Law firms are in a unique—and perhaps precarious—position when it comes to cyber security. They not only have to protect their own electronically stored information, but they have a responsibility to protect the information of their clients as well. Are law firms doing enough? According to a recent survey of UK law firms, while 68 percent of law firm employees think firms are a likely target, only 35 percent have a response plan in place for an attack.
“Locked down? A Closer Look at the Rise of Cyber Crime and the Impact on Law Firms” was produced by Legal Week in association with digital security firm Stroz Friedberg. Views of more than 370 senior business people were collected for the report, almost half of whom worked in the legal profession.
“The failure of UK law firms to tackle online security is leaving clients increasingly vulnerable to attacks,” Seth Berman, executive managing director of Stroz Friedberg, said in the report. “As custodians of clients’ intellectual property and commercially sensitive information, law firms are particularly attractive to hackers.”
In fact, the potential loss of client data was the top concern cited by respondents (32 percent). And while 36 percent of law firm respondents think their systems can withstand an attack, only 9 percent have created an estimate of how much such an attack would cost, compared to 26 percent of those in other businesses.
Law firm employees also lack confidence in top management’s understanding of cyber security issues. While 86 percent see cyber security as an issue for the senior executives, only 31 percent of law firm personnel think their top management fully understands the threat. However, 62 percent think their business partners take the threat seriously.
Lawyers are also not a very trusting bunch. In the face of a security breach, those in the legal sector are two times more likely to suspect their own employees than are those in other professions (13 percent vs. 7 percent). And law firm respondents are also much less likely (35 percent) to include outside cyber security experts in any contingency planning than are nonlawyers (53 percent).
Berman recently spoke with John Malpas, Legal Week’s publisher, about several of these issues and case studies. He noted that while many may think they’re powerless in the face of cyber attacks, they are not. Law firms need to be particularly concerned about so-called “spear phishing,” in which hackers use detailed information that’s readily available on law firms’ own websites to craft targeted emails with virus-containing attachments.
He says that there are three ways that law firms can minimize their risk:
- Conduct an annual IT security audit, ideally using an outside vendor.
- Educate your employees, including use of fake spear phishing emails to train them in what to look for and how to proceed if they get a suspicious email.
- Prepare for what happens if there is an attack, including who is in charge and the response.