and the [increased] cost of doing business in the digital age
Strengthening cyber security capabilities comes at a cost and is likely to require investment over multiple years. There is no real quick fix to making a firm secure-able. Managing partners need to be prepared to invest to improve security over an extended period. It is then unlikely that spending levels will return to pre-investment ‘norms’ – essentially, there is an increased, ongoing cost of doing business in the digital age.
Ultimately, though, it all comes down to a change of perspective on ‘value’. Investing in a law firm’s cyber security will not show up in traditional measures of return on investment. However, it is possible to show the value of a data breach not happening, and the value of keeping clients’ data, client monies and the firm’s data secure.
The cyber security threat is recognised by all law firms as a high priority risk that could prevent the achievement of business objectives. However, recognising the risk is only the first step. The survey shows that this risk is, typically, not owned at the executive level. Law firms need to act and executive ownership and tone from the top are essential for managing this risk effectively.
If you would like to speak to one of our experts or find out more about how to address these security threats, then please get in touch.