
40%+ of legal practices didn't update their cyber security policies to include remote working

  • sysadmin311
  • Oct 11, 2021
  • 3 min read

Can you remember the last time your law firm's cyber security policy was updated or when you last received cyber security training? Worryingly, a survey of 3,500 companies by software provider Access Legal found that over 40% of practices have not fully updated their cyber security policies since moving to remote working in March last year.

At the start of lockdown, the Solicitors Regulation Authority warned of the cyber security risks of homeworking, publishing extensive guidance for firms. Over the last 18 months, all businesses, including law firms, had to make huge changes to move operations from physical premises to remote working, enabling lawyers and staff to work effectively from home.


Firms were warned that, with such changes taking place, due diligence must be carried out as normal. If they failed to do so, they would risk breaching their regulatory duties and also risk a cyber attack.


Specialists also warned firms that cyber criminals are becoming increasingly sophisticated and targeted. In one case involving a law firm target, criminals attempted to create a standing order for £4,000 a month from the firm’s client account.


Other attacks could come in the form of cyber criminals taking advantage of remote workers using their home Wi-Fi and using personal devices for large volumes of legal and other work that they would not normally do. There is also the risk of being overlooked, of web cams and cameras being hacked, and of Zoom meeting interlopers.


Many solicitors’ firms believe that because they have an IT company providing support, they have adequate protection. However, IT support is not the same thing as cyber resilience. IT professionals can implement new technology to help an organisation grow, including improving communications and facilitating the sharing of information, while cyber security is about protecting electronic data, with safeguards against network intrusions.


Supplying a legal firm's supply chain

Recently, cyber criminals appear to be targeting barristers' chambers. Clients usually vet their supply chain for cyber weakness, but these attacks are forcing the bars to review the security of their own instructed barristers, especially when individual cases are particularly sensitive or carry high monetary value.


The Bar Council said the attacks ‘should act as a wake-up call for everyone to check the security of their information networks and that their critical business interruption plans are up to date and effective. This is particularly the case where so many barristers continue to work from home. It is not only chambers’ systems but home systems which are vulnerable to attack.’


How can The Cyber Resilience Centre for the South East help your practice?

The SECRC provides guidance to businesses in the Eastern region with the aim of increasing their cyber resilience. Our free membership gives businesses a weekly email about one specific aspect of cyber resilience that they may want to consider implementing, as well as a monthly newsletter about the key trends within the region.


For those wishing to up the level of financial investment into cyber security, the SECRC also offers additional, affordable solutions through our student services team which is led by top university talent who are supported by seasoned cyber experts. One of those is our Cyber Security Policy Review.


A business’s cyber security policy is key in minimising the threats posed by cybercrime. The policy helps clearly outline the guidelines for a business’s physical and digital cyber security.


A cyber security policy should be easy for the whole business to follow and for senior managers to enforce. Each policy can be tiered to support the needs and size of the business in question.


Our Cyber Security Policy review will dive into your current security policy, looking at how it is written and how it is implemented. We use key elements of the international information security management systems standard, ‘ISO/IEC 27001:2013’ as a model for security policy reviews to identify any gaps, and to ensure that policy, procedure and technical controls implemented by your organisation are based on coherent risk management.


A Scottish university purchased 100 USB devices via an online auction site, and when they received the devices it was discovered that over 75,000 files remained on them. These files included tax returns, contracts and bank statements, which are all forms of confidential and sensitive data. This data being retrievable could have led to multiple cyber-attacks taking place, and the recovered files could have been used to access any accounts linked to the sellers if the passwords were still valid.


This is an example of where a cyber security policy could have helped to prevent a cyber incident as the policy would have detailed exactly how to wipe files and data from pre-used devices.

If you’d like to know more about how to protect your business or to speak with us about other cyber security services we offer, please drop us a line to arrange a 30-minute chat.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of the South East Cyber Resilience Centre is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect the most recent legislation, practice, or application to your circumstances. The South East Cyber Resilience Centre provides affordable services and Cyber Essential Partners if you need specific support. For specific questions please contact us at enquiries@secrc.police.uk.  The South East Cyber Resilience Centre does not accept any responsibility for any loss that may arise from reliance on information or materials published on this website.  It is not responsible for the content of external internet sites that link to this site or which are linked from it.

© 2022 - 2025 The South East Cyber Resilience Centre

Registered in England & Wales, No. 13263448 
