Data breaches and hacker stories have made most organisations aware of their IT vulnerabilities, leading many to implement strict controls related to data privacy.
Despite receiving less media attention, data intrusion at law firms is a growing threat. While it is well established that implementing a cyber defence strategy protects consumer data and sensitive case files, a number of law firms still struggle to incorporate cybersecurity and risk management, according to John Duckett of InPlaceSolutions.
- IBM’s Cost of a Data Breach Report identified that in 2020 the average business cost of a cyberattack was $3.86 million, and that it takes over 200 days to detect a breach
- Herb Stapleton, FBI Cyber Division Section Chief, speaking to Hillarie McClure on the Cybercrime Radio podcast, mentioned that since the start of the pandemic there had been a 3x spike in the complaints received by the FBI’s Internet Crime Complaint Center (IC3.gov). He added that before March 2020 the IC3 was receiving around 1,000 complaints per month, and that the figure is now nearly 3,000.
- According to the 2021 Australian Cybersecurity Risk Report, a report from Varonis Systems, Inc., “Almost two thirds (63%) of respondents reported it is very likely or likely that their organisation would be the target of a cyber-attack/threat in the next 12 months.”
Recent cyber attacks
- November 22, 2021: Australia's Copyright Agency investigates cyber incident
- November 12, 2021: Conveyancing giant told to improve communication after cyber-attack
- July 19, 2021: Campbell Conroy & O’Neil Provides Notice of Data Privacy Incident
- January 25, 2021: Australian Law Firm Allens Caught Up in Cyberattack
- January 25, 2021: ASIC says it was hit by cyber attack
The protection against cyberattacks: Need for incident response plan (IR plan)
The legal industry often finds itself at a crossroads when adopting technology, and many organisations still use outdated IT systems. The adoption of cyber security policies, including an IR plan, has been sluggish regardless of how heavily firms rely on online services and technology.
In September 2020, the Solicitors Regulation Authority (SRA), the regulatory body responsible for the professional conduct of solicitors in England and Wales, published a report. The SRA selected and interviewed a sample of 40 firms on cyber threat and security related issues. Some of the vulnerabilities identified by the SRA included:
- 73% of firms (29) had reported incidents to the SRA
- Seven significant incidents were not reported, despite clear and significant breaches
- Reports were not routinely made when clients were affected but the firm had not been directly involved, for example, where clients were tricked into sending money to a third party
- More than half of firms allowed external data sticks to be freely used and plugged into their machines
- Two firms used an old Windows operating system for which security updates had ceased in 2014, while 16 were using a system for which Windows support was due to end imminently
- 11 firms had inadequate policies in place, and 10 had inadequate controls
- Eight firms (20%) had never provided specific cybersecurity training to their staff
- More than half of the firms did not keep records of who had received such training
In the report, SRA stated, “For firms, having knowledgeable and empowered staff is the first line of defence against cybercrime. Creating such a culture relies upon having effective policies and controls in place”.
Implementing an IR plan
An IR plan provides an incident reaction strategy in the event of a serious security breach: a process to mitigate the risks involved. Law firms may either deploy dedicated IT security personnel (members of the IT staff who collect, preserve, and analyse incident-related data) or train existing personnel to form an incident recovery team.
Lawyers and IT personnel need to work in collaboration to make sure legal compliance requirements are met. Additionally, the relevant regional regulatory bodies may need to be contacted as part of any cyber incident process.
Strategies to implement an effective IR plan should include the following:
Identify: The first step of any strategy is to recognise the key players.
- Identify and prioritise information assets
- Prepare a list of stakeholders and employees
- Recognise potential risks and their value
Define a baseline for normal business activities so that triggers (deviations from it) can be noticed.
Prepare: Part of the response plan is to communicate with relevant stakeholders about the incident and the steps taken to ensure the loss is minimised.
- Segregate employee duties and responsibilities
- Prepare a notification and communication process
- Outline the defence approach
- Establish necessary procedures
- Formulate a training plan
- Define the recovery point and recovery objective
Ascertain a budget to deal with unwanted costs.
Defence: Important matters require a thoughtful strategy rather than a hasty decision. Hackers often exploit flaws in the defences, so it is important to:
- Deploy detection tool sets such as intrusion detection systems (IDS) and data loss prevention (DLP), and define audits and their frequency
- Identify and fix flaws in hardware and firewalls
- Deliver training to staff
- Deploy the action plan
- Analyse what happened and how it was handled, to aid future actions
- Collect and analyse network data
- Confirm data recovery procedures
- Communicate with internal and external stakeholders
- Validate cybersecurity and IT training standards
Start with training
The first line of defence against cyber threats is to create awareness. Training personnel on safe cyber practices, identifying the triggers, mitigating risks, and apprising stakeholders are a few steps that an organisation can take.
Law firms that have adequate policies and processes to deal with cybercrime and the dangers that come with it will have solid foundations for reducing their exposure to it. Having an IR plan should be on the ‘must have’ list for dealing with cyber threats.
Disclaimer: The views and opinions expressed in this article do not necessarily reflect the official policy or position of Novum Learning or Legal Practice Intelligence (LPI). While every attempt has been made to ensure that the information in this article has been obtained from reliable sources, neither Novum Learning or LPI nor the author is responsible for any errors or omissions, or for the results obtained from the use of this information, as the content published here is for information purposes only. The article does not constitute a comprehensive or complete statement of the matters discussed or the law relating thereto, and does not constitute professional and/or financial advice.