Operating with a security-conscious workforce requires constant nurturing and commitment. Dan Schiappa, CPO at Arctic Wolf, discusses the areas in which the legal industry needs to prioritise resourcing to operate with a reliable security infrastructure.
Hit the gavel. It’s time to talk about cybersecurity in the legal industry. The UK Government’s National Cyber Security Centre (NCSC) recently published a Cyber Threat Report analysing vulnerabilities in the nation’s legal sector. It explored some sobering truths. Almost three-quarters of the UK’s top-100 law firms have been destabilised by a cyber incident. Small firms are also increasingly juicy targets, especially those with particularly immature security systems.
These findings aren’t just eye-opening for the UK. They’re applicable globally. A tailored approach to cybersecurity is fundamental to the legal industry as a whole. Law firms hold sensitive client information, from simple financial details all the way to legal contracts and statements, making them a prize target for criminals. Legal professionals need clear guidance on how to defend their gleaming treasure troves of data.
Firms must acknowledge that for cybercriminals no target is too small and no data too insignificant. By nature, the legal industry is rich with sensitive information. As firms revise their cybersecurity posture, here are four areas in which to prioritise resourcing.
Achieving higher ethical standards with purposeful compliance
Cybersecurity can feel like a constant plate-spinning exercise: keeping tabs on the myriad attacker profiles, investing in the right legal tech, and hiring and retaining top talent. However, it’s compliance and ethical considerations that often trip up even the most sophisticated security teams.
Firms have to navigate a never-ending maze of regulations and compliance frameworks, particularly those that deal across borders and industries. Compliance takes up precious time and energy from teams that need to focus on practical security, including spotting threats, particularly as high-risk threats such as nation state attacks grow in frequency and sophistication.
However, compliance cannot be overlooked. As legal firms act as the guardians of ethical business practice, the industry is under a harsh spotlight, expected to set the standard for data protection and regulatory best practice. As reputation and trust are the foundation that client relationships are built on, ensuring teams have the resourcing required to closely monitor the attack landscape is essential.
It is therefore vital to implement a stringent, documented framework of regulatory policies and procedures, guided by client-specific data protection goals, that can adapt to developments in industry best practice. From this flexible framework, it is then much easier to identify the gaps in your security posture, as risk can be assessed continuously across the client roster regardless of market and geography.
Battling virtual borders
Within the current geopolitical climate, nation state attacks are a real and pressing threat. State-backed malware and hacktivism are on the rise, creating a dangerous environment for firms that have to contend with attackers with greater resources than their in-house security teams.
Unfortunately, legal firms are an attractive target due to their arsenal of sensitive data and their connections to other valuable businesses. For example, organisations that offer consultancy to critical national infrastructure can hold sensitive information on how their clients operate, or offer a gateway into their systems. As such, they are useful stepping stones for state-backed bad actors looking to steal intellectual property and cause disruption.
Nation states are the biggest and boldest adversaries to take on. Firms daunted by the prospect are best served by first focusing their cybersecurity strategies on managed detection and response (MDR). The most effective MDR plans are 24/7, prioritising speed, clarity and visibility. As soon as a threat is detected, everyone within the organisation knows what their role is and how to contain the threat.
Being selective and competent with new tech
Law firms and the public sector are increasingly adopting cutting-edge technologies to improve efficiency in the sector. However, whether it’s a productivity tool or a legal database engine, any technology poorly onboarded and managed within the firm can be a potential gateway for a bad actor to enter the network.
Managing this threat relies on a clear onboarding process and visibility of the entire network. Maintaining this internal transparency will also help mitigate the impact of insider threats, for example when cyber-naive employees accidentally click on a suspicious email link and release malware into the organisation’s network.
While firms should never be discouraged from investing in worthwhile new technology, the key is being selective about what really has the potential to have a transformative effect on operations and outcomes throughout the business. Keep in mind that if your firm doesn’t know what’s running on the network, or doesn’t truly understand how a new technology works, then criminals can exploit it to gain access to your data. Every integration needs to be handled with the utmost care.
What it really means to be security-conscious
Finally, good cyber hygiene relies on reinforcing defences with protocols and people. Firms should operate on the mantra that a cyber incident is a matter of when, not if. Investing time in planning a response strategy is just as important as investing in the right talent and the right solutions for your business. Nurturing a security-conscious workforce is not just about training staff to spot phishing attacks. It’s about ingraining cybersecurity as business-critical, just like keeping the lights on, the Wi-Fi strong and the coffee pouring.