Risk vs Resilience – Benchmarking Cyber Security in the Law Sector

Written by: David Henderson on Nov 06, 2023

With an estimated £43.9 billion of revenue generated across the UK legal sector, it’s quickly becoming an attractive market for cyber criminals seeking to exploit common gaps in cyber security.

In a recent SRA (Solicitors Regulation Authority) survey, 75% (30) of law firms reported that they had previously been the target of a cyber attack. Furthermore, 76% of these affected firms reported a combined theft of more than £4m of client funds. And although not every cyber attack on a firm resulted in financial loss, the reputational impact can be long lasting and more difficult to recover from.

(Source - https://www.sra.org.uk/sra/research-publications/cyber-security/)

The threat to the law sector continues to grow, driven in part by a shift in strategy by cyber criminals. Malicious actors are diverting their efforts away from multinational organisations that possess advanced cyber security capabilities to smaller entities with security gaps that are significantly easier to exploit. Given the sensitivity of the data held by law firms, combined with access to significant pots of client funds, this presents an appetising market for criminal entities.

In any industry, cyber security can be a difficult metric to measure. So, as a law firm, how can you accurately benchmark risk vs resilience?

Identifying risk doesn’t need to be a negative experience. In fact, it can be turned into a positive driver in your law firm and something that helps build trust among your clients.

For the team at Vertical Structure, it all begins with continual investment, and not just in a financial sense. This investment can come in many shapes and forms, with one of the most important being cyber awareness.

It goes without saying that the more awareness you possess, the better placed you are to avoid falling victim to cyber threats. But where do you start?

Cyber Security Culture

Cultural change is one of the most effective methods of building awareness across an organisation. It also happens to be free. Given that most data breaches involve an element of human error, building a cyber culture within teams should be a priority in your journey to becoming more aware as an organisation. This doesn’t mean training every member of your team to become a cyber security expert; it simply means opening regular and transparent dialogue about the real threats to your business and the potential impact should you be compromised.

For example, talk about the phishing emails you receive as a company, making staff aware of their existence and that they are indeed malicious. Add cyber security as a topic in your board and team meetings and discuss the challenges as a group. Talk about the potential scenarios and how you would respond should you be subject to a ransomware demand. Activities such as these will help you advocate healthy cyber security practices within your team and build awareness as a by-product.

However, cultural change isn’t enough on its own. It’s important to implement further proactive measures that help build awareness and physical security for your data and funds. The following measures are great practices for law firms seeking to benchmark their cyber security and build upon it.

Staff Training

How can you protect against threats if you don’t know where or what they are? Regular cyber training for your staff offers a glimpse of your business through the eyes of a bad actor. It not only builds awareness but also demonstrates industry best practices for mitigating threats. It’s a quick and effective way for your staff to bring their new knowledge back into your workplace and identify weaknesses within your existing security.

Cyber Clinics

One-to-one sessions with seasoned security consultants are an incredibly efficient method to identify the most critical gaps in your security. They act as a gap analysis tool to highlight and prioritise areas for improvement, including the risk they present to your organisation.

Cyber Essentials and Cyber Essentials Plus

The National Cyber Security Centre’s initiative to help UK businesses improve their cyber security has been a hugely successful scheme, particularly for law firms in Northern Ireland. As a certification, it not only conducts a gap analysis but requires you to meet the minimum security requirements outlined in the standard. This not only gives you peace of mind knowing that you’re protected against the most common forms of cyber attack, but also demonstrates to your customers the measures you’re taking to safeguard their data and funds.

“Performing regular activities that help identify gaps in your security is an incredibly powerful way to measure your overall cyber security posture. It’s not about picking out what’s going terribly wrong and apportioning blame, but more about finding where your benchmark is and how to improve on it. Doing this regularly allows businesses to adopt positive cultural change, continually improve, and match the rapidly changing threats we see every day.”

Simon Whittaker, CEO at Vertical Structure
