Essential Cyber Security for Lawyers

Are you in the cyber hot seat?

With reams of sensitive personal data and transactions that involve large sums of money, the legal sector is undeniably a massive target for cyber crime. Cyber Security - A thematic review, published last year by the Solicitors Regulation Authority, reported the many costs of a cyber attack to a legal practice. Besides the obvious financial loss for both clients and practice (a loss of £4m of client funds from 23 firms), a breach causes huge stress and damage to client relationships, increased insurance premiums and many indirect financial costs. For example, one firm lost around £150,000 worth of billable hours following an attack which crippled their system. PwC research showed that cyber security remains a key challenge for law firms and the sector is increasingly being targeted as firms hold both a wealth of sensitive data and large amounts of client money. Cyber risk was deemed the second greatest threat to law firms meeting and/or exceeding their ambitions, with only COVID-19 ranking higher. It has also been noted that SRA alerts for fraudulent activity are up 147% from the same period last year.

It is now widely recognised that cyber-enabled crime continues to rise in both scale and complexity, with criminals taking advantage of our increased reliance on digital technology. After nearly 18 months of remote working and more services going online, many firms are looking to adopt a hybrid work model that will allow their staff the choice of flexible working. This will mean that many professionals will work more than half of their working hours outside the security of the office network. Masters of opportunism, fraudsters can create scams overnight to take advantage of change. The Solicitors Regulation Authority reported a 300% increase in phishing scams in the first two months of lockdown alone, and every day we read about another breach or ransom attack hitting law firms. The real problem is likely to be very much larger, due to the typical under-reporting of cyber crime and the secrecy surrounding cyber breaches in the legal profession. With this in mind, it is not so much if you have a cyber breach, but when and how serious.

What is Cyber Essentials and how can it help?

The National Cyber Security Centre (a part of GCHQ) introduced the Cyber Essentials scheme as part of its mission to make the UK the safest place to do business online, and to offer businesses a simple and affordable way to tackle cyber security. IASME is the Government's Cyber Essentials partner, and responsible for delivering the scheme, with a network of over 260 Certification Bodies who are located all around the UK and Crown Dependencies. The Cyber Essentials controls help guard against the most common cyber security threats and certification demonstrates your commitment to cyber security.

Cyber Security Certification will:

Help you to take control of your cyber risk

Although many legal firms outsource their IT support to third party providers and think that will take care of the problem, it must be emphasised that cyber security is not the same as IT and is not an IT problem. No matter who is looking after your technology, cyber security remains the risk and the responsibility of the senior management within your company and should always be a high priority.

The Law Society's Lexcel Standard guidance to legal practices states, "Practices must have an information management and security policy and should be accredited against Cyber Essentials."

IASME has recently created the Cyber Essentials guide to using a third party IT provider to help you manage the responsibility of your cyber security. A comprehensive list of questions is available on the IASME website for you to download or print off and give to your third-party provider. Ask your provider to return the answers and relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements.

"Third party IT providers may look after the networks for numerous businesses and have administrative privileges to all their systems. It is vital that you are reassured of the security measures that your provider has in place to protect you and itself." Dr Emma Philpott MBE, CEO IASME.

Demonstrate your commitment to keeping client data safe

Reputation is a valuable asset and consumers are demanding evidence of a trusted, secure service provider for their sensitive data. They are increasingly aware of the threats from cyber-crime and they do not want their username/passwords compromised or their data stolen or their account hacked. Organisations need to show that they are taking cyber security seriously.

The demand for comparison websites is rising, with 30% of consumers saying that they shop around before choosing their legal services provider, and 45% that they would turn to online comparison tools to help them compare providers. Reputation continues to be the primary consideration when choosing a legal service provider. By achieving Cyber Essentials certification, you can prove your commitment to cyber security and stand out from your competitors.

Provide a level of Cyber Liability insurance

If your firm is UK-domiciled with a turnover under £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt into the included cyber liability insurance. This does not involve any additional cost or forms. The insurance cover includes a 24hr technical and legal incident response service. Professional indemnity policies that used to protect law firms if they suffered a cyber breach are now changing their terms to restrict cover due to the high number of claims. Getting certified is a straightforward way of demonstrating to your insurance company, your business associates and your customers that you take cyber security seriously and have your house in order.

Get started with the Cyber Essentials Readiness Tool

Many legal firms find they have got all of their resources tied up running the practice rather than focused on IT and cyber security. The barrier to understanding things associated with technology can also be a significant hurdle for firms in starting their essential journey into cyber security.

Until recently, much of the general cyber security information and guidance assumed a good level of IT knowledge. Firms have asked for a tool that can help them review their current level of protection and obtain targeted advice on next steps. IASME responded to this need by developing the Cyber Essentials Readiness Tool, a free online tool with basic level guidance on the five key technical controls and related topics written in 'plain English'. This tool is free of charge and accessible in the form of a set of questions on the IASME website. The process of working through the questions will inform an organisation about their own level of understanding and what aspects they need to focus on. They will be directed towards appropriate guidance and, based on their answers, be presented with a tailored action plan and detailed guidance for their next steps towards certification.

To find out more, sign up for a free webinar on Tuesday 14th September at 12 noon. Speakers will include Lindsay Petzer from Lawyer Checker, insurance expert Duncan Sutcliffe and Sarah Booth from IASME.
