Updated: Aug 23
Many of our legal clients ask us how they can de-risk or mitigate cyber threats. It is an important question, and certainly one that needs to be addressed given the high-risk nature of this profession. Law firms are keepers of valuable and highly lucrative information which, in the wrong hands, could be destructive for the firm and/or for its clients. The risk-versus-reward calculation a cybercriminal performs therefore often leads to the conclusion that a minimally protected legal firm is a perfect target. The data supports this. According to a survey conducted by the American Bar Association, 26% of respondents experienced a security breach in 2019. Additionally, 19% of respondents reported that they do not know whether their firm has ever experienced a breach. Ignorance, in this profession, is a far cry from bliss, since the duty of care holds practitioners to high standards.
In other articles we cover cyber threat management, but this seems like the right place to reframe the discussion. The risk is not “cyber risk”. It is a business risk that exists because of cyber threats. Understanding it as a business risk allows us to apply established risk-management frameworks to the cyber threats specific to a given firm. So, which business risks could emerge post-breach?
Cyber attacks come in various shapes and colours, but all share a similar goal: stealing valuable information and/or hindering your ability to operate. While the attack type may vary, the consequences in this respect will not. Existing clients and prospects could lose trust in your organisation and its ability to be a confidant and keeper of sensitive information. Moreover, the ramifications of a breach could spill over and damage your credibility and reputation as a legal professional. In our opinion, given the competitive legal landscape, loss of reputation is one of the most serious threats a law firm faces.
Privileged client information leakage
Lawyers’ work involves managing confidential client information. Legal firms are privy to the most sensitive of information: financials, intellectual property, commercial details, material risks, and so forth. A legal practice that suffers a cyber-attack resulting in the leakage of privileged client information can expect multiple consequences, such as client departures, litigation, bar association disciplinary measures, and more.
Financial damage to the firm/firm’s clients
There are multiple types of financially motivated cyber-attacks. The attacker inserts themselves into part of the payment process and fraudulently redirects the clients’ or the firm’s funds to rogue bank accounts. The level of sophistication is so high today that, most of the time, those funds are not recoverable. This is especially noticeable in small to medium-sized organisations, mainly because such firms usually invest less in protecting themselves against cybercrime or lack the knowledge to properly analyse and address the risks.
Compromised communication channels
Secure communication channels are a key enabler of normal business conduct for any attorney today. Unfortunately, we often see poor cyber hygiene and awareness, which results in the communication channels used by attorneys (voice, data, and applications on desktop and mobile) being compromised. Beyond giving an unauthorised third party a foothold and access to all privileged information, compromised communication channels can mean losing your competitive edge and the element of surprise in a court case, for example. Ever felt like the other side is always a step or two ahead?
Impact on productivity
Many are familiar with the word ransomware, but from our experience, few understand what it means in practice or the impact it has. Imagine waking up one morning, sitting at your desk, and finding your computer locked. You can’t access it, and you are not the only one: neither can any of your colleagues in the firm. The outcome? Everything is put on hold and the firm freezes operations (think billable hours) while trying to remedy the issue. If you or your firm invested proactively in cyber defence, you might be able to resume operations in a day, two, or three. Less cyber-ready firms, unfortunately, spend weeks operating at 70%-80% below normal productivity levels and then struggle for weeks, if not months, to recover.
The cyber threat to legal firms is real and, according to the data, imminent. Cyber attackers are constantly evolving the ways in which they penetrate organisations and cause damage. It is important not to treat cyber risk as an “IT problem” but as a business risk that can result in serious problems, including threatening the firm as a going concern, as detailed above.
Legal firms operate in an elevated risk environment because they draw attention to both their own and their clients’ accounts. We have seen cases where the breach of a legal firm was merely collateral damage: the true target was a client with better cyber protection, and the firm was the weaker path to it.
How protected are you? If you cannot easily answer this question, it is time to assess your cyber posture in order to protect your business. Don’t let years of hard work disappear overnight.