Many law firms would suffer greatly from being breached due
to the extremely sensitive data they handle on a daily basis.
Any cyber attack in this sector can be catastrophic, so do lawyers
feel ready to stand against the rising tide of cybercrime?
With this in mind, Symantec, in conjunction with the law
publication Managing Partner, conducted a study into how law firms see cyber security.
So do they feel prepared to fight cyber criminals on their own turf?
The research questioned Partners from 81 different law firms in
the UK on the impact, risk and readiness of their firms to combat
cyber breaches.
CYBER SECURITY – A TOP CONCERN IN
THE LEGAL PROFESSION
• Some 48% of respondents are actually convinced cyber security has
already had a massive impact on the legal profession and this will
only increase. This is particularly pertinent with the burgeoning use of
phishing attacks, which are one of the biggest risks to law firms.
• Conversely, 24% feel cyber security will change the legal profession
forever, where vigilance is rewarded and negligence is punished.
• The respondents did, however, feel that if firms have a strong cyber
defence in place, they’ll have a competitive advantage over their rivals.
How big a risk do you think cyber security is to your firm?
• It could materially affect the profits and reputation of our business
• It could leave clients increasingly vulnerable to attack
• There is no risk to our business; our IT staff has it covered
8%
67%
25%
LAW PRACTICES
FACE CYBER RISKS
The study also found that 75% of law practices felt that their
firm had the most to lose when experiencing a data breach, while
more than 50% stated their clients could also lose sensitive data.
With client data being “the lifeblood of the legal profession”,
any breach of this confidentiality could gravely impact future business
ventures, as well as risking possible fines from regulators.
• They can be a risk and we need to improve our security training (46%)
• They’re our biggest risk (26%)
• They’re not much of a risk, we’ve got strong staff training in place (21%)
• They’re a risk because they are not following existing and adequate security processes (4%)
• They’re no risk at all (2%)
INTERNAL STAFF IS
ONE OF THEM
• 43% of respondents think data being mailed, faxed or
emailed to the wrong recipient in error is more likely
to increase.
• 53% felt that loss or theft of physical paperwork will
stay at the same levels.
• 39% of respondents estimate that devices passing
out of the control of the firm with unencrypted
information on them would moderately increase risk
to the business.
This is particularly true with bring-your-own-device
policies, where data stored on those devices is leaving
the relatively safe space of the company’s network.
HACKERS ARE USING MORE THREATS
ELEMENTS TO ACCESS NETWORKS
The information which law firms possess has not yet been the
subject of sustained attack, but with the increased use of remote
working and cloud technology, it is only a matter of time before law
firms become a target for their valuable data.
Third-party threats considered as the biggest by law firms
• Cloud technology providers (42%)
• People/organisations connected to our clients (36%)
• Outsourced dictation/secretarial services (22%)
• Families of our partners using their mobile devices (19%)
EXTERNAL THIRD-PARTY THREATS
ALSO HAVE A ROLE TO PLAY
Although 59% of respondents state that it is the Head of IT who
should hold that position, the role responsible for cyber security
and mitigating risks is not clearly defined.
In your law firm, who is responsible for managing cyber security?
• The head of IT (59%)
• The head of compliance (33%)
• The head of risk (31%)
• The partners (22%)
• The executive board (21%)
• The fee earners (11%)
• The support staff (10%)
• COO (2%)
THE BEST WAY TO DEAL
WITH CYBER RISK
“[Cyber security] has to be a subject on the agenda of the board regularly
and there needs to be an executive director with personal responsibility for
cyber security and risk assurance.”
Professor Sir David Omand, ex-Director at GCHQ
99% of companies believe data protection issues can be dealt with
in-house by:
• Developing new administrative processes
• Investing in new training
• Getting the in-house compliance function to deal with security issues
• Investing in technology to improve their systems
15%, 9%, 8%, 6%
With only 1% of respondents suggesting they will seek external help, this
is worrying, especially when many don’t have the expert knowledge and
software to constantly keep abreast of new attacks.
EXTERNAL THIRD-PARTY THREATS ALSO
HAVE A ROLE TO PLAY
Respondents revealed “law firms generally do not have the
resources to develop in-house solutions”.
So how could they tackle cyber security in the future?
In their opinion, law practices should:
• “Adopt a holistic approach across the firm supporting robust IT and
administrative defence procedures”
• Provide and improve “training and policies”
• “Ensure that the business systems are the best they can be, where
procedures are solid and abided by”
• Make “security the priority factor when selecting IT solutions”
• Define “a strong line of responsibility with the C-suite, robust policies
(that are enforced) for users within the organisation”
FUTURE PROOFING
CYBER SECURITY
UNDERSTAND THE IMPLICATION
If the whole practice has a grasp of what is at stake they will be
more vigilant in the protection of their processes and systems.

LOOK AT POLICIES
Look at compliance policies within the organisation and make
amendments where there are gaps. Ensure that the head of the department
takes responsibility for assessing the risks and for devising and
implementing policies that would stem the rise in risks.

TRAIN EMPLOYEES
If the employees know how to take care of their own information
they will carry that over to their company processes. Employ
independent experts to train employees on best practices and audit
those practices on a regular basis to stay up to date with the latest
security guidelines from the sector.

For more insights, get in touch here: https://know.elq.symantec.com/threat_protection-chapter4-EN
THREE TIPS TO STAY AHEAD
OF CYBER THREATS