CTS recently hosted a roundtable event attended by C-level representatives from the UK’s leading law firms. The aim was to understand how they have formulated their cyber threat management strategies and how they expect those strategies to develop as the threat landscape changes.
The first point to note is that everyone recognised security as the number one risk to law firms, with a sophisticated criminal fraternity breaking into businesses in varied and often remarkably creative ways. However, whilst an incident can drive a firm’s Board to invest, there is still a degree of complacency that ‘it won’t happen to us’. Feedback from those outside IT is that people are often too busy to check anything fully, do not always pay full attention, and do not regard security as important enough. Security is therefore still seen as an IT problem rather than a business-wide one. A change in firm culture is required; this is the key to progress on security, but driving that change is difficult and has to come from the top.
Despite these obstacles, Board members are acutely aware that their firm’s reputation is always at risk, particularly where security is concerned. If an incident occurred and the Information Commissioner’s Office (ICO) concluded that the firm had acted responsibly and was not at fault, the firm’s overall reputation would be largely unaffected. If, on the other hand, the ICO found that the firm had not acted dutifully and could have prevented the incident, there would be a real threat to its reputation.
Securing funding and budget for security is not necessarily the problem: certain clients, insurance clients for example, are driven by security and demand that a law firm comply with their requirements. Firms that cannot simply do not get the work. The more pressing issue is getting partners, lawyers and staff to comply with the security measures that are implemented.
There is some overlap between current security solutions, and managing the interaction between them matters. The opposite, a gap where no solution covers a risk, would be far more damaging. Salaries for security staff are rising as demand outstrips supply, and the risk is hiring someone very expensive who is then poached, leaving the firm back at square one.
So how do law firms overcome this? The view at the roundtable was that a security-as-a-service solution, benchmarked and reporting on changes in behaviour patterns, makes more sense than doing it in-house; for most firms, outsourcing was seen as the only option that makes sense. It allows law firms to introduce tools they may never have considered and to rely on specialists.
Spend on security has increased six- to seven-fold over the last two to three years to keep pace with the number and sophistication of threats. The recommendation is an IT budget that incorporates security rather than a separate security budget. IT Directors are seeking the best security available and are willing to invest heavily in it, including outsourcing and training, to minimise and manage the number of threats efficiently. Attacks cannot be stopped altogether, but they can be guarded against.
It is almost impossible to predict the future beyond the fact that it will get more complicated and that cyber threats will come from many sources; some of the risks that will exist in five years cannot yet be imagined.
Law firms need heightened security across every aspect of their business, and an outsourced security service that monitors activity patterns, detects changes in behaviour and acts on them immediately. They also need to educate people on how easily their firm, and they as individuals, can be hacked, and on the reputational damage, emotional strain and financial loss that follow.
Interested in learning more? Our whitepaper on Managed Detection and Response outlines how firms can achieve advanced threat protection without huge upfront investment. Click the button below to download.