Exploring Cybersecurity in the Legal Sector
This article first featured in the security special edition of Briefing magazine.
Law firms today are becoming increasingly knowledgeable about the range of cybersecurity attacks they could expect to see targeting their systems. The area of management that they most need to improve is addressing their risk profile and exposure proactively. Proper incident response to mitigate the impact of an attack continues to be business-critical – but certain actions can also reduce the likelihood of a successful attempt in the first place.
In fact, businesses need to be as assiduous as those behind the growing threats they face. Cybercriminals in 2019 are doing due diligence of their own: more detailed research on the vulnerabilities of both software and the people in organisations who use it – practising and honing their skills to increase their own chances of success and ensure they’re only spotted late in the attack.
Finding the resources to meet that sizable effort can present a challenge. Large global organisations like top law firms will have strong, hard-working IT teams, but even then, running a 24/7 information security monitoring operation may present a significant burden. Instead, it may make more sense to partner with an outsourced specialist in threat management, highly trained to track emerging types of attack and their modus operandi, as well as the best ways to see them off.
It’s unsurprising that only a minority of firms have so far recruited or appointed a chief information security officer. The remit for this role is wide – encompassing networking, process, remediation and event management. And there’s a market shortage of the skillset needed to take that on, even before considering whether the workload is manageable.
However, another problem when it comes to making strategic investment may be one of mindset. There’s a tendency for people to think terrible events simply won’t happen to them – so, the reasoning goes, why pay for the most expensive insurance policy? Of course, they could end up paying out more to recover once hit – not to mention the impact on a carefully guarded reputation that could cost a few profitable clients.
Those same clients’ level of interest in firms’ security decision-making and practices is a trend that’s only going in one direction. Requests for proposal now often include specific questions about information security preparedness, and companies will potentially conduct their own audits before awarding work. Some clients even want to know about the processes in place at firms’ supplier partners. Of course, if firms are well prepared, they should arguably be able to pass that information on with confidence.
It also appears that some firms don’t appreciate that their sensitive documents and data are as attractive to criminals as the large sums of money that might be available in other organisations’ infrastructures. Cybercriminals will pursue whatever generates money, and one of the biggest things in that category is data. Ransomware, for example, has the potential to threaten individuals and organisations with repercussions for their data if they refuse to pay. Data can also be used to go after clients’ money more effectively.
The bottom line here is that complacency and/or denial is likely to cost more than investment in a cybersecurity strategy – and the factor that places firms at most risk. However, both sensitive documents and data are also at greater risk with the rise in remote working patterns. More devices means more possible points of entry, and of course these can be left on a bench or train. Firms must invest in technology to protect files, but people also need the training in behaviours, policies – and yes, the technology – to prevent them from becoming a significant part of the problem (never mind helping with the solution).
Fortunately, some categories of technology are also coming forward to help with these very human security challenges. Machine learning or automation software, for example, may be in a position to support aspects of education. Tools might issue the timeliest reminders or prompts to take (or not take) specific actions, and use past and present data to better predict the shapes and times of future attacks.
However, isolated implementations of security technology and one-time employee training sessions are not enough. The risk landscape is changing rapidly, meaning today’s technology update or top lesson may no longer even be relevant in a few months’ time as the attackers start on a new route. Rather, firms must adopt a security-first mentality and create a culture of security, where personal responsibility, awareness of consequences, strong communication skills and the regular knowledge updates are standard.
Finally, culture needs consistent work itself, even at the best of times. The top tier of business leadership should be visibly backing the communication and reiteration of security messages – leading by example, and sharing knowledge regularly for it to filter through to the defensive ‘front line’ effectively. And whether the board is investing in a CISO any time soon, or seeking the support of a close specialist partner, an information security culture – as with much of management – benefits from having a recognisable human face.