Alan Pritchard, Principal Consultant, FarrPoint
A data breach is the unintended disclosure of private data. For some, this means clients’ personal details; for others, it is a leak of critical data about a major acquisition or merger. Every hour approximately 157,154 records are stolen or leaked into the public domain and the cost of a data breach has risen 29% since 2013, with an average cost per incident of $4M in 2016*.
Stricter fines are to be imposed by the EU, via the General Data Protection Regulation, on all companies that hold data regarding EU citizens. Fines can reach up to 4% of the previous year’s profit, or €20M, following a data breach. Although most publicised victims are banks and ecommerce giants, the services industry comes closely behind in volume and size of breaches, so perhaps it’s a timely reminder for the legal sector to ensure their house is in order.
Legal firms can be particularly prone to “phishing” as hackers seek to gain influence by posing as an employee or client of a business to intercept financial transactions. The sector deals in substantial and sensitive monetary trades each day with correspondence on purchases and property disposals being commonplace. If instructions can be intercepted and details amended by a malicious third party, the financial and reputational fallout for firms can be significant.
Firms can also be targeted in ransomware attacks, where IT systems and data are encrypted and the business held to ransom for the key. Similarly, recent highly publicised ‘distributed denial of service’ attacks saw businesses blocked from the Internet until a payment was made.
From an organisational and governance perspective, most legal firms have a partnership structure. Firms tend to have well-established and traditional ways of working so it is perhaps understandable that updates to IT systems and technology are not always prioritised.
However, change is coming. Adoption of innovative tech in the sector will be driven by new legislation and compliance requirements. Legal firms hold sensitive information that must have demonstrable levels of protection before business can be done. These requirements are only going to become more onerous.
New staff entrants are tech-savvy and will expect higher levels of user experience, automation and accessibility. Security will also become a major factor for clients choosing a business partner, and they will be well versed in the risks and possible outcomes of a breach. On-site data audits are becoming more commonplace and need to be adequately addressed. Price is also a consideration for clients and smart use of tech can make for more efficient service delivery in an increasingly competitive environment.
What can legal firms do to make sure they are not compromised, and how can they keep up as technology and security adapt and evolve?
Firstly, they should get their house in order. Undertake a review of systems and processes, do basic cyber housekeeping, and understand how things currently work. An action plan can then be put into effect to improve, reinforce and, if necessary, obtain cyber accreditations.
Once the network and technology are in a strong, secure position, the organisation will have firm foundations to develop and exploit digital innovations. Key systems for legal companies are document management, email and client billing. Significant productivity improvements can be achieved when tech is implemented or enhanced in these areas.
The way forward for legal companies is to adopt technology that has benefitted other sectors, such as storing data in the cloud. Security at off-site data centres has advanced to such a level that it would be very difficult to replicate in-house. Looking at financial transactions and billing, evolving technology such as blockchain aims to provide additional peace of mind around secure transactions.
In our experience, whilst legal firms do utilise tech and are aware that risks are out there, they need to raise the bar around IT security and ensure they continue to adopt good practices.
*2016 Cost of Data Breach Study: Global Analysis, IBM