Current Challenges and Opportunities in the Legal Sector

Current Challenges and Opportunities in the Legal Sector: Insights from our legal roundtable

Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO, Rob Rutherford joining myself and several Partners, Managing Partners, and Heads of IT from south coast law firms.

It was a fascinating evening of discussion, with a focus on how best law firms can mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.

Law firms in the crosshairs

Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.

Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.

There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.

Time for multi-layered cyber-defence

As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:

  • Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
  • Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches
  • Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test this, such as what happens if the firm is affected by Ransomware.
  • Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently, mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.

Risk extends to third parties

Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.

Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.

Gaining an advantage through AI

Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.

Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:

  • Pure AI, using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases
  • GenAI: AI that can produce and summarise content including text, video and images
  • Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, eg many suppliers now embed machine learning into their applications

Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large number of lawyers and fundamentally change the way the sector operates have been significantly oversold.

AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.

Stay informed, sign up

Copilot for Microsoft 365: Our first impressions

Copilot for Microsoft 365 QuoStar first impressions

Copilot for Microsoft 365 was announced to much fanfare back in March 2023. It promises much: to free staff from the drudgery of day-to-day workplace tasks and in so doing unleash a new wave of productivity growth. But what’s the actual experience of using it like?

Our experts have had a few weeks to road test the tool. There are certainly some impressive features. But organisations should also be aware of what it can’t yet do, without them first spending significant extra time and resources on assessment and preparation of their data architecture.

What Copilot for Microsoft 365 does well

The bottom line is that Copilot for M365 can add value for employees using it for basic tasks in Teams, Excel, Word, Outlook and PowerPoint. In that respect, it could save users a few hours per month depending on their role. Here are our initial first thoughts:

  • The potential for time saving is clear to see, but doesn’t feel like the finished article just yet
  • Preparation needs to be done; organisations shouldn’t just dive right in
  • Word and PowerPoint Copilot work especially well for inspiration and a starting point in documents. But not to give you what you want without manual intervention.
  • It is worth the money. Even though we’ve not used Copilot to its full extent yet, users don’t need to be saving too much time in their workload for the ROI that under £30 a month provides
  • Time savings will just be the beginning. It could increase employee satisfaction, improve the quality of work and reduce digital debt
  • Remember that improper deployment without the right security measures may expose confidential company and employee details

Copilot for Microsoft 365 is particularly good at specific tasks/use cases. These include:

  • Effective meetings: Using Microsoft Teams CoPilot to take notes/summary enables users to concentrate on presenting and engaging.
  • Data Analysis: Bulky spreadsheets andare easily summarised, using CoPilot in Excel—whether that is producing diagrams, creating Pivot tables or projections.
  • Content Creation: Copilot in Word and PowerPoint is useful at providing starting documentation when users need inspiration, or for rewriting paragraphs with a different tone/language.
  • Email Processing: Copilot in Outlook can summarise emails when users have been out of the office, draft responses to emails, and rewrite emails with a different tone.

Where there’s AI, there’s risk

However, there is one major challenge for organisations wanting to jump into Copilot for Microsoft 365 from day one. It’s only as good as the policies and data they put in place. A lot of work needs to be done first to structure and segment corporate data correctly. This could run into the tens of thousands of pounds of consultancy work to review the data, understand how the organisation wants to structure it and then move it into the Microsoft cloud data storage ecosystem.

There’s a significant security and compliance dimension to this. Although we’re not talking about an open data ecosystem like ChatGPT (instead, data is restricted to an organisation’s Microsoft Graph and 365 apps) there is a risk of users inside the company accessing data they don’t have permissions to view.

Licensing costs and considerations

Stripping out the upfront costs mentioned above to get your data organised and structured, whilst the licensing cost per user for Copilot for Microsoft 365 may feel significant, it isn’t if organisations are genuinely saving those two hours per month per employee. Copilot is now available for just £27.30 per person per month, billed annually and upfront.

However, it’s worth remembering that licenses must be paid up front on an annual basis, and this will only get you the basic Copilot tool. Without an E5 license, organisations won’t have the required security functionality. There’s also functionality such as automatic subtitling of foreign language speakers that requires a premium Teams license.

Note that in order to benefit from those Teams capabilities listed above, the meeting organiser needs to have a Copilot license, which effectively means every employee needs one to be truly effective. This could significantly increase licensing costs across the organisation. Beware those hidden costs!

Organisations should also bear in mind user training is key to learn how to work with AI and provide the right prompts to get the information you need – we found the effectiveness of Copilot initially lower than expected until we knew the right questions to ask, and whilst Copilot is still developing, some time efficiencies may be eroded as users are forced to chop and change between apps.

Getting started with some quick wins

That said, there are things organisations can do today to extract value from Copilot for Microsoft 365. Consider the following tasks:

  • Summarising large volumes of emails in the mailbox to catch up/prioritise quickly
  • Drafting new emails at speed
  • Recapping Teams meetings
  • Creating new images at speed
  • Summarising lengthy documents
  • Finessing/rewriting existing content with a specific tone/audience in mind

However, to gain true value from the product, organisations will need to:

  • Reach out to third-party experts to assess and prepare:
  • Structure and segregate relevant corporate data
  • Work out data security, privacy and compliance controls
  • Purchase Copilot for Microsoft 365 and any relevant additional licenses
  • Expand and extend with third-party plugins. As the ecosystem grows, this could add significant value

It’s worth noting (as with all things Microsoft) the product is constantly evolving – Microsoft has recently announced incoming additional functionality, with Restricted SharePoint Search coming early April, focused on simplifying site audit permissions, and CoPilot for OneDrive scheduled for release in Late Aril / early May, which promised to hep users quickly retrieve information from files stored in OneDrive.

Microsoft has several resources to help organisations discover how the Copilot tool works, how to prepare their tenant, and the technical onboarding requirements for IT admins.

If you’re looking to introduce Copilot for Microsoft 365 into your organisation, get in touch with QuoStar today. Our team of Microsoft experts are here to help you get started.