Alex Heshmaty discusses what firms should be doing to address cybersecurity threats and protect client data
Most law firms now rely on their IT infrastructures for day-to-day business. The pandemic sped up the process of digital transformation in the legal sector. Although this has brought benefits, such as the ability to work remotely, ensuring that your IT systems are robust is now a business-critical issue. Today, lawyers who cannot access their practice management software, email or digital research tools are often unable to do their job.
Furthermore, law firms are now routinely storing and processing vast troves of client data, much of it sensitive and valuable. The consequences of this data getting into the wrong hands can be devastating, both for clients and the reputation of the firm. It is therefore crucial that firms adopt sufficient cybersecurity measures to prevent attacks on their IT infrastructure and data. In this article, we will explain the types of cybersecurity threats, the consequences of falling victim to a cyberattack, and how firms can bolster their defences.
Types of cybersecurity threat
It’s important to understand the main risks to the integrity of a firm’s IT systems and data. Cybersecurity threats broadly fall into the following categories:
Internal threats
According to a recent SRA report, 60% of law firms felt that their biggest potential vulnerability to cybercrime was “linked to the knowledge and behaviours of their staff”. This largely comes down to the potential for cyberattacks to be facilitated inadvertently by internal staff, for example by clicking on a malicious link in an email. There are also more basic behavioural threats, such as working on a confidential document on a train or discussing a case over the phone in a public place. Sometimes data is compromised simply through an accident, such as losing a USB stick.
Despite firms being aware of these internal threats, the report found that 20% had never provided cybersecurity training to their staff. Clearly, improving cybersecurity awareness and changing behaviours through regular staff training can reduce risk. There are also technical measures which can be adopted to improve the situation, for example:
- Moving productivity software (including email) to the cloud means that lawyers don’t need to use USB sticks for transferring data between an office and home computer, eliminating the risk of a lost or misplaced USB stick.
- Implementing AI software which checks email recipients before an email is sent can minimise the possibility of sensitive information being inadvertently sent to the wrong person.
A more dangerous internal threat can be posed by a disgruntled member of staff, or by one who seeks financial gain by selling confidential data. This can be tackled, to some extent, by giving each member of staff an individual login to the firm’s software tools, so that activity on the firm’s IT systems can be traced back to a specific user.
Malicious external hackers
Direct cyberattacks on a firm’s IT systems from external sources are a fairly routine occurrence, and they can prove devastating if successful. Fortunately, most software now has integrated antivirus capabilities, but it is vital that software updates are applied regularly. The cyberattack which led to some NHS hospitals having to cancel operations in 2017 could have been prevented if the operating systems had been updated with the latest security patches.
Aside from ensuring that all software is regularly updated as part of basic IT housekeeping, there is a huge range of antivirus products which can be purchased to fortify cybersecurity further.
Obscure threats
Some of the most difficult cybersecurity threats are those which cannot easily be identified, or which result from very rare ‘act of God’ events. Examples of these obscure threats include a fire or flood in the server room.
Common types of cyberattack
There is a vast range of cyberattacks to which a law firm can fall victim. Although a practice manager does not need a technical understanding of how these work, awareness of some of the key terms can help when instructing IT professionals. Here are a few of the key types of cyberattack, along with the relevant terminology:
Distributed denial of service (DDoS)
Distributed denial of service (DDoS) attacks seek to disrupt websites and online services. Multiple compromised computer systems - often infected by a Trojan - essentially overwhelm a website with traffic. During a DDoS attack, servers are flooded with messages, connection requests or malformed packets, causing network services to slow down or even crash and shut down entirely.
Brute force cracking
Cybercriminals attempting to gain access to encrypted data sometimes use software which makes repeated attempts to find the correct password. This trial-and-error technique methodically works through every combination of characters in sequence until it succeeds. The longer and more complex a password, the more time-consuming a brute force crack will be.
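To make the point about password length and complexity concrete, here is an added worked example (not part of the original article) that calculates how large the search space becomes for a few common password policies and how long an exhaustive search would take on average. The character-set sizes are constructed for illustration, and the rate of one billion guesses per second is an assumed figure rather than a measurement.

```python
# Added worked example: how password length and character variety change the
# size of the search space an exhaustive (brute-force) search must cover.
# The guess rate used below is an assumed, illustrative figure, not a measurement.

# Constructed character-set sizes for common password policies.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,  # printable ASCII without the space
}

# Approximate seconds per unit, used to report durations readably.
_UNITS = [(31_557_600, "years"), (86_400, "days"), (3_600, "hours"),
          (60, "minutes"), (1, "seconds")]


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return CHARSETS[charset] ** length


def expected_seconds(charset: str, length: int, guesses_per_second: float) -> float:
    """Average time for an exhaustive search: on average the correct password
    is found after trying half of the keyspace."""
    return keyspace(charset, length) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for size, name in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def compare_policies(length: int, guesses_per_second: float) -> dict:
    """Expected crack time (seconds) for every policy at a given password length."""
    return {name: expected_seconds(name, length, guesses_per_second) for name in CHARSETS}


if __name__ == "__main__":
    RATE = 1e9  # assumed illustrative rate of one billion guesses per second
    for length in (8, 12, 16):
        print(f"\nPassword length {length}:")
        for policy, secs in compare_policies(length, RATE).items():
            print(f"  {policy:<32} {human_duration(secs)}")
```

Running the script shows that adding four characters to a password lengthens the expected search time far more than swapping a few letters for symbols at the same length, which is why password length is the first thing a firm’s policy should mandate.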
Phishing
Most people have encountered phishing while checking their email. Descended from the advance-fee scam - also known as the ‘Nigerian Prince’ email scam - of the late 90s, phishing attacks generally attempt to extract financial or security information from unsuspecting individuals, or to install malware on their computers. In order to appear legitimate, the emails dress themselves up in the livery of a trusted company or bank and attempt to disguise their originating email address. Phishing exercises generally cast the net wide (just like fishing) and expect to catch only a tiny fraction of the recipients. A more targeted variant is spear phishing, where an individual or select group is sent far more personalised emails purporting to come from a known individual (a friend or colleague).
Malware
Malware is the umbrella term for malicious software which is installed on a computer system or device without the user’s knowledge. The aforementioned NHS cyberattack in 2017 was the result of ransomware, which locked up computers that had not been patched and demanded payment to unlock them. Some malware operates as spyware and, rather than locking up a device, quietly collects sensitive data such as passwords.
Social engineering
Digital communication, such as social media, gives hackers ways to manipulate or blackmail employees into releasing security details or sensitive data.
Consequences of cyberattacks
There will be data protection implications for a law firm suffering a cyberattack, as well as potential reputational damage and a hit to productivity.
Article 5(1)(f) of the UK GDPR states that personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This is known as the “integrity and confidentiality” principle and requires firms to take steps to avoid a cyberattack which results in a data breach.
The Information Commissioner’s Office (ICO) can currently fine firms which fail to comply with the UK GDPR up to £17.5m or 4% of total annual worldwide turnover, whichever is higher. As well as a fine, a personal data breach can also trigger an ICO investigation.
Failure to implement sufficient cybersecurity measures can additionally expose a firm to enforcement action from the Solicitors Regulation Authority (SRA). Firms have an obligation to keep client information confidential under paragraph 6.3 of the SRA Code of Conduct for Solicitors and of the Code of Conduct for Firms. The SRA has a useful related section entitled “using advanced technology safely” on their technology and legal services web page.
As well as potential enforcement actions and fines as a result of a cyberattack, law firms can also suffer serious damage to their reputation, including potential loss of clients and future business. This is especially the case if it is determined by the ICO that a firm did not take adequate steps to protect confidential client data.
Even if data is not compromised in a cyberattack, any damage to a firm’s IT infrastructure can cause significant disruption and loss in terms of the productivity of fee earners. Lawyers may struggle to get any work done if they cannot access their files and emails.
As mentioned earlier, one of the results of successive lockdowns due to coronavirus (COVID-19) has been the digital transformation of many law firms, including implementation of IT systems which enable staff to work from home. However, a result of going paperless is that a failure of IT infrastructure can bring a firm to a standstill.
How should law firms react to a cyberattack?
There are several immediate steps which should be taken in the wake of a cybersecurity breach:
- Assess the scope of the cyberattack, including its specific type and scale.
- Take action to plug any existing security holes, update software, change passwords and carry out an assessment of the fixes.
- Identify the source of the cyberattack: for example, was it external or internal? If the source was internal, decide on any relevant disciplinary action.
- Consider how to prevent similar attacks in the future, updating any IT policies and procedures accordingly.
- Under the UK GDPR and Data Protection Act 2018, the ICO should be informed of personal data breaches within 72 hours (if feasible).
- Any individuals whose personal data has been exposed may also need to be informed.
- The incident should be recorded.
How can law firms prevent a cyberattack?
Maintaining awareness of cybersecurity threats and adopting a common-sense approach to IT within your firm will go a long way towards staving off potentially debilitating cyberattacks. A number of specific measures can be taken to minimise the possibility of data breaches and damage to infrastructure, including:
- Regular assessments of the IT and data security within your firm are crucial for detecting any vulnerabilities.
- Ensure that all software in use is updated as soon as security patches are released. There is usually an auto-update feature, but it may need to be enabled.
- Most people know the benefits of encrypting their data to prevent unauthorised access. However, it is often still necessary to switch encryption settings on.
- Many firms are already working in the cloud, whereby staff can access the practice management system, email and other IT tools remotely. Using a cloud provider generally means that data is more secure, since the provider is responsible for keeping its software up to date with the latest security patches. Providing staff with remote access via the cloud also means that they won’t need to use USB sticks or email documents between office and home computers.
- Employees, as well as contractors with access to key systems, should receive regular training, supplemented by a set of clear IT policies.