The legal industry is exemplary of the drive towards digitization during the pandemic. Previously known for laborious paper-based processes and administrative practices, law firms have begun to shed their inefficiencies and evolve to thrive in a more technologically savvy world.
In truth, they have little choice. With increased competition, cost control and client expectations, it’s become a case of sink or swim for many firms, with the need in many cases for an operational overhaul.
We found this out recently in our UK Legal Services Cybersecurity Survey Research Report published in May — a survey of 150 legal professionals. Here, almost half of respondents (47%) stated that they had introduced digital services.
Be it sophisticated search tools, digital case and document management, legal CRM, cloud billing and expenses systems, or online collaboration platforms, the adoption of new technologies and innovation of legal processes has brought about significant benefits to industry players.
However, there is a less positive side to this development.
With workers now spending 75% of their work day either in a web browser or attending virtual meetings, organizations’ digital footprints have expanded drastically. But at the same time, cyberthreats have also increased both in volume and complexity.
Take Highly Evasive Adaptive Threats (HEAT), for example. Specifically designed to target web browsers as the attack vector, these attacks involve threat actors using various techniques to evade multiple layers of detection in legacy security stacks and bypass common web security measures to deliver malware or compromise credentials.
The pattern is clear: as firms digitally transform and legal professionals increasingly use their browsers, attackers are adapting to target those users directly.
This makes law firms increasingly attractive targets for threat actors, especially with many legal documents now stored, collaborated on and shared online, and containing highly sensitive (or, in the eyes of threat actors, lucrative) data.
Law firms recognize the threats, but are not responding
It’s no surprise that several high-profile data breaches and phishing scams hitting large law firms have come to light in recent times.
In response, legal industry bodies are working to address the threats. Both The Law Society and the Solicitors Regulation Authority (SRA) have published advice for law firms in developing cybersecurity policies and dealing with attacks, the latter having also opened a consultation with its law firms to ask for feedback on plans to clarify the scope of cover in professional indemnity policies when a firm is subject to a cyber event.
At the same time, the Council for Licensed Conveyancers (CLC) has explored requiring law firms to purchase standalone cyber insurance in a consultation paper in 2021 as “evolving forms of cyber-risk” become more complex.
It is evident that many law firms recognise the growing number of cyber threats facing them.
According to PWC’s latest Annual Top 100 Law Firm Survey, the top 100 UK law firms stated that cyberattacks were the biggest threat to their ambitions, with nine in 10 concerned about the impact of cyber threats to their business.
However, this concern is failing to result in any meaningful action.
When asked about the advice and guidance published by The Law Society and the SRA, our survey revealed that the majority of respondents were aware of them, but only a third had read them. Equally, little more than four in 10 had checked the consultation content from the SRA.
What was also clear from our study was that a significant proportion of firms are failing to provide employees with adequate advice and direction on security best practice despite the threats. Around half of all respondents lack confidence in the cybersecurity training that they are currently receiving.
This failure feeds into other worrying statistics. Currently, around four in 10 legal professionals do not recognise that they have a responsibility to identify and report cyber threats to their firms, while more than three in 10 do not know how to deal with phishing emails.
Sustaining the benefits of digital transformation while maximizing security
While the legal sector has been quick to embrace new applications, solutions and technologies, security has slipped down the priority list. Just over half (58%) of law firms have changed their cybersecurity measures to deal with home working, while less than half (45%) have updated their cybersecurity training to address these new ways of working.
The fact that many companies have failed to implement any meaningful change suggests that they are likely using outdated solutions that simply were not designed for the hybrid or remote working models of today. It is perhaps no surprise then that almost half (48%) of respondents from our survey are not confident about their firm being well prepared to deal with an attack.
Such attitudes need to change, of course, and security needs to be further up the priority ladder in the sector.
There are some simple steps that law firms can take to improve their defences. This starts with identifying gaps in the security stack and adopting internal policies and procedures suitable for remote and hybrid working environments to effectively address new attack vectors.
The Zero Trust principle
To further bolster browser security and mitigate the threat of HEAT attacks effectively, firms should also look to adopt the principles of Zero Trust. Traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Zero Trust turns this on its head, taking a default ‘deny’ approach that’s rooted in the principle of continual verification.
It recognises trust as a vulnerability, and therefore ensures that all traffic – whether emails, websites, videos, or other documents – is verified.
One of the most effective ways of achieving Zero Trust in its truest sense is through the adoption of isolation-based technologies. It is a solution that shifts the point of execution for active content away from a user’s browser and into a cloud-based virtual container.
In essence, this acts as a barrier, preventing any content – including potentially malicious payloads – from reaching the endpoint. It is not ‘almost safe’ like other security solutions. It has the ability to stop malware 100% of the time.
For law firms this is crucial. At a time where web traffic is expanding exponentially and the risks are heightening by the day, isolation allows law firms to secure all employee digital activities that may unknowingly result in catastrophic consequences.
For organizations looking to offer a safe online experience, empowering users to work without worry as they keep the business moving, isolation technology is the only answer.
