UK law firms feeling pressure to prioritise business continuity over cybersecurity


The never-ending fragmentation of IT, driven by the rapid and constant evolution of Legal Tech, is causing huge cyber defence issues for UK legal firms, according to a new report from Managed Threat Detection & Response Provider, e2e-assure. The complexity in defence is exacerbated by the rise of the “citizen developer” in the legal sector, where technology is being put in the hands of those who feel the pressure to prioritise task optimisation and business continuity over security.

The report’s insights were gathered from CISOs (Chief Information Security Officers) and IT Managers in the UK 200Group, which is the UK’s leading professional services group of independent quality assured chartered accountancy and law firms. Members of this group shared their thoughts under Chatham House Rules at the 2024 British Legal Tech Forum in London, during a roundtable discussion hosted by e2e-assure’s CEO Rob Demain and Andrew Rose, 2018’s European CISO of the Year.

The roundtable was held as part of e2e-assure’s work to understand the challenges CISOs are facing across industry sectors in the UK. Its drill down into the Legal sector follows the release of its Threat Detection for Professional Services report, which asked questions of 115 CISOs and cyber security decision makers within Professional Services companies, including legal firms, with between 500 and 5000 employees. The report revealed that 77% had been victims of a cyber attack. A significant 69% said their current cyber security team was underperforming, and there was room for improvement.

The legal report, entitled ‘Are UK Law Firms a victim of cyber threats or underperforming SOC methods’, dives deep into the impact on defence of new technology, such as AI and BYOD, and of the difficulty of tracking who has access to data. CISOs from the UK 200 spoke about staff using technology without using the proper security, permissions, or training. This is often due to the great deal of pressure felt by lawyers to give clients access to shared team environments, using their own permissions, which leads to oversharing and causes vulnerabilities.

The report also unveils the friction across the legal supply chain, between small and larger firms, and between firms and their clients or suppliers, driven by the difference in access to technology and the level of security in place. One attendee spoke of “getting massive pushback from clients” because “not everyone has authenticators.” Another spoke of resistance on the “usability” of methods such as number matching.

Another challenge uncovered by e2e-assure was the necessity to monitor environments 24/7 in the legal sector, which operates well outside the 9-5 and where major deals can take place at any moment. The report covers one of the challenges of this for lawyers under pressure to close a big deal – that access to certain files could be cut off while a potential threat is investigated – kicking the user off and delaying completion.

The collective thoughts gathered for the report reflect that CISOs in the legal sector agree it’s better to “disrupt one deal than the whole company,” when it comes to a cyber attack.

The report offers e2e-assure’s advice around immediate steps that can be taken by legal firms, supporting them to face up to the reality of today’s cyber threats.

Rob Demain, CEO, e2e-assure, concludes: “The worst-case scenario is if an attacker breaks into an organisation’s environment, rather than a deal being put on pause before it can close. A successful cyber attack could lead to six to nine months of major issues, potentially even causing a firm to go out of business. By working with the right provider, CISOs and IT Managers can upskill their organisation and make sure it’s ready to face the realities of today’s cyber landscape – which calls for immediate action in the face of a potential attack. The right provider will help both staff and clients of legal organisations understand that a little disruption is ok, but a major disruption isn’t.”
