Mark Belgrove, Head of Cyber Consultancy at Exponential-e, explains why law firms need to take back control of their data.
Cyber threats are not new to the legal sector, but the speed at which they are evolving is causing problems for every industry. Today, ransomware, and in particular the Maze operation, which steals data as well as encrypting it, presents one of the most serious threats the sector faces. When a firm is hit by Maze, its data is encrypted and also exfiltrated, so the criminals retain a copy of it. For many firms this has led to a double extortion: paying both for the decryption key and for the stolen copy not to be published. This is a crippling financial prospect, and even a paid-for promise to delete the copy cannot be verified.
I have even known a lawyer to walk into court with his case file prepared on a mobile device, only to find it had been encrypted and rendered inaccessible by a ransomware attack just as he was about to present his case. This put the case on hold and ultimately delayed the course of justice.
Many law firms are now facing rising demands from clients to demonstrate that they are cyber secure. This is particularly true of government contracts, which require suppliers to hold Cyber Essentials certification as a minimum; Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber-attacks. Many firms have also been told they need ISO 27001 certification, the international standard for an information security management system, which shows that a firm follows recognised good practice for information security. These demands, together with the challenges the pandemic has presented and, over the longer term, the implementation of GDPR, have forced firms to recognise the importance of data governance.
Version history nightmare
Before COVID, many businesses in the legal sector were only prepared for around 50% of the workforce to work from home at any given time. So when lockdown was imposed, there was a rapid transition to a new remote-working model. It was what I like to call a “Blue Peter moment”: one in which firms simply put duct tape over the obvious cracks in their IT infrastructure so that IT could meet the short-term demands of the business. But this behaviour compromised the safety of the sector’s data in two specific ways.
Firstly, lawyers began downloading files and working on them offline at home, while neglecting to upload the revised versions. This has created a huge version-control problem for important case files, one that is proving extremely time-consuming to resolve and disruptive to numerous cases.
Secondly, there is data disclosure. Because many lawyers were given poor home-working equipment, they downloaded data and files onto personal devices, which lack enterprise-level security controls and are therefore easier targets for cybercriminals.
Firms are therefore realising that they need better data controls in place to prevent these issues from becoming problems again in the future and ensure hybrid working models can be made a success in the industry.
GDPR limbo land
A longer-standing issue for legal firms is complying with GDPR, which they are required to do by law. It is a necessary evil that requires strict data controls: firms must build an inventory of the personal data they are responsible for, from which they can identify, label and search it.
One of the key problems is that, three years on from its introduction, many law firms still do not realise they need to comply with GDPR. Some do not realise that much of the data they hold on high-net-worth or celebrity clients is classed as personal data, and as a result are not yet compliant. Many others are struggling to become compliant simply because of the difficulty of identifying and securing all of their data.
There are two key reasons for this. Firstly, most firms and their employees previously did not have to worry about the data they held or how long they retained it, so hard copies are still lying around on shelves and in storage. Secondly, many firms still work from legacy databases that cannot be searched and are very complex to modernise; rather than invest in fixing these legacy systems, they often prefer to build new ones alongside them.
This leaves them in a sort of ’compliance limbo’: halfway to compliance, but still in breach of GDPR requirements because of the difficulty of navigating their insecure legacy environments.
Work with a partner, not just a provider
IT partners have the direct experience and skills needed to help legal firms adopt the data controls and security processes they need to meet compliance requirements. But if you are considering external support in navigating this challenge, it is critical to choose a partner, and not just a managed security service provider (MSSP). Some firms have made the mistake of signing up with providers rather than partners, and found that they cannot offer the same consultancy and guidance: they simply do what the contract says. A genuine partnership should be a two-way street in which each side looks after the other and communicates effectively.
Cyber as the new battleground
Embarking on data transformation and discovery projects led and supported by expert partners will be vital if law firms are to succeed in the new digital, hybrid-working age. They must act now to prevent the shortcuts taken during the pandemic from becoming long-term vulnerabilities, as cyber security and data protection emerge as a competitive battleground for legal firms all over the world.