Six lessons learned about cyber security

A new report from the Solicitors Regulatory Authority found critical gaps in cybersecurity measures being taken by law firms. Access‘ regulatory director Brian Rogers discusses six of the report’s big learnings.

The SRA has advised law firms that “it may be better to ask when, not if, you will be targeted by online criminals” – a point that was driven home in its latest report on the thematic review of cybersecurity, based on visits to 40 law firms and recording their detailed findings in September 2020. The thematic review aimed to find out the main reason(s) why law firms were failing to address cybersecurity risks, so they could provide support. From the sample, it’s clear that most were following best practice and keeping their firms secure, although it is useful to study the failings that were uncovered.

1. Continually bolster your policies & controls

Every firm should have a robust cybersecurity policy in place that should be front of mind continually. Just under 75% of the 40 firms visited by the SRA for thematic reviews were found to have adequate cyber related policies in place, leaving just over a quarter needing to put in more effort in terms of improving their cybersecurity situation.

2. Make sure your training is up to the mark

With 20% of the firms visited having never provided staff with specific cyber training and 50% having provided it but not recorded details and evidence of the training, there is room for improvement. Training is paramount to enable individual solicitors and their firms to be able to sign-off on their competency statements. The training records are required as proof that the law firm workforce – as a whole – is equipped to act in the best interests of clients and to protect clients’ assets and their money.

3. Take data storage & encryption seriously

Half of the 40 firms visited were found to have allowed unrestricted use of external data-storage media, with 25% of firms not encrypting their laptops. According to SRA recommendations, it is essential that policies and procedures reflect the risks posed by allowing staff to use external storage media – both in terms of exposing the firm and its clients to viruses, as well as the risk of compromising client data. A lack of encryption is particularly risky for the safe keeping of client data, when staff are working on their devices remotely.

4. Log and report incidents

The SRA found seven significant incidents that should have been had not been reported to the body, while 24 firms had not kept logs of cyber incidents. Some said they had kept details but were unable to produce them when asked to do so – exposing themselves to potential action for misleading their regulator.

5. Set a cybersecurity budget

Setting aside a budget for specific cyber risk areas is a sure sign that a firm is taking cybersecurity seriously. The SRA found that only five of the firms visited had cybersecurity budgets in place – questioning whether firms are seeing cyber crime as a high enough priority.

6. Regularly share real life stories with staff

Sharing real examples of what’s happening with other firms is one of the best ways to emphasise the importance of cybersecurity to your workforce, and the role each person in your team must play to keep you safe from so-called ‘hacktivists’.

The SRA and The National Cyber Security Centre are trusted resources with an excellent news page, highlighting what is happening in the world of cyber scams.  Access Legal’s digital learning and compliance team, also offer templates for security policies, cybersecurity training programmes and tools you can rely upon. We are also continuously adding new resources for law firms to keep up-to-date with relevant information.