By John Wareing, Legal Security Consultant, Red Helix
The legal sector has seen rapid digitalisation over recent years, partly driven by the remote working forced upon legal staff during the pandemic and partly due to the efficiencies enabled by new technologies. Firms are continuing to reduce their reliance on working with local networks and using hard copy documents, moving to cloud-based, mobile technologies and CRM systems that grant more flexibility and additional capabilities to increase productivity, attract new staff and win more clients.
However, due to the nature of the work and sensitive data it deals with, there is a high level of risk that comes with the legal sector utilising technology. Law firms are a prime target for cyber criminals and as more devices and digital tech expand the threat landscape across the sector, cyber risk remains a key concern. This is evidenced in PwC’s 2022 law firms’ survey, which revealed that 78% of the Top 100 law firms indicated cyber risk as something they are extremely or somewhat concerned about.
The legal sector has also been heavily affected by the talent shortage brought about by the pandemic, with 45% of firms citing retention as their biggest challenge during this period. While offering a good salary and work/life balance go a long way in retaining employees, there has been a growing focus on the security of an organisation. Legal professionals are not only including security and risk in their decisions to join a firm, but documented attacks may also provide them with a reason to leave, shown by a recent report which found half of staff might quit following a cyber attack.
As cyber criminals continue to evolve their tactics alongside the technological advances in the industry, the sector’s cyber response also needs to evolve, taking a proactive response to security. Law firms must ensure they not only have cyber security protection and training in place, but that the security estate they are using is fit for purpose and they have the right talent to manage it – or else risk breaches, which can lead to huge financial, reputational and personnel losses.
A security estate that is fit for purpose
Knowing what security is right for your firm is easier said than done. As industries across the board have become ever more reliant on digital ways of working, cyber security itself has become an increasingly noisy space, with a current market value of over $150 billion worldwide. With the expansive list of different options to choose from, how do you know which cyber security approach will be right for you?
The first thing to remember is that there isn’t a one-size-fits-all solution. Different law firms operate within different environments, using a wide array of systems, which will require different types of protection, and there are companies that can help you identify and address your security priorities.
While there are cyber security basics that should be in place for all firms – such as endpoint protection, threat detection and response, and zero trust network access – the only way to know the effectiveness of your current system is to regularly test your environment against real threats. In doing so, you can find and address any gaps in your security estate – before they are found and exploited by hackers.
The same applies to cyber awareness training for your staff. With the threat landscape continuing to grow, providing a one-off or annual training session isn’t enough to fully protect your organisation. Instead, regular awareness testing needs to be conducted to identify any gaps in your employees’ knowledge, followed by regular training to keep up to date with the latest threats.
Cyber regulations in the legal sector
Another point to consider in achieving a high standard of cyber security in the legal sector is the increase in government regulations. New laws have been proposed to strengthen cyber resilience in the UK, and while these have been mainly targeted towards ensuring external providers meet a required standard, there are also growing levels of legislation across other industries.
The EU financial services sector will soon see the introduction of the Digital Operational Resilience Act, with the UK already hinting at an equivalent bill to protect financial services in the country. Additionally, the telecommunications industry has also been presented with new regulations under the Telecommunications Security Act.
With both of these targeting industries crucial to the UK infrastructure, it is only a matter of time before further legislation is directed towards the legal sector. There is already a directive for all businesses to meet the criteria of a digital I.D. and trust framework, as well as large fines for companies that are subjected to a data breach. With more regulations likely to be introduced, firms need to ensure their security is up to standard in advance.
Not only will testing your cyber security model ensure you are prepared for any mandatory requirements that hit legal services in the future, but being able to demonstrate your security performance envelope will also help secure work with international partners that already have strict regulations to adhere to, as well as supporting compliance with growing cyber insurance checklists.
Secure now and ready for the future
The growing digitalisation of the legal sector is undoubtedly something that should be celebrated, driving efficiency, productivity and allowing for new ways of working. It does, however, bring increased risk to an already heavily targeted industry, meaning cyber security measures need to be particularly strong within legal organisations.
To ensure strength, firms need to regularly test and assess the level of security provided across their full environment, including all systems and devices. It is also imperative to provide regular training and assessment of staff’s cyber awareness, to avoid falling victim to attacks that target the human factor.
By committing to regular testing, your organisation can continue to tune its security maturity, protecting it and complying with any future legislation. Only then can your cyber security posture evolve with the threat landscape instead of just ticking a box, helping you to win and retain clients and staff for the long term.