Cyber security is not an just an issue your IT guy needs to address. Rather, cyber security is an issue that the firm’s leaders need to address. It’s an issue requiring education of all staff and the introduction of operational processes that the whole firm needs to be aware of, and compliant with, in order to minimise any future risk.
In LexisNexis’s 2019 Decoding Cybersecurity: Clause and Effect Roadshow nearly half of the contributing practitioners in a survey said they are not well prepared to act in case of a cyber attack. Almost half of the legal industry surveyed reported Australia’s cyber security laws are insufficient. Whilst 72% are concerned current regulations are open to privacy breaches. Significantly, more than 85 per cent believe the legal industry still needs to upskill in cyber security measures.
Lawyers control confidential and sensitive data
Law firms handle some of the most confidential and sensitive client information. So, what cyber security risks is this information vulnerable to?
Steps the legal profession has taken to embrace technology thus far have been small but significant. As law firms embrace technology, they must concurrently, address the cyber security risks they may face in the future.
Loss of sensitive data
It is well known to cyber criminals and the public generally, that law firms possess some of the most confidential and sensitive client information. When handling data of this nature, it is important to ensure the appropriate security measures are in place. Although some lawyers use cloud storage services such as Dropbox, most if not all law firms communicate using email. Email communications are vulnerable to scams such as phishing.
By way of explanation, phishing is the process of fraudulent emails being sent to internet users with the aim of obtaining sensitive information. An example of a phishing scam involving a law firm includes emails being sent by hackers under the client’s disguise. If an employee clicks on attachments/links in such an email, they will be redirected to a malicious site demanding sensitive information. Therefore, to prevent this from happening, it is important to educate staff members about distinguishing between legitimate and fraudulent emails.
The cyber attack on DLA Piper
You may recall in 2017, the well-known law firm DLA Piper shut down digital operations due to malware on their system.
This incident involved the NotPetya malware and spectacularly demonstrated the potential damage that cyber events can cause in terms of business interruption, loss of data and income, and remediation costs.
The malware spread from computers that had not been patched for vulnerabilities to computers that had been patched. It took only one unpatched computer in a network to cause chaos.
Could this affect a small law firm? The answer is yes and relevant to this point, it has been reported that 22% of small businesses breached by this 2017 ransomware attack and the WannaCry attack in the same year, could not continue operating!
DLA Piper was one firm of many businesses affected globally. In DLA Piper’s case the malware compromised operations for days as the firm’s lawyers had no access, and then only limited access, to computer systems or email. Apparently, the firm had to spend 15,000 hours in overtime for its IT employees to address the issues.
The DLA Piper incident did not leak client information, but what happens if firms cannot stop data breaches on time? Not having the necessary protections in place equates to not handling customer information properly.
Lawyers must abide by their legal and ethical obligations not only to follow the rules of the profession, but also to foster trust with their clients.
Adequate cyber insurance and staff education are the solutions
Regardless of the size of your law firm the possibility of cyber attack is real. It would be a backward step to restrict technology in your law firm. With appropriate insurance protections in place as well as education programs for employees, your firm can also become a secure, technology-friendly environment.