20 January 2021
With pressure on employees to work harder and faster, it is easy to think you have sent an email to the right person, only to realise you have sent it to the wrong one. For the legal profession, the stakes are much higher. Sending an email to the wrong recipient or attaching the wrong document is not a simple mishap; it could spell disaster.
By their nature, law firms deal with sensitive and confidential information daily, including client financial data and insurance claims, which is subject to strict compliance and regulatory requirements. The fact that law firms rely on email to share data with relevant parties is a risk in itself – documents covered by legal professional privilege that are accidentally emailed to the wrong person could constitute a breach of confidentiality.
Law firms implement IT security across the company, including authentication and encryption protocols. But the nature of cyber crime means that attackers are constantly striving to stay one step ahead, and so law firms remain exposed to threats that focus on email as a gap in the defence.
The business landscape
While external threats such as ransomware attacks garner much media attention, including the attack on Grubman Shire Meiselas & Sacks, who had confidential documents stolen from their database, unintentional security incidents make the headlines far less often. Yet the two are just as dangerous as each other. In fact, human errors are almost twice as likely to result in a confirmed data disclosure.
In a world where international communication is instantaneous, employees are under pressure to work harder, faster and smarter than ever before. These human errors can therefore be attributed to busy employees juggling deadlines who do not have the time to double check that each recipient's email address is accurate. Today's business landscape fundamentally makes mistakes more likely.
It is impossible to predict the precise fallout of a breach, as its size and scale will differ from case to case. What we do know is that a number of consequences will follow, including short and long term financial costs. The firm will need to run a technical audit to find out what caused the breach, identify gaps in security and manage any external communications for damage control.
The firm will then need to pay penalties for the breach and invest further in security controls. It is also probable that the company's credit rating will drop and its cyber insurance premiums will rise, even with additional security measures in place. Beyond the financial damage, the harm to the firm's reputation will arguably be the most painful. A breach will affect client trust, potentially resulting in the devaluation of the brand and damaged client relationships.
Second chance to double check
Given the potentially severe consequences of an email breach, most law firms identify protection and prevention as the best course for a cyber security strategy. There are three key components that teams should consider to minimise the risk of data theft:
Authentication and encryption: Attackers may try to attack your systems directly or intercept emails over an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception. Encryption and authentication, however, do not safeguard you against human error: a correctly encrypted message delivered to the wrong recipient is still a breach.
Policies and training: Security guidelines and rules on the circulation and storage of sensitive information are essential, as are clear steps to follow when a security incident happens. You must ensure that employees are fully aware of them and undergo training when they join the team. It is key that training is an ongoing programme, with short, informative sessions delivered online quarterly or monthly. This reinforcement of the security messaging ensures that everyone remains capable of spotting a phishing attack and knows how to handle sensitive information.
Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. These solutions do not impede the working practices of users; instead they give them a critical second chance to double check.
This chance to double check means that users can be prompted based on specific parameters. For example, when a lawyer exchanges confidential documents with colleagues there may be numerous contacts in the To or CC fields, as well as attachments going back and forth. The likelihood of a misspelt email address, or of replying to a phisher, is high, but with extra precautions in place the sender can be prompted to check the email addresses, remove any unwanted recipients and confirm that the attachment is appropriate.
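The pre-send prompt described above can be expressed as a small set of rules. The following is an added example, not code from the article or from any DLP product: it assumes a constructed allow-list of correspondent domains, a constructed list of filename markers for privileged material, and a similarity threshold chosen for illustration, and it flags lookalike (misspelt) domains, unknown external recipients and sensitive attachments leaving the firm.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of domains the firm routinely corresponds with (assumption).
KNOWN_DOMAINS = {"examplefirm.com", "client-bank.example", "insurer.example"}
# Constructed filename markers that identify privileged or confidential material (assumption).
SENSITIVE_MARKERS = ("privileged", "confidential", "claim")
# Illustrative threshold: how similar a domain must be to a known one to count as a lookalike.
LOOKALIKE_THRESHOLD = 0.85
# Illustrative recipient count above which the sender is asked to confirm the whole list.
MANY_RECIPIENTS = 5

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def lookalike_of(domain, known, threshold=LOOKALIKE_THRESHOLD):
    """Return the known domain this one closely resembles (a likely misspelling), or None."""
    if not known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, domain, k).ratio())
    score = SequenceMatcher(None, domain, best).ratio()
    return best if best != domain and score >= threshold else None

def check_outbound(recipients, attachments, known=KNOWN_DOMAINS):
    """Return the list of prompts the sender should review before the mail leaves."""
    prompts, external = [], []
    for addr in recipients:
        # Reject anything that is not shaped like local@domain.tld.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr):
            prompts.append(f"malformed address: {addr}")
            continue
        dom = domain_of(addr)
        if dom in known:
            continue
        external.append(addr)
        near = lookalike_of(dom, known)
        if near:
            prompts.append(f"possible misspelling: {addr} resembles @{near}")
        else:
            prompts.append(f"unknown external recipient: {addr}")
    # Privileged material heading outside the allow-list is the case the article warns about.
    sensitive = [a for a in attachments if any(m in a.lower() for m in SENSITIVE_MARKERS)]
    if sensitive and external:
        prompts.append(f"sensitive attachment(s) {sensitive} going to external recipient(s) {external}")
    if len(recipients) > MANY_RECIPIENTS:
        prompts.append(f"{len(recipients)} recipients: confirm each one is intended")
    return prompts
```

An empty return value means the message needs no prompt; anything else is shown to the sender before the message is released.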
Law firms must realise that holding confidential and personal information makes them a prime target for hackers and cyber thieves. A cyber security strategy is not a one-time or occasional fix, so it is time to make it a priority. Risks must be regularly assessed, appropriate technology implemented and the workforce educated to give your business and your clients strong, effective protection against cyberattacks.