Tackling the technology threat
What are the main categories of risk facing law firms, and what can they do to minimise their vulnerability, asks Struan Todd
Use of technology and the importance of cyber security continue to be topics at the forefront of risk management discussion for law firms in the UK. While most law firms are aware of the key issues involved with ensuring their own systems are efficient and protected, changing legislative requirements and ever-evolving threats can be overwhelming.
Law firms face a number of hazards in this space, and with so many possible countermeasures on offer, many firms are uncertain which represent best practice for their business.
That being said, there are a number of ways to classify the range of technology-focused threats that a firm faces. We have aimed to split these into two main categories.
General IT threats
This classification refers to risks that accompany the use of technology and are unavoidable. Such exposures include: failure of hardware or software, malware, ransomware, viruses, phishing and spam, and human error. Many companies have fallen foul of these threats, with notable recent examples being British Airways’ global IT system failure, which caused substantial interruption to its services in late May, and the worldwide ransomware cryptoworm attack that affected more than 230,000 Microsoft Windows operating system computers in over 150 countries from 12 May.
Criminal IT threats
Denial of service attacks, hacking activities, password theft, fraud, and staff dishonesty are more commonly considered to be criminal IT threats. These are targeted attacks aimed at specific entities. Many law firms do not consider themselves to be worthy of targeting, but instances of M&A law firms in the US having been breached are abundant.
Furthermore, law firms are extremely vulnerable to fraud and staff dishonesty given the significant sums of money held in their accounts, the volume of transactions, and, in most cases, the variety of individuals and entities that they deal with.
Although these two sets of dangers are not exhaustive, and do not include aspects of risk such as natural disasters, these are the risks that law firms must be prepared to deal with. Without targeted pre-emptive and proactive planning, these threats are capable of causing loss of data and substantial financial cost.
As there are two main categories of threats, there are two distinguishable elements of minimising vulnerability: IT system security and the human component.
IT system security
There are a variety of tips that can be given to ensure that a firm’s IT systems are as secure as possible. These comprise:
Ensure all systems have the latest security updates and patches applied;
Confirm that data backups are recent and reliable;
Manage email content filters, network share permissions, and use of privileged accounts;
Block the use of USB drives and guarantee that any portable devices utilise encryption or password protection; and
Limit write access and remove any unnecessary applications so that there is less for an attacker to exploit.
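The five items above are the kind of checklist a firm's IT provider can verify on each workstation rather than take on trust. The PowerShell script below is an added example written for this article, not something the author or Howden UK Group publishes; it performs read-only checks for four of the five points (patch recency, backup recency, privileged group membership, USB mass-storage blocking and drive encryption) on a single Windows machine and reports pass or fail for each. The backup path, the 30-day patch window, the one-day backup window and the "no more than two local administrators" threshold are assumptions chosen for illustration and should be set to the firm's own policy.

```powershell
# Added example (not from the article): read-only audit of the IT checklist on one
# Windows workstation. Run in an elevated PowerShell 5.1+ session.
# Assumed policy values (not stated in the article) are exposed as parameters.
param(
    [string]$BackupPath = 'D:\Backups',   # assumed folder where backup files land
    [int]$MaxPatchAgeDays = 30,           # assumed acceptable patch window
    [int]$MaxBackupAgeDays = 1,           # assumed acceptable backup window
    [int]$MaxLocalAdmins = 2              # assumed: built-in admin plus one managed account
)

function Test-PatchCurrency {
    # Most recent dated hotfix; entries with no InstalledOn value are ignored.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check  = 'Security updates applied recently'
        Pass   = ($null -ne $ageDays -and $ageDays -le $MaxPatchAgeDays)
        Detail = if ($latest) { "$($latest.HotFixID) installed $ageDays day(s) ago" } else { 'no dated hotfix found' }
    }
}

function Test-BackupRecency {
    # Checks that *something* was written recently; it does not prove the backup restores.
    $newest = Get-ChildItem -Path $BackupPath -File -Recurse -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $ageDays = if ($newest) { (New-TimeSpan -Start $newest.LastWriteTime -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check  = 'Backup file is recent'
        Pass   = ($null -ne $ageDays -and $ageDays -le $MaxBackupAgeDays)
        Detail = if ($newest) { "$($newest.FullName) written $ageDays day(s) ago" } else { "nothing found under $BackupPath" }
    }
}

function Test-LocalAdmins {
    # Privileged-account sprawl: every extra member of Administrators widens the blast radius.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'Local Administrators group is small'
        Pass   = ($members.Count -le $MaxLocalAdmins)
        Detail = "$($members.Count) member(s): $($members.Name -join ', ')"
    }
}

function Test-UsbStorageBlocked {
    # USBSTOR service Start = 4 means the USB mass-storage driver is disabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check  = 'USB mass storage driver disabled'
        Pass   = ($start -eq 4)
        Detail = "USBSTOR Start value = $start (4 = disabled)"
    }
}

function Test-SystemDriveEncrypted {
    # BitLocker protection must be On, not merely the volume encrypted with protectors suspended.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'System drive protected by BitLocker'
        Pass   = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
        Detail = if ($vol) { "VolumeStatus=$($vol.VolumeStatus); ProtectionStatus=$($vol.ProtectionStatus)" } else { 'BitLocker module or volume unavailable' }
    }
}

$results = @(
    Test-PatchCurrency
    Test-BackupRecency
    Test-LocalAdmins
    Test-UsbStorageBlocked
    Test-SystemDriveEncrypted
)
$results | Format-Table Check, Pass, Detail -AutoSize | Out-Host
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed"
exit $failed   # non-zero exit lets a scheduler or RMM tool flag the machine
```

Two caveats on reading the results. A recent backup file is not the same as a reliable backup: the only real test is a periodic restore, which this script cannot do. And USB blocking is often enforced through the "Deny all access" removable-storage group policy rather than by disabling the USBSTOR driver, so a machine can legitimately fail that check while still being compliant; adjust the check to whichever control the firm actually uses.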
The human component
It is difficult to determine whether a staff member is likely to defraud a law firm. However, there are methods which can be implemented to minimise a firm’s exposure to the unanticipated actions of their staff. These include, but are not limited to:
Educate staff on what they should be aware of when opening emails or corresponding with clients, including recognition of social engineering attacks;
Monitor the activity of employees on work computer systems to prevent removal of files and to determine whether any untoward activity has taken place;
Maintain company policies and discuss these regularly with staff members;
Encourage employees to ‘whistleblow’ and notify the firm of any incident as soon as possible; and
Regularly test employees and invite them to share their views on best practice.
Inevitably, despite all efforts to avoid or overcome the threats posed by the use of technology, there will be issues. To assist law firms in these circumstances, members of the global insurance market have provided a variety of cyber insurance solutions, which can include offering the following in the event of a breach:
Forensic expenses, specialist legal expenses, and public relations expenses;
Notification and credit monitoring costs;
Network business interruption costs;
Cyber extortion or ransomware and data restoration expenses; and
Liabilities to staff and third parties, as well as regulatory defence, awards, fines, and penalties (where insurable by law).
Struan Todd is international PI and cyber account executive at Howden UK Group