Getting Cybersecurity Right For Your Firm

July 2021

We live in challenging times.

Quite apart from the widespread disruption that COVID has wrought on all of our lives, you could also be mistaken for thinking that we were in the middle of some kind of ‘cyber war’. Not a day seems to go by without another headline telling us about the latest cyberattack, data theft or ransomware scenario. And for reasons that we will cover here, the pandemic has actually brought cybersecurity very much to the fore due to the technology demands placed by a largely remote and network-challenged workforce. And the legal profession is no different in this respect. Imagine having to tell all of your clients that cybercriminals were now in receipt of all of their data. Law firms handle significant volumes of confidential and sensitive information and client funds as part of their daily work. Like many other sectors, the legal profession is delivering and transacting in an increasingly online fashion – indeed there is a drive to become paperless. Firms need to be especially attentive towards the threat of any cyber attack taking into account the massive amount of sensitive and important client data held in their information systems.

And this is not a pie-in-the-sky scenario. Just recently we heard that the law firm acting for companies such as Ford, Boeing, Exxon, Marriott, Walgreen and others, was hacked in an apparent ransomware attack. In this attack it is feared that social security numbers, passport numbers, payment card information, medical information and biometric data were all stolen by cybercriminals. Here in the UK, the London Stock Exchange recently revealed a filing by a UK listed law firm who had suffered a cyber attack – once again, sensitive client information was compromised.

The remote and mobile challenge

We touched on the additional challenges that COVID has presented from a technology point of view. The UK has seen massive growth in both remote working and working on the move due to the pandemic – the legal profession has been equally affected. and the legal sector is very much included here. As we witness mobile and smart device usage continuing to grow, it brings about a corresponding rise in mobile security threats. Indeed, some reports even suggest that mobile devices could now account for more than 60 percent of digital fraud. As firms see a significant increase in people using their mobile devices for both work and personal use, they will need to face up to an entirely new set of challenges. And this updated landscape requires a contemporary way of thinking (and new solutions) in order for legal firms to defend themselves against cyber criminals.

Don’t trust anyone

With people increasingly working under a ‘hybrid’ model (a mix of working from home / the office / on the road) we look to technology to afford us the flexibility and ability to work anywhere. With most workers effectively not now tethered to a desk / desktop, firms require security platforms that support the new normal with solutions that provide remote workers with security whilst actively improving the employee experience. Firms need to ensure that employees are able to work on any device, which makes tools like multi factor authentication and a zero trust approach to security, absolutely crucial.

Organisations everywhere are adopting a ‘zero trust’ approach which places greater importance on identifying the real-time health of a user’s device and the ability to provide conditional access to corporate data as a result. Zero trust security is all about eliminating implicit trust. Effectively it is an interrogation of trust within networks or the trust between host and applications. Boiled down, zero trust implies that the best way to secure a network is to assume no level of trust whatsoever. Employing a zero-trust model supposes that no single person is able to solely execute any sort of change to the system that could affect the security of the system. One way to make this happen is to embrace a ‘zero touch’ mentality whereby human vulnerabilities are effectively replaced by automation. In all things ‘security’, humans are invariably the weakest point in any chain. Firms can mollify human error by adopting single sign-on solutions and strengthen security controls that oversee how and where employees get access to specific data.

Cloud Access Security Broker (CASB)

A CASB solution can optimise visibility across an organisation, by monitoring all user activity within cloud applications (company-approved and shadow apps) and enforce both internal policies and external compliance requirements. A CASB solution should additionally be adopted as part of a wider SIM/SIEM solution for the ultimate in forward-looking, secure data collection, monitoring, and consolidation. Many CASB solutions are designed with compliance in mind. They provide granular visibility and control over user interaction with cloud applications and broad audit trails of such user activity. They tend to operate as a system that is partly a filter, proxy and firewall between the users and cloud systems. They have capabilities to detect unsanctioned cloud applications, as well as sensitive data in transit. Organisations can use CASB to address specific use cases with their cloud providers and are perfect for centralised control, management and ease of use. With so much going on in the cloud as businesses strive to provide increased levels of remote access, there is the potential for data leakage in the cloud. Using CASB gives organisations the power to maintain visibility over data that has gone beyond the reach of on-premises tools. Detailed logs on all cloud transactions (logins, uploads, or downloads) are always recorded and app-specific behaviours are also logged, helping organisations know the whereabouts of data if it is shared.

National Cyber Security Centre (NCSC)

NCSC essentially sets out to help to make the UK a safe place to live and work online. Amongst other things, they provide schemes that can help your firm strengthen cybersecurity. For example, Cyber Essentials is a simple but effective Government-backed scheme that will help you to protect your firm against a whole range of the most common cyber attacks. It can help you to guard against the most common cyber threats and demonstrate your commitment to cyber security. It can reassure your clients that you are working to secure your IT against cyber attack, and can even help to attract new clients with the promise you have cyber security measures in place.Cyber Essentials Plus adopts the simple approach of Cyber Essentials trademark simplicity of approach but includes a hands-on technical verification. However, it is worrying to read research by Law.com that found that 40% of the leading 50 U.K. law firms still didn’t have the highest level of cybersecurity accreditation offered by Cyber Essentials Plus.

Cybersecurity has never been so important – whatever industry you work in. The pandemic has provided firms with technology challenges whilst also given cybercriminals an increased surface attack area. With COVID continuing to have an impact on remote working and working on the move, it is critical that your firm enjoys maximum protection against the development of any new cyber threats. Law firms are increasingly reliant on IT and technology which can leave them vulnerable to a whole host of malevolent cyber activity. If a firm loses access to their technology, has funds stolen or suffers any kind of data breach through a cyber attack, it can be devastating – financially and reputationally.