In their recent Risk Outlook the SRA highlighted the key cyber threats that law firms should be aware of, including the increased vulnerabilities that arise with the adoption of hybrid working. James Doswell and Sharon Glynn of Travelers outline five ways to reduce your risk.

This year in the UK, nearly one-quarter of working adults reported having a flexible work schedule dividing their working hours between home and the office, according to the Office for National Statistics. In a hybrid environment it can be more difficult for law firms to ensure their staff comply with security policies designed to protect the vast amount of sensitive client information they manage. Cyber threat actors, keen to find vulnerable targets, will aim to exploit these potential security weaknesses for their benefit.

In the past two years, a confluence of factors has increased cyber vulnerability for the legal sector. The talent landscape has shifted, and law firms have had to adapt to attract or retain talent – even those firms that didn’t adopt flexible work before the pandemic. Firms have also been trying to develop new practice areas in response to evolving client needs – all while vying for talent and adopting a raft of new digital tools to help manage their work. These changes all make the sector more susceptible to cyberattack, but there are things firms can do to minimise their risk – here are five.

1 Take stock of your regulatory risk

While cyber threats are always evolving, the Solicitors Regulation Authority’s (SRA) 2022 Risk Outlook identified the three major threats that law firms should factor into their cybersecurity strategy: phishing, ransomware, and attacks on third parties (such as providers that partner with firms and enable their flexible work capabilities). The SRA found that 80% of all cybercrimes reported to them last year were phishing attacks involving email.

When these attacks succeed, they can install malware on a firm’s computers, corrupt its systems, or allow a threat actor to steal information or money. Beyond email-based attacks, the SRA anticipates the sector will experience an increase in voice-based phishing attacks, or vishing, as threat actors attempt new methods of attack.

Ransomware, which the National Cyber Security Centre believes to be the biggest cybersecurity threat currently facing the UK, is a type of cyberattack in which a hacker installs malicious software on a computer or server, then threatens to release data or blocks access to it until a ransom is paid. The attacks spread quickly and can paralyse a system or network. Third-party attacks are another escalating risk as threat actors seek new methods of attack using routes that targets are less likely to anticipate.

Hybrid work environments can elevate these risks. An employee working in a relaxed environment at home may be more apt to fall for a phishing scheme or other traps. A firm’s newly expanded digital footprint, while making it possible to connect with employees and clients wherever they are located, also presents threat actors with a larger platform on which to launch attacks.

2 Fortify your firm

The expanding nature of cyber threats, paired with a decentralised workforce, makes stringent risk management practices more critical to law firms looking to prevent a breach or limit its damage. A firm’s risk management strategy should involve evaluating what critical information needs to be protected, assessing the impact on the business if it is compromised, and developing a plan to prevent and respond to attacks so that resources can be assigned accordingly.

3 Update your processes

Viewing these priorities through a flexible work lens may require additional changes:

  • Are current policies, controls and processes appropriate for decentralised teams?
  • What technology and training are needed to protect information and support employees working from home, as well as between home and the office?
  • How will personal devices used for work be secured?
  • What user-based protections and other security measures can help verify a person’s identity remotely and restrict access to sensitive information?

4 Get your tech right

Cloud-based services, which more firms have adopted to support flexible work in the past two years, can help address some of these concerns by providing enhanced security, automated identity management, and editable permissions to access information as needed. For example, says James Doswell, cyber risk manager:

“Technology can be utilised in these more diverse environments to bolster the human risk against ransomware and phishing attacks. Understanding where in the attack chain that security software sits, however, is vital. For example, an Endpoint Protection Platform (EPP) blocks a malicious executable file from ever being written and helps remove some of the risk around inadvertent ‘clicking the link’. An Endpoint Detection and Response (EDR) and an Extended Detection and Response (XDR) solution aims to proactively prevent security breaches by collecting data and applying data analytics and threat intelligence, then uses this information to detect potential threats and stop them from doing damage.”

Both of these systems are highly beneficial – the EPP for blocking all unknown, untrusted executable files; and the EDR/XDR solution for alerting in the event that malware gets through.

5 Have an open culture

A breach usually happens due to human error or trojan malware disguised as a legitimate product embedded within the supply chain. Threat actors rely on human weakness to exploit potential targets, so law firms must not only train employees on how to protect against cybersecurity risks, but also promote an open, non-punitive culture that encourages employees to report security problems promptly. Sharon Glynn, Director at Travelers, says:

“Culture is just as important as technology when it comes to protecting against cyber threats. A law firm’s prompt response to a cyberattack can help contain the financial and reputational damage it faces due to a breach, as well as potential litigation resulting from it. This requires a firm to have a no-blame culture in which employees feel safe coming forward and admitting to mistakes – and that culture needs to extend to employees working from home.”

Travelers can help clients in the legal sector develop a cyber risk management strategy tailored to their firm’s flexible work practices.

The information provided in this document is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this document. Travelers operates through several underwriting entities through the UK and across Europe. Please consult your policy documentation or visit the website for full information: travelers.co.uk and travelers.ie