Cybersecurity and Law Firms

tsw-lockkey

Handling activities with large associated financial values such as property sales, or mergers and acquisitions, is making targeting law firms a highly attractive target for cyber criminals. Once hacked, law firms lose their most prestigious asset: their reputation. Clients will switch firms even if they just sense there is the potential risk of having personal data leaked.   Data is money, and even power.  It has to be protected at all costs.

It’s been suggested that law firms are not taking cybersecurity seriously enough and are not putting appropriate measures in place to avoid attack. Firewalls and antivirus systems may not be enough to ensure protection; clients are sometimes now asking firms to prove their cyber-security capabilities by requesting that periodic security audits and ‘ethical hacking’ exercises be carried out regularly to expose any weaknesses.

Law firms are the new target

Hackers have already breached the security systems of at least one major international law firm, transforming a long-predicted cyber espionage scenario into reality. In the US, two magic circle firms were among the top 48 firms targeted in order to gain sensitive information on mergers and acquisitions, highlighting the sophistication of hackers and their more bespoke approach to targeting firms in specific sectors or following high-profile business deals.

Yet it can be difficult to implement new cyber-security procedures within firms if senior partners do not adhere to them. For example, while firms may have policies barring the use of online storage services such as DropBox, some partners continue to use them (2).

Hacking is a growing threat

In 2014, 173 UK firms were investigated by the Information Commissioner’s Office in reference to a number of incidents that were suspected to have breached the Data Protection Act. A total of 187 incidents were recorded – 29% related to security and 26% related to the incorrect disclosure of data (5).

Victims of this rise in attacks are both big and small corporations; however, small businesses are becoming the easiest and preferred target due to a lack of security measures in place. In fact, half of last year’s cyber-attacks in the UK were directed at businesses employing fewer than 2,500 people (1).  With the majority of law firms falling within this bracket, cyber-security measures should be taken very seriously by everyone working in a law firm.

Particularly for law firms, many of the staff are decision makers, compared with other business sectors where only Managers or the Accounts department have access to important company information.  Conversely in a law firm, lawyers and partners have access to huge amounts of highly sensitive data about their clients.

Recommendations

The Metropolitan Police offers a variety of information on how to prevent firms from being hacked. The most relevant recommendations for law firms centre around protecting access to data, across: ensuring access control so that staff only have access to the files they need rather than granting company-wide access to shared folders.  Additionally, encrypting any information stored on removable media or portable devices and considering the use of systems that eliminate the need for any files to be stored on portable devices is important for controlling how and where data is stored.

In addition to this, firms should be making sure that any device connected to organisational systems, including remote working, is vetted for security. Data transmission within and beyond the firm should be secure at all ends and access rights for staff who have left the firm should be revoked immediately.  Predictably, it’s important as we know to conduct background checks on applicants, especially those who will have access to highly sensitive data – thinking about how employees could use or export data.  Are you making it too easy to quickly download all of your client information onto a hard drive?  Or are you providing adequate controls to employees who are using their own devices to record client information, such as tablets and mobiles?

Price Waterhouse Coopers also recommend to take other specific measures.  Firstly, some clients will have specific requirements around how their data is managed by the law firm.  IT Directors at law firms need to be mindful of how these requirements are adhered to over the long term so that standards remain high.

Secondly, a global law firm needs to be able to satisfy global clients on a global basis. So, sharing information across a global network in a secure way is critical, as is ensuring that data protection policies in each region are adhered to.

Finally, understanding what data you have, and where it is located is key.  With so many easily accessible cloud storage tools and USB products available, it can be a huge task to even figure out where information is stored.  Which applications have which data, who has used a USB stick to handle client data in the past year, and is anyone using DropBox or personal Microsoft and Google accounts to share information or send files?

Apart from the previous recommendations, it is also important to consider practices such as ethical hacking exercises, which are carried out from the inside to detect a firm’s weaknesses to uncover potential opportunities for hacking. One firm which is already carrying out this practice is London media specialist practice, Schillings.  The firm has recently rebranded itself as a risk consulting and technology security practice, even promoting its services to other law firms to help with penetration testing and ethical hacking exercises to test system vulnerability (1).

C24 is holding a specialist cyber-security and social engineering course that is nationally accredited and delivered by UK specialists who train police forces in cyber security.  Each place normally costs upwards of £300 ex VAT per delegate, but C24 is offering ten IT Managers, Directors or CIOs the opportunity to attend the accredited half-day course for free.

Register your interest here.

 

 

References

(1) https://www.thelawyer.com/issues/28-october-2013/cyber-security-lawyers-are-the-weakest-link/

(2) https://www.lawgazette.co.uk/practice/manda-hack-attack-on-48-elite-law-firms/5054524.article

(3) https://www.lawsociety.org.uk/news/stories/scams-against-solicitors-met-police-offer-advice-and-support-on-fraud-prevention/

(4) http://www.pwc.co.uk/industries/business-services/law-firms/insights/cyber-security-issues-facing-law-firms.html

(5) https://www.lawgazette.co.uk/practice/ico-probes-173-law-firms-over-data-protection-breaches/5048260.article

 

Embarking on a Data Journey Like a Start-Up

C24 Data Driven Firm Pic 1

In our recently launched whitepaper, we have been looking at how new professional services firms can integrate data analytics from the ground up, and how existing firms across the legal and accountancy sectors can look to start-up companies for a more entrepreneurial approach to big data.

Becoming data driven instead of data wary is a process, not a single project.  Many legal firms are now comfortable with the idea of using big data and analytics tools for management reporting and the preparation of financial data.  But the next step is moving along from Managing Information reporting, and building analytics activities into revenue growth and client facing activities.  For more information about moving on from MI reporting, read our other LinkedIn post on the subject.

We see the next step in moving away from MI reporting is Demand Generation: utilising internal and external data feeds to drive revenue through more targeted and measurable marketing activities.  We are in talks with legal firms who are now pulling feeds from Mailchimp, CRM systems and internal case management systems to drive marketing strategies; such as who to target, where most sales come from, profitability of certain customers and responses to recent mailshots/marketing initiatives.

This effort of going beyond MI is all about firms looking at how big data can be used to drive revenue and increase profitability.  Previously, it was good enough for data analytics to spot trends to reduce operational inefficiencies.  Reducing cost isn’t good enough on its own anymore, new technology purchases now have to show how they contribute to business growth.

Following on from better marketing by harnessing data, client retention can be improved by extending data reporting and information visibility capabilities out to clients.  Customers want to be kept up to date in real-time about their individual case developments; they don’t want to wait for a letter to find out information – they want it now.  Online portals that can be used to report back billing information, KPI performance data and key milestone achievements back to customers, without adding extra workload onto the lawyers.

The UK Law Firm Survey 2015 from PWC highlighted that the top 10 firms feel they are winning against their competition by deploying technology – and we think that big data must be one of the fundamental keys to success in growth against the competition.

In our whitepaper, titled “Building a data driven professional services firm” which is all about how to be data driven, not data wary, we talked to Martyn Wells, IT Director at leading UK law firm, Wright Hassall.

Martyn shared with us his thoughts on how data has become integral to many legal activities due to new regulations such as the “Jackson Reform” rules that stipulate that cost management budgets have to be submitted to courts for each case.  This process relies heavily on data to create accurate case costings in the required time.

Martyn also highlights in the whitepaper his views on how it is crucial to “convince with confidence” when taking staff on a data journey – the data has to be correct and everyone working from a single version of the truth to avoid errors occurring and staff becoming wary of using data tools with bad information.

Read the full whitepaper at our site.