Cybersecurity for law firms

Cybersecurity is a critical issue for businesses including law firms. In the latest LexisNexis report, Is your Tech Smart?, mid-level law firms identified that cybersecurity was the third most urgent challenge they are facing.

Those who hold business sensitive data should take their cybersecurity seriously. New data protection requirements from 25 May 2018 when GDPR comes into force will compel an increased compliance; as all law firms hold significant amounts of personal data, robust plans to protect client data and by extension the firm’s reputation, should be in place, no matter the size of the firm.

Cybersecurity is an issue which is not going away. In 2015, 62 per cent of law firms reported a cyber-attack in 2015. By 2017, the figure had increased to the majority of law firms having reported suffering a security incident in the past 12 months, with the report going on to note that 12% of firms claim to be recipients of such attacks on a daily basis with a further 30% identifying attacks on either a weekly or monthly basis.

But how can smaller and mid-size firms keep up and keep client and firm data secure?

In an ideal world, all law firms need some form of internal technology expertise, “to plan, guide, structure and deploy the relevant technology in a proactive, rather than reactive way” says Neil Prevett, Technology Director at regional mid-size firm Gardner Leader. Neil joined in 2010 as IT Director, the sole internal IT resource, and has now built out internal expertise to a team of four.

Why is cybersecurity so important and why should firms be concerned?

“The need to focus on Cybersecurity is as important as the need to focus on their accounts system. It forms part of the big picture when it comes to providing excellent service and peace of mind to our clients. The risk of cybersecurity cannot be ignored and will not go away, so law firms need to take action to ensure they protect themselves and their clients as much as possible”, Neil told us.

“Criminals & fraudsters’ methods are getting more sophisticated and complex and so are the solutions to combat them. It is critical that we try to stay a number of steps ahead – not only to protect us, but also our clients’ data.”

Cybersecurity is just one of a number of new threats/concerns to a law firm, as well as the complex issue of moving technology forward in a firm to the benefit of staff and clients alike. Neil’s belief in robust systems and plans comes from the fundamental relationship between law firms and their clients: “We believe clients ‘assume’ that law firms will do all they can to protect their data and we take the responsibility of this ‘assumption’ very seriously.”

Retaining a commercial advantage

“The commercial advantage is probably the avoidance of bad publicity due to a breach”, Neil Prevett told us. “Like most technology projects, most work is done behind the scenes and is unseen by staff and clients. Our main role is to ensure a solid, reliable and secure system that is fit for purpose and delivers what is required.”

A data breach can take many forms but whatever the outcome even the fact that one has occured can be enough to create bad publicity and for the firm to have to publicly acknowledge the situation.

In June 2017, a global cyber-attack against DLA Piper caused both operational upset and forced the firm to issue a statement acknowledging that there was “no evidence that client data was taken or that there was a breach of confidentiality of that data. To our knowledge no interest of any client has been prejudiced as a result of this incident.”

In December 2017, London law firm Anthony Gold suffered a cyber attack in which 16,000 email contacts were sent when the firm was hacked. Emails were sent under the subject line ‘Action Required – Matter for Attention’ and asking recipients to open an ‘urgent’ attachment. The firm released a statement apologising for the inconvenience to clients and warning them not to open the attachment but the longer lasting issue to the firm is that articles still linger recording the breach.

Addressing Cybersecurity and priorities

“My ‘tip’ for any law firm that wants to move their IT systems forward is to ensure that they have a technology leader in the organisation that has law firm experience and knows how to manage and deliver such critical services.”

Neil was clear that internal resource and budget was crucial: “We have specialist managers in the areas of IT, HR, Marketing, Finance and so on, rather than these functions being an additional burden to the solicitors or Partners. Outsourcing can often ‘appear’ to be good value on paper, but unless you have people that can really understand and react quickly to the lawyer’s needs, the benefit is lost. There is no way we could provide the speed, accuracy, efficiency and response to queries raised if we outsourced.”

Other tips include:

• Understand the risks and keep a constant review of security systems and procedures to ensure that the best/most relevant protection that resources will allow are in place and up to date.
• Keep in touch with new technologies, threats and security by holding regular meetings with suppliers, attending other forums and exhibitions to keep abreast of what is happening and available in the marketplace.
• Encrypt data and ensure all employees regularly change passwords and do not leave workstations unattended without locking devices.
• Deliver internal training to make sure the risk of a breach internally is reduced: Neil told us that “you can never provide too much training – the problem is getting lawyers away from their desk long enough to take part in the training. However, we try to provide ongoing workshops on a regular basis and these are proving useful and of benefit when trying to introduce new functionality. We also use our internal systems to spread knowledge/awareness of issues such as cybersecurity and the need to be vigilant, as well as online training with regards to compliance training on Solicitors Account Rules and Money Laundering and so on”.
• Be aware of the new GDPR regulations and the issues surrounding client personal data. Compliance is therefore critical and cybersecurity forms part of that strategy.

Further guidance

For futher insights into the state of tech investment and challenges, read our latest report: Is your Tech Smart?. For more guidance and support on compliance, find out out LexisPSL Practice Compliance here.

Neil Prevett is Technology Director at Gardner Leader LLP. His experience includes 4 years with a major legal software supplier, and 8 years with a top 150 law firm before joining Gardner Leader in 2010. He was awarded Regional IT Director of the Year at the Legal Technology Awards in 2009.