June 30, 2021 | Cyber security education
Why legal firms should prioritize cyber security this year
By Katie Yahnke
The COVID-19 pandemic was a major wake-up call for legal firms that haven’t yet prioritized cyber security. At least hundreds of law practices were compromised in 2020 alone, with threat actors freezing access to critical case files, exposing privileged client data, and demanding millions in ransom. Attacks continued throughout 2021, impacting yet more firms.
The truth of the matter is that all law firms are at risk of cyber attacks, especially ransomware and credential theft. But beyond the immediate impact of a security incident, as regulations continue to come into force, targeted firms could face major ethical and legal repercussions if client data is compromised in a hack.
Keep reading to discover eight reasons why cyber security should be a priority for legal firms, along with tips for incorporating it into your corporate strategy, culture, and operations.
Legal firms are a prime target for attack
Law firms are gold mines of sensitive data. The industry in general creates, shares, and stores massive amounts of privileged information, including:
- Intellectual property (IP) such as trade secrets and patents
- Financial statements
- Business contracts
- Personally identifiable information (PII)
- Electronic medical records (EMR)
- Private correspondences
Threat actors seek out this information because it can be sold for money on the dark web or used as leverage in a ransomware attack.
Already an appealing target, the industry’s move to remote work and new return-to-office strategies have the potential to make problems worse. The hybrid business model—one that combines in-office and at-home work—allowed operations to continue last year despite COVID-19 strict health measures. But it created new risk too.
As workforces become more distributed, teams will be accessing corporate networks, portals, and cloud services from multiple locations. All of this adds cyber risk if devices, software, and systems are not properly secured.
For André Martin, Co-Managing Partner at Mann Lawyers LLP, this exponentially increased the need for continual, advanced cyber security. With offices in Ottawa and Perth, Ontario, the firm provides a broad range of legal services and uses threat monitoring, detection, and response to improve its defence.
“Enabling a hybrid work environment brings security risks. Because of this, we have been especially vigilant about best security practices and proactive defence measures like threat monitoring,” he said. “I would be in a constant state of panic if not for the powerful protection we have in place.”
The definitive cyber security guide for law firms: Top tips to protect your practice
Learn more about the biggest cyber attacks on your law firm, plus what experts say are the best practices to strengthen your defence.
The number of attacks are increasing
Cyber criminals are attacking with more aggression, sophistication, and tenacity than ever before. They’re now targeting businesses of all sizes and industries—and there are three main reasons why:
- Automation. Threat actors are doing far less manual work. Instead, they are often turning to automated tools to execute attacks or outsourcing the work to someone else completely.
- Scale. It’s no longer just large businesses at risk. Hacking requires far less effort, skill, and time than before, allowing nearly anyone to execute large-scale attacks against more victims.
- Motive. Cyber crime can be a lucrative business. Hackers can make quick money by selling data—such as private client information and IP—or extorting victims for ransom.
Cyber attacks can be financially devastating
Losing access to case files results in fewer billable hours, immediately affecting your legal firm’s bottom line—but operational downtime isn’t the only financial repercussion. A 2021 report analyzing security breaches in nearly 90 countries found that victim organizations pay between:
- $250 and $985,000 for business email compromise (BEC)
- $148 and $1,600,000 for a data breach
- $70 and $1,200,000 for a ransomware attack
Between documenting the attack, responding to it, and repairing and improving your defences, costs add up fast—even quicker if you need consultants to carry out the work. If it’s a ransomware attack and you decide to pay, tack on another $150,000 or so.
In total, the cost of a data breach rose 10% over five years to an average of $3.86 million in 2020. However, that’s not where the financial losses end.
One breach can devastate a firm’s integrity
Trust is everything in the legal industry. Even a single cyber security incident can damage important client relationships, impact firm credibility, and devalue years of hard work, especially if the attack goes public and compromises client data.
After a data breach, existing clients may begin to look elsewhere for legal representation. Worse, they may file a malpractice lawsuit if you didn’t make a reasonable effort to secure their privileged information.
Plus, negative publicity could tarnish a legal firm’s name and reputation. Without public trust, it may be hard to acquire new clients or turn a profit if you plan to eventually sell your practice.
Clients care about your cyber security efforts
Cyber security is becoming a higher priority—and rightfully so. People are starting to consider an organization’s defence measures before sharing their confidential information.
In fact, the EY Global Consumer Privacy Survey found that the biggest concern for consumers sharing their personal data is secure collection and storage.
Prospective clients may soon ask about your legal firm’s incident response plan, threat monitoring and detection software, cyber insurance policy, data breach history, and access permissions. They may want to know whether you comply with data privacy regulations or follow certain frameworks before signing on.
How you answer these questions could mean the difference between signing a major client and losing out on the opportunity. Proactively building strong cyber security gives your firm a leg up on the competition.
There may be legal or ethical requirements
Cyber security regulations are heating up across every industry and nation. Depending on where your office and clients are, you may be governed by one or more data privacy laws. If you’re not sure which regulations apply to your firm, your bar association should be able to help. Common regulations include:
- The General Data Protection Regulation (GDPR)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The California Consumer Privacy Act (CCPA)
- The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
If found non-compliant, you could face six-figure fines and prosecution.
Your legal firm may also be ethically bound to take cyber security seriously. For example, the American Bar Association (ABA) states that attorneys should make reasonable efforts to protect sensitive client data from unauthorized access. Failure to do so may be seen as a conduct violation, providing grounds for victims to file malpractice lawsuits.
Cyber insurance isn't enough
A growing number of legal firms are using cyber security insurance to mitigate risk. Insurance is a necessary addition to any defence program, but typically as a last resort alongside other security measures.
Unfortunately, insurance offers little protection from an actual cyber attack. Despite premiums rising substantially in recent years, a policy won’t stop a threat actor from targeting your practice, nor does it guarantee reimbursement after an incident.
In March 2021, the New York Department of Financial Services recommended that cyber insurers stop paying ransom since doing so could encourage similar attacks in the future. Two months later, one of Europe’s top cyber security insurance providers stopped reimbursing clients for ransom payments.
Boosting your cyber security can be easy
Cyber security is always changing—new threats, technology, and risks—making it a daunting topic. But improving your defence can be easy by taking a few critical steps.
Start with cyber security education
The first step is to educate attorneys, office staff, third parties, and even clients about cyber security. Don’t assume everyone knows how to spot a malicious email or uses a password manager to create unique passwords for every account.
Our 2022 Employee Cyber Security Handbook is a great learning tool—it’s comprehensive, free, and covers all the basics.
Follow cyber security best practices
The second step is to follow cyber security best practices. Be sure access permissions are correct: only those who need access to case files get it. Keep all software and hardware updated.
Continue focusing on cyber security as your firm considers a return-to-office or hybrid work environment. Establish an incident response plan to rely on if an incident happens.
Implement a cyber security solution
The third is to choose a holistic cyber security solution. This approach ensures you get complete visibility of the full IT environment—including networks, cloud services, devices, and remote workers—and the confidence that your legal firm is secure.