Security tech and law firms: Don't just do it!
The shiny allure of technology is so enticing and the siren’s call, “Just buy this thing and all your pain will go away”, is almost irresistible.
With the proper approach, various technologies really can help firms to manage their level of risk by offering capabilities such as automated real-time threat detection, intrusion prevention, and response mechanisms, allowing firms to proactively protect their clients’ data and their own reputation. But, before you whip out the credit card, it’s important to step back and take a deep breath.
Siiiiigh!
Now (mind cleared and sales-excitement banished) consider two points:
1) Firstly, has your firm developed an initial set of prioritised, risk-based, cyber security requirements?
2) Secondly, does the technology that you are considering fit in with and address those requirements?
So, you’ve confidently answered ‘yes’ to those two questions, right? Well, then you must have read this article, and so you’re definitely on the right track! You’ve done your homework, completed a risk assessment, and used that to figure out your priorities. That’s the way to do it! Now, you can invest in technology with a clear conscience and confidence, knowing you’ve made decisions based on solid groundwork.
Cyber tech can assist and some tech will almost certainly be required in order to secure most law firms; but even so, don’t just rush for tech! Instead, develop a prioritised set of risk-based requirements, and then select the most cost-effective tech that meets those requirements. This approach will ensure that your firm allocates resources strategically, focusing on the most critical security threats and vulnerabilities specific to its operations.
Why does cyber security remain a significant risk?
Cyber security remains a significant risk for some law firms for a couple of reasons.
Firstly, law firms are an attractive target and the size of the firm doesn’t really matter. In 2023, the Cl0p group breached Kirkland & Ellis, K&L Gates, and Proskauer Rose in the US. In Australia we continue to read about HWLE’s 2023 breach, most recently in the Feb 21 announcement that the OAIC “has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023.” And there was the interesting Nov 27 update in the AFR that, “Russian hacking group LockBit has removed a listing threatening to release data stolen from law firm Allen & Overy, in a sign the parties may be negotiating a ransom payment.”
Secondly, cost is an important consideration, especially for boutique and SME firms that do not generally have the budgets available to larger firms. There is also a perception that, due to budget constraints, smaller firms are a more attractive target for cybercriminals, and various online publications back this up. For example, one report citing the American Bar Association stated that while 20% of survey respondents (law firms in the US) overall reported having been breached, in firms with 10-49 attorneys this figure was nearly twice as large, at 35%.
As outlined above, effective security measures can only be successful if we first establish an initial set of prioritised, risk-based requirements. This risk assessment will guide law firms in understanding their specific vulnerabilities and threats, allowing them to allocate sometimes-scarce resources wisely.
With this foundation in place, law firms can then invest in the necessary technology and expertise to protect their client confidentiality effectively, as well as adapt to the evolving landscape of cyber threats.
Are you saying I need to be an IT expert as well?
No, here’s the thing. You don’t need to be a cybersecurity expert to run a law firm. Law firm owners and partners do not (in general) have the time to become cyber security practitioners. And that’s fine as long as owners and partners have enough of an overview to be able to engage with experienced and pragmatic practitioners to understand how technology aligns with their initial set of prioritised, risk-based requirements.
And to detect the smell of bull when they are being fed tech for its own sake.
Partners, directors and owners who are serious about managing their organisation’s risks will be seen raising the security bar and leading by example, because only they have the authority to set the cybersecurity direction for their organisations. By understanding cyber risk (perhaps with the assistance of subject matter experts), partners, directors and owners can communicate the importance of cyber security to their staff, fostering a culture of security consciousness that aligns with the identified risks.
In the end, it’s about protecting your clients’ data, preserving your firm’s reputation, and meeting your obligations as a business owner. And that, my friends, is a job worth doing right.