Jean-Yves Gilg

Editor, Solicitors Journal

Protecting clients' data is your number one priority

Law firms' lax cybersecurity policies are making the legal industry an easy target, therefore putting clients' data at risk, argues Bruce Jubb

The theft of 11 million documents from Mossack Fonseca could be the largest leak of data ever and, as such, is in a cyber-attack league of its own. But, regrettably, it will not be the last time a law firm is on the receiving end of a cyber-attack and, if it serves as a wake-up call that makes solicitors review their firm's cybersecurity systems, then some good will still come from it - because law firms are rapidly forming the new front-line in the war against cybercriminals.

This, however, is not because as an industry law firms' defences are stronger than, say, in the accountancy and banking sectors - quite the opposite, in fact. It is more likely that solicitors are being targeted because their defences are perceived as being weaker compared to other industries and because the value of the information they hold on behalf of their clients is so high.

In addition, other cyber-attacks that have recently hit the headlines indicate that because many in the legal industry are still not doing enough to protect their clients' data, the industry is being singled out.

Take, for example, the conveyancing sector, which continues to be targeted by transactional fraud. QBE Insurance Limited reported it had witnessed 150 successful cases - and ten times as many failed attempts - of Friday fraud, when many housing deals complete, which amounted to £85m in stolen monies from firms.

Elina Lusted, a claims manager for QBE, partly attributes the attacks of the past two years, which have spiked recently, to lacklustre IT systems: 'High-street conveyancing firms are not necessarily going to have the latest data security systems.'

A matter of trust

Our experience suggests that a lot of organisations' cybersecurity processes are based largely on trust: trust that staff will use sufficiently strong passwords and will regularly change them; trust that staff will not write down these passwords and pin them on post-it notes around their workstations; and trust that staff will not access their old work accounts when they leave the company or give their details to a work colleague while they are on holiday.

Unfortunately, because we are dealing with a human element, trust can quite often be abused or not act as a sufficient deterrent. According to research carried out by IBM, 55 per cent of all cybercrime is committed by insiders: the very few staff, former staff, and contractors that do have criminal intentions take advantage of the lax procedures adopted by their more honest colleagues, such as the ones listed above. The other processes and procedures that can weaken a firm's defences are no less, well, parochial. Sharing system administrators' user rights is a shortcut adopted by many, but it could well be a shortcut to disaster.

Means, motive, opportunity

My company carried out some research last year that highlighted how poor quality cyber protection processes and procedures are largely to blame. Some 50 per cent of the respondents who took part in our survey felt that it would be either 'difficult' or 'very difficult' to identify whether any ex-employees still had access via accounts to resources on their network. The same percentage thought the same about ex-third-party providers accessing their network and an even bigger proportion, 55 per cent, thought the same about ex-contractors accessing their networks.

This is highly significant. For an internal cybercrime to take place, the criminal must have three things: the means, the motive, and the opportunity. Allowing ex-employees unfettered access to their former employer's network automatically gives them two of those things (the means and the opportunity), increasing the chances of a cyber-attack happening.

The legal profession quite rightly attaches a great deal of importance to trust - and to protecting client confidentiality. But, maintaining cyber defences based largely around trust will no longer be sufficient to keep the bad guys out. The legal industry must raise its game or risk losing the very thing it holds most dear: its clients' data.

Bruce Jubb is the UK country manager for Wallix @wallixcom