In March 2016, research by AXELOS revealed that despite processing a lot of sensitive data, law firms in the UK were highly vulnerable to cyber-attacks due to a lack of appropriate cyber resilience strategies.
“For the legal sector to have effective cyber resilience it needs a two-pronged plan of action in adopting best practice,” said AXELOS head of cyber resilience Nick Wilding.
“First, they [law firms] need to assess how they can harden their networks against their critical vulnerabilities, and secondly, they need to educate their people through ongoing, engaging and practical cyber awareness learning. This is the best way to ensure the sector is fully prepared to protect its clients’ most valuable information.”
Even though Matt Torrens, the author of the research paper and a legal IT veteran himself, warned leading law firms in the country about their cyber vulnerabilities, it later turned out that no one was listening. In the 18 months that followed, law firms across the UK lost a combined £85 million to cyber-attacks, a figure that shows such firms' cyber defences and priorities in a poor light.
In fact, towards the end of 2016, it came to light that as many as 73 of the UK's top 100 law firms were targeted by cyber-attacks, compared to just 45 in 2013-14. 84% of the 73 firms later admitted that they had been victims of phishing attacks.
Peter Wright, the founder of DigitalLawUK, says that top law firms in the UK remain vulnerable to data breaches and potential infections due to a lack of encryption of their servers and emails. At the same time, such firms' IT systems suffer from "haphazard development", lack strategic security plans and have inherent problems.
As is the case everywhere else, law firms in the UK handle potentially sensitive and highly confidential information on behalf of their clients, including details of future mergers, market strategies, board communications and succession plans.
As such, any breach of their systems can land such confidential data in the hands of unintended, sometimes malicious, recipients. It is thus important for law firms to ensure their employees are cyber-aware at all times and do not fall victim to phishing and spoofing attacks that arrive by email.
“You can see a big reputational threat to law firms on the wrong end of these data breach incidents. If you are a major law firm, the ability to ensure your clients’ data is kept confidential is absolutely key to your standing,” said Patrick Hill, a partner at DAC Beachcroft.