Read the original article by Steve Whiter, Appurity Managing Director, on law.com
Firms are using innovative technologies in novel ways as they adopt digital ways of working
Law firms aren’t just expected to protect their clients’ sensitive information – they have a legal and moral duty to do so.
Before the COVID-19 pandemic, when permanent in-office working was the norm, protecting clients’ data and mitigating online threats was more straightforward. Firms knew where their lawyers were working and what networks they were connected to. And where meetings took place on-premise, sensitive data and files remained physically present.
Now, with hybrid and remote working practices having become the norm, clients are off-site, lawyers communicate through messaging applications – including on personal devices – and firms are using innovative technologies in novel ways as they adopt digital ways of working. In this digital-first landscape, all data is at risk. The good news is that new security solutions, pioneered by firms like VoxSmart, offer law firms a range of new tools to counter this threat.
Now more than ever, it is vital that law firms act to secure critical information. A commitment to strong cybersecurity practices often takes a backseat, however. While 90% of respondents surveyed in PwC’s Annual Lawyers’ survey in 2021 viewed cyber risk as the biggest threat to future growth ambitions, a 2022 survey conducted by IRN Research and commissioned by Menlo Security finds that 43% of UK law firms do not have procedures in place to deal with a cyberattack.
What are the core mistakes firms are making when it comes to protecting their clients’ – and their own – data? And what technology and processes can firms put in place to mitigate against the threat of data breaches?
Underestimating phishing attacks
The Solicitors Regulation Authority (SRA) notes that one of the most significant threats to the data held by law firms is phishing. And it’s not just the legal sector that is susceptible – phishing attacks are on the rise across several professional industries, and attacks are becoming more sophisticated in nature.
Almost all malware is delivered via email. If one user clicks on a malicious link, attackers can gain unrestricted access to your systems, networks, files, and data. The email inbox is therefore the front line of any cyberattack.
Firms that fail in their obligation to protect sensitive information suffer from reduced credibility and a hit to client relations. But successful phishing attacks also have broader operational implications. If a firm falls victim to an attack that brings down networks, leaving lawyers unable to access critical case information and the infrastructure they need to work, billable hours suffer.
Regular security awareness training should be central to any firm’s cybersecurity and data protection plans, and all employees of the firm should attend – including senior management. Taking a proactive approach to cybersecurity is one way to protect against threats. To this end, firms should consider a cyberattack simulation. By analysing how your lawyers respond to a live threat, you can remediate any pain points that arise, better preparing the firm for a real attack.
Failing to secure e-communications
The threat of data breaches isn’t just confined to malicious links in emails. SMS and instant messaging – including applications like WhatsApp and WeChat – have risen in popularity as a means of quick, seamless communication between lawyers and clients. The benefits for client-firm relations are numerous. But these applications can come with several security risks if not used correctly.
If your lawyers are communicating on-the-go, across multiple devices, connecting to multiple networks, how can you ensure that the content of their messages is secure?
Using communication capture or surveillance tools – like VoxSmart’s Mobile Capture and Communications Surveillance – ensures your lawyers’ conversations with each other and clients remain secure. Communication surveillance provides constant, in-depth monitoring of all channels of communication, with intelligent technology that can flag unusual behaviour or risky activity for review.
And monitoring communications comes with an additional benefit, too – in the event of a data breach, having full access to all messages sent and received by fee-earners provides insight into how the breach occurred, and enables outward transparency.
Lack of visibility into device or software usage
The rise in remote and hybrid working during the COVID-19 pandemic accelerated the use of personal devices for work purposes. Firms must have a grasp on how many of these personal devices are used, and what they are being used for, across their organisation.
Are applications installed on personal devices secure? Is there a policy and action plan in place for stolen or hacked devices? Is client data being accessed on personal devices across insecure networks?
It is critical that firms have an up-to-date inventory of all devices and software used by everybody in the organisation. In the wake of a data breach or cybersecurity attack, IT departments must be able to identify and fix problems centrally. Understanding how devices are used and who they’re used by is a key element of some regulatory frameworks, like the Cyber Essentials Plus programme.
When it comes to hosting clients’ sensitive data, using secure, centralised cloud repositories is paramount. If employees are using insecure cloud services to store or change important files, data, or documents, this can cause serious headaches when firms come to audits and compliance reviews.
From communications surveillance to centralised cloud services, having the right technologies in place to protect sensitive data and mitigate cyberthreats is imperative. Firms must also cultivate an awareness of ongoing cyber security risks among employees.
Taking proactive steps like these to avoid some of the common data protection mistakes is critical in the legal industry where protecting clients’ information is fundamental. Firms should begin interrogating their data security strategies today to mitigate against the threats of tomorrow.