Threats to cybersecurity are a concern for every industry and business. However, the legal sector remains an especially attractive target due to the wealth of sensitive information held by law firms.
Patent data, merger and acquisition information, negotiation information, and protected witness information are just some examples of sensitive commercial data and intellectual property that are highly desirable to cybercriminals, hacktivists, and state-sponsored parties.
It is easy to see why legal firms are rich with opportunity for these groups.
When it comes to a breach of cybersecurity, the financial loss is rarely the most detrimental issue for businesses. Since trust is integral to the operation of the legal sector, a successful cyber-attack has the potential to cause long-term reputational damage, with severe implications for the future of that firm.
Legal Week’s Benchmark study, entitled ‘Locked Down?’, in association with Stroz Friedberg, highlights some of the issues that make the legal sector more vulnerable to cyber-attacks than other industries:
- Non-lawyers are far more likely (52%) than law firms (35%) to have a response plan in place for cyber-attacks.
- Respondents from the legal sector are less likely (35%) to include external cyber security experts than non-lawyers (53%) in their attack contingency planning.
- Less than a third (31%) of people working in law firms believe that their top management fully understands the issues around cybersecurity, compared to 36% outside the law.
- Law firms fall behind the rest of the commercial world in terms of estimating the costs of a cyber-attack. Only 9% have worked out potential costs, compared to 26% in businesses outside the legal sector.
Seth Berman, executive managing director of Stroz Friedberg, believes that law firms must pay more attention to cyber security:
“We know law firms are being targeted … hackers seeking commercial secrets are known to regard law firms as a weak link in the information chain. The very nature of law firms makes them an active target.”
In the past, it has too often been the case that responsibility for ensuring cyber security has sat solely with the IT team. While technology is a key factor in ensuring ongoing protection, it is crucial that all businesses, including law firms, are now recognising the important role to be played by employees, processes, and organisational culture in protecting against cyber threats. When security is a shared responsibility across an organisation and staff are empowered with knowledge, the ability to avoid a breach, and detect a compromise more quickly, is increased.
According to the latest ISO Survey, there was a 17.6% growth in the number of ISO 27001 certificates in the UK last year. This certification is an internationally recognised cyber secure status and is reassuring for potential and current clients. Many leading law firms, including Allen & Overy, Bond Pearce, and Clifford Chance, have already achieved certification to the Standard as a means of proving their commitment to securing their clients’ data.
Rather than being an inconvenience, or a significant cost that will not provide a return on investment, information security and protection of client data is increasingly seen as a key differentiator. In a world where contracts are won and lost based on very small margins, each differentiator counts.
The threat to the cyber landscape is ever changing. Having fallen behind other industries, law firms will need to give cyber security their full attention in order to protect their clients and their own interests, while attracting new business along the way.