Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO, Rob Rutherford joining myself and several Partners, Managing Partners, and Heads of IT from south coast law firms.
It was a fascinating evening of discussion, with a focus on how best law firms can mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.
Law firms in the crosshairs
Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.
Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.
There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.
Time for multi-layered cyber-defence
As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:
- Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
- Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches
- Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test this, such as what happens if the firm is affected by Ransomware.
- Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently, mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.
Risk extends to third parties
Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.
Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.
Gaining an advantage through AI
Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.
Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:
- Pure AI, using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases
- GenAI: AI that can produce and summarise content including text, video and images
- Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, eg many suppliers now embed machine learning into their applications
Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large number of lawyers and fundamentally change the way the sector operates have been significantly oversold.
AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.
