Current Challenges and Opportunities in the Legal Sector

Current Challenges and Opportunities in the Legal Sector: Insights from our legal roundtable

Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO, Rob Rutherford joining myself and several Partners, Managing Partners, and Heads of IT from south coast law firms.

It was a fascinating evening of discussion, with a focus on how best law firms can mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.

Law firms in the crosshairs

Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.

Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.

There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.

Time for multi-layered cyber-defence

As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:

  • Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
  • Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches
  • Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test this, such as what happens if the firm is affected by Ransomware.
  • Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently, mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.

Risk extends to third parties

Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.

Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.

Gaining an advantage through AI

Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.

Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:

  • Pure AI, using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases
  • GenAI: AI that can produce and summarise content including text, video and images
  • Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, eg many suppliers now embed machine learning into their applications

Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large number of lawyers and fundamentally change the way the sector operates have been significantly oversold.

AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.

Stay informed, sign up

Reassessing IT Security in Professional Services

Reassessing IT Security in Professional Services

Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much common sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department, it is a challenge that must be tackled at the board level. Many firms still erroneously view Information Security and Cyber Security as IT issues when they are, in fact, most certainly broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture; identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. This is almost as if they’ve delegated accountability to their suppliers for their firm’s operation; that’s a big statement to make i.e.  ‘we are going to close our eyes and hope they’ve got it under control’.

The issue is compounded as many IT teams are currently overwhelmed in firms. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Conclusion

Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.

Resolution

In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

  • Ongoing senior IT security leadership and guidance.
  • IASME or ISO 27001 implemented and managed (if desired).
  • The ability to effectively manage and respond to cyber-security threats.
  • A defined, ongoing roadmap for cyber-security protection.
  • All key documentation, policies and processes agreed and in place.
  • All key parties engaged in security standards implementation.
  • An overall definition of cyber-security strategy and tactics.
  • All key stakeholders understand the business objectives.
  • The ability to formally evidence management of cyber-security
  • Continual review & evaluation of the threat landscape to control your risk profile.

Schedule a complimentary review with a CISO and book your Cyber Maturity Assessment today.

The ransomware risks to law firms and how to protect against them

Ransomware risks to law firms

Ransomware risks are the largest threat that faces law firms today.

Ransomware attacks have increased by 288% in 2021. And, Reuters doesn’t expect this to slow down any time soon – comically suggesting that “Like ‘Terminator’, high-tech cybercrime is expected to keep coming.”

Any business can become a target to cyber criminals, but law firms are one of the top targets globally. Even a listed UK Law firm was hit by cyber-security a incident this year. It’s obvious that law firms are lucrative and have access to money, so they are often able to pay a ransom where other types of businesses might not.

However, cash flow is not the only reason firms become a target. Law firms have many interaction points and are in effect a service business – service businesses live and die by their reputation. That’s why they are a prime target.

 

Ransomware risks to law firms: why are they a great target for Ransomware attacks?

They have some great data, and that fits with the Ransomware business model. Ransomware is a revenue generator for cybercriminals. Ransomware encrypts your practice’s electronic data, and takes a copy of the data, which can then be:

  • Sold to other cybercriminals
  • Held to ransom over public release of sensitive information
  • Assumes control of your social media and broadcasts your data and failings
  • Sell the exploit details to another cybercriminal
  • Use the same exploit again and ask for another ransom

 

Are law firms financially protected from cyber-attacks?

Typically, a paid ransom will be reimbursed by Insurance, but of course only if the right controls are in place from a cyber-security / risk perspective in the first instance.

Many firms think they are protected financially by simply having insurance in place to reimburse a ransom payment. However, if there isn’t the right security in place, then insurance won’t pay out.

 

Money isn’t the only loss a firm faces when hit

Greater threats are posed, here are some other ransomware risks to law firms.

Some ransom groups will demand a ransom, but that will only be after they’ve posted all of the firm’s sensitive data, and client data onto the dark web.

The firm may be able to get operational again, but the real damage goes beyond that, as their client’s data is in effect spread globally for anyone to access. It’s easy to see that the ransom payment is just a fraction of the real cost a firm could face.

A breach means letting clients know their data is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. That’s big, it will seriously hurt the firm and all those they work with.

Regulators want to try to compound that damage. A firm is now looking at huge fines from the regulators, such as the ICO and the SRA. It’s a horrible place to be, hence the focus from those in the global ransomware business, which is now bigger than the drugs trade (the global cybercrime economy generates over $1.5 trillion).

This year 4 New Square Chambers took an unusual approach this year after they were attacked mid-June. For damage limitation purposes they took out a court order demanding the criminals not to share the stolen data. The mystery hackers were ordered to hand over any information they may have obtained by 27 September 2021 or face possible contempt of court proceedings – but only time will tell how well this has worked.

 

Risk and IT security are not separate entities

Too many in the legal industry view the ransomware risks to law firms and IT security as separate entities. They simply put being secure from a cyber perspective and all those risks down to the IT team. That’s just not going to wash with regulators, clients and very likely the media. Risk is a board responsibility/accountability, not IT’s.

Of course, the IT team plays it part. However, like every important functional operation in a firm, you need governance. The whole firm needs to be aware of its role in controlling risk, especially as most IT breaches come from an employee doing something they shouldn’t. The biggest threat to a firm’s security is more often that not going to come from something simple such as someone unsuspectingly clicking a link or giving information out over a phone.

 

IT can only so go far

New and emerging threats are often targeted at the end-user sat at their laptop or on their phone. Sure, technology has its risks, such as unpatched software or a lost laptop, but people are always the weakest link. Although employees pose one of the largest risks with one of the biggest impacts, the threats are of course much wider.

The other big risk is vulnerabilities within IT systems that face the Internet, both those run internally and through third parties, such as a website host, an IT supplier, or some form of partner organisation that links into a firm’s systems. Every link into a firm is risk. they need to be evaluated and tested. A firm should certainly penetration test their own systems, but they should also look at those they interface with, to ensure they also deal with their part of the wider risk piece.

 

So, how can the ransomware risks to law firms be avoided?

There are most certainly the basics that should be dealt with, especially where ransomware is concerned, such as:

Have you got an air gap in your backups?

Ransomware attackers want to encrypt your data. That may take you down for a few days. However, if your backups are also on the same network as your data they will be looking to ensure they are also encrypted. That leaves a firm dead in the water with no chance of recovery.

Do you have a rigid patch management policy?

Many businesses patch once a week, many once a month. That’s not enough. The IT team needs to be continually aware of brand new threats and needs to deal with them quickly, or they need to rely on a specialist IT security partner to deal with it.

Do you use a VPN to protect endpoints on public networks?

Too many firms allow their staff to connect at home or in other locations, such as hotels, over unprotected networks. That’s a risk that needs to be controlled via a VPN.

Do you consistently train and test your users how to spot suspicious email or call?

Again, staff are the weakest link and need to be able to spot suspicious behaviours online.

Do you control USB ports to ensure non-approved storage devices can’t be installed?

You can’t allow staff to plug anything into a work machine or a machine that accesses work machines without controls in place. For example, a Rubber Ducky Attack cyberattack, where a custom USB device emulates a USB keyboard to attack a workstation.

Do you have an email security protection system in place?

You do need an advanced email security protection system in place that checks both links in email and the attachments. You can’t generally rely on email provider systems, not even Microsoft’s.

Do you have next generation antivirus in place?

Traditional antivirus systems aren’t enough to protect against ransomware. Once they’ve detected it with a scan it’s too late. You need NGAV (Next Generation AntiVirus) which can spot ransomware before it does its damage.

Do you have 2-factor authentication in place?

This is probably one of the biggest protections against ransomware available. A third party can steal a password, but they cannot get access to systems without a known device.

Do you have a SIEM and a 24x7x365 SOC?

A SIEM is a Security Information and Event Management system. A SOC is a Security Operations Centre. If you’ve done the other points, then you need a system that looks for suspicious behaviour (a SIEM looks for it) and a team that can take that alert and respond (a SOC). These systems can be expensive, so you need to really make a judged call on how far you should go.

So how do you decide how far you take your IT security?

Well, first you really need to understand the all the risks you face. You need to understand what the likelihood of those risks being exploited, and you need to understand the likelihood of it happening. How do you do that?

You need a system, you need a framework. Too many firms think they have Cyber Essentials so they are secure. That’s not the case. Cyber Essentials is the very basic and doesn’t make you secure, especially not from the ransomware risks to law firms.

Have a plan for resiliency.

The only way a firm, particularly the leadership, can get a grip on IT security is to work to a governance level – to implement an Information Security Management System (ISMS). If you have an ISMS you are doing the right thing from a leadership perspective. You can know your risks, you know the controls of those risks and you can make a call on what you need and want to do – based on real knowledge.

An ISMS, such as ISO 27001 will give you complete knowledge of your risks and how you deal with them. It will also let you manage all of your suppliers and third parties, ensuring they don’t pose a risk you are unaware of.

At Quostar we have a process called “Chain of Resiliency” which highlights the weakest links in your critical systems whether cloud or traditional server-based. This is so you can estimate the cost of lack of resiliency per system appropriate to your law firm, and do a cost-benefit realisation.

 

In short, a strong Executive action plan will:

  • Copy what the big tech companies do.
  • Enforce Backup and restore process (The important bit is the restore)
  • Implement an Information Security Management System (ISMS)
  • Use risk as a management tool not as a list
  • Implement Governance over risks with key stakeholders
  • Follow best practice

 

If you’d like any advice from our CISO on your firms cyber security set up get in touch today.