• Only a third have read industry guidance on how to deal with a cyberattack
• Minority of firms updated security training to address new services and ways of working

New research among 150 legal professionals in the UK published today suggests that the risk of cyberattacks is a growing concern for most law firms, although there is a worrying minority that is still complacent about the risks.

The survey conducted by IRN Research and commissioned by Menlo Security, a leader in cloud security, found that respondents are most concerned about the impact to a company’s reputation as a result of a cyberattack, with 92% admitting it could be damaging or very damaging. There are also concerns about a firm’s inability to continue operating (90%) and the risk of data loss (87%).

According to the survey, more than three-quarters (77%) switched to remote working during the pandemic, and 56% of those are in law firms that have changed or updated their cybersecurity measures to deal with this. Only a minority (45%) of these firms have updated their cybersecurity training to address new ways of working, leaving possible gaps in employee training and awareness. 

In addition, just under half (47%) of firms introduced more digital services for clients during the pandemic. Of those launching additional services, 77% updated their cybersecurity measures as a result. However, only 47% offered additional security training corresponding to the new services.

Worth around £37 billion, the UK legal market is an attractive target for cybercriminals due to the large quantities of confidential information, financial documents and highly sensitive client data that law firms handle and process. According to IBM’s Cost of a Data Breach Report 2021, the average cost worldwide of a data breach for professional services organisations was $4.65 million.

A quarter (26%) of legal professionals work in a law firm that has experienced a cyberattack. A third of these respondents say the attack closed services and operations for a few hours, but nearly one in five (18%) experienced delays of one or more days. The majority of firms (57%) have procedures in place to deal with an attack, leaving a sizeable minority (43%) that are not fully prepared.

Published industry guidance not acted on

In the last 18 months, both the Solicitors Regulation Authority (SRA) and The Law Society have published guidance notes on cybersecurity, with advice for law firms on how to develop their policies and procedures accordingly. The SRA also opened a consultation with its law firms to ask for feedback on plans to clarify the scope of cover in professional indemnity policies when a firm is subject to a cyberattack, the results of which were published last October.

More than six in 10 (64%) are aware of the SRA guidance and two-thirds aware of the consultation, but only 35% have read the guidance, and 41% the consultation documents. In terms of The Law Society guidance, just over half (54%) are aware of it, but only a third have actually read it.

“It’s interesting to see how different industry sectors manage security threats,” comments Mike East, VP Sales EMEA at Menlo Security. “We expect the legal profession to be prepared and well organised to deal with cyberattacks, given the extremely sensitive nature of their work and the fact that increasingly, legal documents are being created, collaborated on, and shared online.

“What’s clear is that the transition to new ways of working – and the fact that legal professionals are often dealing with multiple parties – makes them a serious, and often easy, target for cyber criminals. Menlo Security recently highlighted the growth in HEAT (Highly Evasive Adaptive Threats) attacks, largely a result of hybrid and remote working with employees spending much of their working day in the browser accessing cloud applications. HEAT techniques are often used by attackers to bypass a company’s traditional network security solutions and infiltrate networks.”

He adds: “While the legal industry is taking action to address the challenges with guidance and advice, it’s concerning that more are not acting on it. At the very least, law firms should be updating their policies and procedures, training staff, and looking at gaps in their security stack to address the potential risks of remote and hybrid working.”

Additional survey findings:

• Almost three-quarters (74%) of respondents see phishing emails to clients as either “threats” or “significant threats” to the legal services sector overall, while 60% give a similar threat level for these phishing emails when it comes to their own law firm.
• In general, cybersecurity issues are seen as more of a threat to the legal services sector overall compared to their own law firm. The exception is mobile phone-related security threats, with 60% seeing these as “threats” or “significant threats” in their own law firm compared to 54% for the legal services sector overall.
• Ransomware and malware on websites are seen as less of a threat for the legal services sector by a third of respondents. Malware on websites and ransomware are considered even less of a threat to specific law firms – 37% and 35% respectively.
• More than a third (37%) suggest that their firm’s cybersecurity measures have had an impact on their productivity, but around half (51%) feel that there has been no impact.
• One third of respondents feel “responsible” for identifying and reporting a cyber threat while 28% feel “very responsible”. Almost 1 in 5 (19%) believe it is not their responsibility to identify and report these threats.
• Just over half (52%) work in a firm where there is a dedicated person to deal with cybersecurity, but in 38% of firms, there is no dedicated resource.