Small but Confident Steps on the Journey into Cyber Security for Solo Legal Practitioners
The legal sector – an attractive target.
The National Cyber Security Centre has identified the legal sector as a top target for cyber criminals, and it is not difficult to see why. Law practices hold large amounts of sensitive and confidential client information, they handle large amounts of clients’ money, and they are key enablers in business and commercial transactions.
Like most modern businesses, law practices are offering more and more of their services digitally. Coupled with the current climate of remote working, Zoom meetings, webinars and the use of personal devices for work, this means the opportunities and avenues for cyber crime have never been greater.
Phishing is the most common cyber attack affecting the vast majority of sectors, and law firms are no exception. It is so prevalent in areas of practice such as conveyancing that it has even got itself a nickname, ‘Friday afternoon fraud’. Friday afternoon fraud refers to both email and telephone scams; the name comes from the fact that they usually occur on a Friday afternoon, when staff are at their least attentive. A successful phishing attack that results in someone “clicking the link” can lead to ransomware infecting all connected IT systems, and may also involve the cyber criminal accessing or taking your sensitive data.
A good reputation is paramount for a legal practitioner, and the loss of client information can have a devastating impact on a business that has confidentiality at the heart of its identity. There does seem to be a strong awareness in the legal sector that law firms are high-risk targets for a cyber breach and have a lot to lose, yet many practices are not taking sufficient steps towards protecting themselves. Why does this gap exist?
Cyber Security is a management issue
The majority of law firms are micro, small or medium sized enterprises (SMEs) and, while some do outsource their IT and hope that it also includes their cyber security, many manage it themselves without a good understanding of the basic security controls.
A typical lawyer will spend their long training and most of their career learning about law, perhaps only starting to manage more than their own cases when they are put in charge of a team or a department. Managing a practice is often learnt on the job and, in addition to practising law, involves accounting, marketing, health and safety and now cyber security.
Busy putting out fires
In any given week, the average law firm is challenged by a constant flow of anti-money laundering regulations, new solicitor’s handbooks and ever-changing legislation in every area of law, while trying to keep on top of the practicalities of implementing all those changes. For example, as of last year, due to social distancing measures, witnessing a will by video is now acceptable, and electronic signatures on a deed are also now acceptable for the purposes of the Land Registry. Rapidly adapting technology platforms to accept these new rules means that just keeping everything up and running to earn money is always more urgent and always more important than planning to mitigate the threat of a cyber attack.
In many of the NCSC meetings and conferences about the legal sector, SSPG members have been the biggest group attending. One reason for that is Sole Practitioners are much more vulnerable to criminal, civil and professional cases against them if there is any breach in Cyber Security. If you are working on your own, even if you have a limited company status, you are going to be in the hot seat if there is a breach of data protection.
What should your Law firm be doing?
In her Cyber Security 2020 Update presentation for The Law Society, Jennifer Williams sets out some simple guidelines for Legal firms.
- Certify the basics, gain Cyber Essentials.
- Check out your IT team or provider to ensure they have an understanding of Cyber Security and are embedding it in your systems.
- Implement DMARC – Domain-based Message Authentication, Reporting and Conformance is an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing, scams and other cyber crimes.
- Much of your cyber security posture is publicly searchable. Find out what criminals can see about your firm.
- Train your staff to be aware of the ever-changing and increasingly convincing phishing scams.
- Test your response plans (how would your firm cope if attacked).
- Encrypt sensitive emails.
As a sole practitioner, it is down to you to get your house in order. The price for not doing so could be extremely high. Cyber Essentials is designed as a simple but effective government-approved scheme based around the most important, basic cyber security controls. It embodies a strategy by the National Cyber Security Centre to help businesses of all sizes in the UK protect themselves from the growing threat of cyber crime.
The scheme is focused around just five core controls which have been proven to protect organisations from 80% of common cyber threats. Many small business owners say that working towards the certification acts as a useful checklist to ensure they have not overlooked anything, and describe the process as highly educational.
As a sole practitioner, you may find cyber security overwhelming and complicated and not know where to start. You are not alone. To help join the dots for beginners so they can access the Cyber Essentials scheme, IASME, the National Cyber Security Centre’s Cyber Essentials Partner, has created a free online advice tool to help small businesses get started.
Launching at the end of February this year, the Pre-Cyber Essentials Journey will be accessible on the IASME website. By answering some simple questions, you will receive targeted advice about what controls you still need to implement. You will be directed towards the appropriate guidance based on your answers to the questions. Upon completion, you will be able to download an action list and a description of what additional requirements or steps there are still to achieve.
Although reaching the level of Cyber Essentials is the end goal, it may be that there are many steps along the way that need to come first. Small spoonfuls of information about Cyber Security will be available allowing you to learn at your own pace. Every time you put an additional control in place, however small, your practice is more secure.