SECURING THE LAW FIRM
5th July 2022 • Park Plaza Victoria, London, UK
Cybersecurity and privacy for virtual working processes
For legal firms, remote and hybrid working is here to stay. Are we really ready?
Costs versus risks – a difficult conversation?
In its annual top-100 survey of UK law firms, PwC said 90% were “extremely or somewhat concerned” about the impact of cyber threats on their ability to achieve their ambitions over the next 12 months, even though only 4% had experienced a ransomware attack – the commonest attack type – and none of the firms affected were in the top 50.
In three-quarters of cases, cyber-attacks were the result of “unintentional actions taken by staff” rather than “malicious actions by staff” (2%). In almost all the other cases, firms said they did not know what caused the attack.
“The increase in remote working as a result of Covid-19 has made it increasingly complex to understand which employees pose an enhanced threat,” PwC said. “Law firm cyber leaders should gain a better understanding of human behaviour demonstrated by their employees to make a difference to security culture.”
Most law firms will have had some level of remote working before the pandemic, and many say that, after the initial shock of extreme lockdowns, the adaptations they required to security processes were reasonably straightforward and have been implemented. But as we move into a period in which a significant proportion of employees prefer to work at least partly at home, is it really true that the inherent cybersecurity risk has stayed the same?
At the same time, though, the PwC report incidentally highlights the relatively low level of realised cyber-risk relative to the fear of attack. This gap creates a difficult problem for senior management. A recently revealed cyberattack on the UK’s Foreign, Commonwealth & Development Office (FCDO) cost £467,325.60 for “business analyst and technical architect support to analyse an authority cyber security incident”, work that concluded on 12 January 2022.
For most organisations spending that amount of money on one incident would be at best annoying and at worst unaffordable, particularly if they were already paying for a security stack, external pen testing, consultancy and everything else that goes with maintaining effective cybersecurity.
So if law firms are avoiding material attacks with current levels of spending, what is the evidence that they need to do more?