Introduction
The recently publicised cyber-attack on conveyancing giant Simplify, and which cost the group nearly £7m, reminds us all that cybersecurity needs to continue to be a crucial element in the planning and management of all solicitors practices.
The Law Society’s Gazette reported earlier this month that newly published accounts for Simplify, which deals with over 250,000 conveyancing matters a year, show that the major IT systems outage experienced in November 2021 caused when an unauthorised third party temporarily gained access to systems, and to files containing personal data, confirmed that both the company and the wider Simplify group were the target of the cyber-attack. It is stated that restoration of systems “required the level of new cases taken in to be significantly reduced for a period of approximately 10 weeks, which has dampened the results for the financial year”.
Incidents of cyber attacks on law firms are on the increase. PwC’s Law Firms’ Survey 2022 highlights the cyber threats and challenges that firms are currently facing within the legal sector. The survey indicates that cyber threats remain a key concern, with 78% of the Top 100 reporting they are extremely or somewhat concerned about cyber threats, and cyber threats were the second joint highest concern reported across the Top 100 firms, and the highest concern for Top 26-50 firms. NOt that the threats are confined to the larger firms. All law firms of all sizes are vulnerable to a range of cyber threats including phishing, malware, ransomware and hacking with the interception of emails and thus potentially of client funds being one of the most worrying.
As the 2018 report from the National Cyber Security Centre highlighted, there are a number of factors that make law firms an attractive target for cyber attack. These include that “they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions”. The report went on to say that that the risk “may be greater for law firms that advise particularly sensitive clients or work in locations that are hostile to the UK”, however, that does not mean that others are not equally exposed to risk and the increase in the provision of legal services digitally provide not only new opportunities but also further avenues for malicious cyber exploitation.
In an increasingly digital landscape, where technology underpins every aspect of our lives, the legal profession has witnessed a rapid shift towards digitalization. While this transformation offers immense convenience and efficiency, it also brings forth a range of cybersecurity challenges. It is vital, therefore, that solicitors, as custodians of sensitive client data and entrusted with legal affairs, exercise caution and adopt robust cybersecurity measures.
Being Cybersecurity Aware
The reasons why solicitors need to be vigilant and proactive in safeguarding their practices against cyber threats are numerous, but the key ones are:
- Protection of Client Confidentiality
Confidentiality is the cornerstone of the solicitor-client relationship. Solicitors handle a vast amount of sensitive information, ranging from personal details to financial records. Cybercriminals actively target law firms to gain unauthorised access to such valuable data, seeking to exploit it for various malicious purposes. A breach in client confidentiality not only damages the reputation of the solicitor but also violates the trust placed in them. By prioritising cybersecurity, solicitors can create a secure environment that safeguards client confidentiality and upholds professional ethics.
- Legal and Regulatory Compliance
Legal practices are subject to an array of data protection laws and regulations. The General Data Protection Regulation (GDPR) in the European Union, and the UK GDPR and Data protection Act 2018 require all organisations, including law firms, to implement appropriate security measures to protect personal data. By implementing stringent cybersecurity protocols, solicitors can demonstrate compliance and protect both themselves and their clients from the legal ramifications of breach.
- Financial Implications of Cybersecurity Incidents
Cybersecurity incidents can have devastating financial implications for legal practices. The cost of recovering from a data breach can be exorbitant, involving forensic investigations, legal fees, and potential compensation to affected clients. Moreover, the interruption to business operations during recovery can result in substantial financial losses and damage to the firm’s reputation. Investing in cybersecurity measures, such as firewalls, encryption, intrusion detection systems, and employee training, can mitigate the risk of cyber incidents, reducing the financial burden on solicitors and their clients.
- Professional Reputation and Client Trust
A law firm’s reputation is built on trust, integrity, and competence. A single cybersecurity incident can tarnish years of hard work and compromise the trust of existing and prospective clients. Clients expect their solicitors to protect their information and provide a secure environment for legal transactions. Demonstrating a commitment to cybersecurity enhances a firm’s reputation as a reliable and trustworthy entity. Solicitors who prioritize cybersecurity not only protect their clients’ interests but also preserve their own professional reputation, ensuring the longevity and growth of their practice.
- Ethical Responsibility and Duty of Competence
Solicitors have an ethical responsibility to maintain competence in their field. This includes staying updated on emerging cybersecurity risks and implementing appropriate safeguards. The Solicitors Regulation Authority (SRA) in the United Kingdom and similar bodies in other jurisdictions recognize the importance of cybersecurity and expect solicitors to exercise due diligence in protecting client data. Failure to meet these professional standards can result in disciplinary action and reputational damage. By being proactive in addressing cybersecurity concerns, solicitors fulfill their ethical obligations and reinforce their commitment to providing competent and secure legal services.
Steps to Take
So what should law firms be doing to reduce their vulnerability to cyber attack?
The National Cyber Security Centre advocate that all businesses can take 10 steps to improve their cybersecurity. These are:
- Risk Management
- Taking a risk-based approach to cybersecurity means thinking about what the firm does and where the potential risks might fall and then taking steps either to obviate those risks or to be able to deal with them in the most effective way possible where they cannot be excluded completely. It means ensuring that the firm has adequate policies to ensure risk management for the firm as a whole and that cybersecurity is considered in other organisational policies where appropriate.
- Engagement and Training
- People should be at the heart of the firm’s cybersecurity strategy which should take into account the way people work in practice, and which addresses security needs without getting in the way of people getting their jobs done. HOwever, all staff must be provided with the opportunity to obtain the skills and knowledge required to work securely, for example by means of awareness or training. It is vital that everyone within the firm understands the risks they face and how they should work to avoid those risks.
- Asset Management
- It is vital that firms are aware of what data and systems are used within the firm and how they support its business. This includes making sure that software and programmes are kept up-to-date, that security patches are applied where relevant and that all steps are taken to avoid those systems from being hacked – for example by simply making sure that up-to-date operating systems and web browsers are employed throughout the firm. In particular, firms should be aware of the fact that over time, systems and the use of technology can tend to grow organically, and it can be hard to maintain an understanding of all the assets within the firm and how they are being used. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.
- Architecture and Configuration
- The technology and cybersecurity landscape is constantly evolving. To address this, firms need to ensure that good cybersecurity is a fundamental part of their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks. These means not only ensuring that technology and programmes are robust and able to withstand potential incursions, but also that internal processes are equally robust – including factors as simple as making sure that staff know about checking that accounts to which money is paid is the correct account or that the right information and documents are being sent to the client’s correct email address.
- Vulnerability Management
- The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation. Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.
- Identity and Access Management
- Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. A good approach to identity and access management will make it hard for attackers to pretend they are legitimate, whilst keeping it as simple as possible for legitimate users to access what they need.
- Data Security
- Data needs to be protected from unauthorised access, modification, or deletion. This involves ensuring data is protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use). In many cases data will be outside your direct control, so it important to consider the protections that you can apply as well as the assurances you may need from third parties. With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include maintaining up-to-date, isolated, offline backup copies of all important data.
- Logging and Monitoring
- Collecting logs is essential to understand how your systems are being used and is the foundation of security (or protective) monitoring. In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident. Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact.
- Incident Management
- Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.
- Supply Chain Security
- Most organisations rely upon suppliers to deliver products, systems, and services. An attack on your suppliers can be just as damaging to you as one that directly targets your own organisation. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. The first step is to understand your supply chain, including commodity suppliers such cloud service providers and those suppliers you hold a bespoke contract with. Exercising influence where you can, and encouraging continuous improvement, will help improve security across your supply chain.
Conclusions
Cybersecurity is not something that simply happens on its own. Steps need to be taken to ensure that it is maintained and, just as importantly, resources need to be allocated to achieve this. Whilst updating software and technology, putting in place processes, training staff, checking systems, undertaking management and planning for the future is an expense both of money and time, it is an expense which is necessary if problems in the future are to be avoided.
In an era where cyber threats are prevalent and sophisticated, solicitors must prioritise cybersecurity to protect their clients, uphold professional standards, and safeguard their own interests. The implications of a cybersecurity breach extend far beyond financial losses, impacting client trust, professional reputation, and legal compliance. By adopting robust cybersecurity measures and remaining vigilant against emerging threats, solicitors can confidently navigate the digital landscape, ensuring the confidentiality, integrity, and availability of client data while reinforcing their position as trusted legal advisers.