UK law firms face cyber security battles, says new report

A new report from e2e-assure has revealed significant cyber security challenges faced by UK law firms, driven by the need to prioritise business continuity over security. The findings come in light of recent research by One Brightly Cyber, which indicated a targeted campaign against law firms and chambers in London.

Insights for the report were gathered by Rob Demain, CEO and founder of e2e-assure, during a roundtable discussion held at the British Legal Tech Forum in London. The discussion involved CISOs and IT Managers from the UK 200 Group and operated under Chatham House Rules to encourage open and honest dialogue.

Key concerns identified included the issue of fragmented IT systems. The ongoing adoption of new technologies such as AI and the Bring Your Own Device (BYOD) trend has made it increasingly difficult for legal firms to maintain a unified and secure IT framework. CISOs noted that these advancements have amplified the complexities in cyber defence, particularly when employees use technology without adhering to the proper security protocols, permissions, or training.

The report highlights the rise of the "citizen developer" within the legal sector, who often prioritises task optimisation and business continuity over security, thereby creating vulnerabilities through data sharing and open data practices. The pressure on lawyers to provide clients with access to shared team environments exacerbates this issue, often leading to oversharing and security breaches.

Furthermore, friction within the legal supply chain was identified as a significant challenge, particularly between smaller and larger firms, as well as between firms and their clients and suppliers. This friction is rooted in the disparity in access to technology and differing levels of security measures. One participant mentioned facing substantial resistance from clients who do not utilise authenticators, while another flagged usability concerns regarding methods like number matching.

A critical issue for legal firms is the need for around-the-clock vigilance, given that the legal sector does not operate on a standard 9-to-5 schedule. Deals often transpire at unconventional hours, making constant monitoring essential. The report details the challenge faced by lawyers who, under pressure to close significant deals, may find their access to critical files interrupted if a potential threat is detected and the user is temporarily locked out, causing delays in deal completion.

The consensus among CISOs was that while pausing a deal may cause inconvenience, it is preferable to the potentially devastating impact of a successful cyber attack on the entire firm. "The worst-case scenario is if an attacker breaks into an organisation's environment, rather than a deal being put on pause before it can close. A successful cyber attack could lead to six to nine months of major issues, potentially even causing a firm to go out of business," said Rob Demain, CEO of e2e-assure.

The report also stresses the importance of choosing the right cyber security provider. "By working with the right provider, CISOs and IT Managers can upskill their organisation and make sure it's ready to face the realities of today's cyber landscape, which calls for immediate action in the face of a potential attack. The right provider will help both staff and clients of legal organisations understand that a little disruption is okay, but a major disruption isn't," added Demain.

e2e-assure's report provides comprehensive advice on the immediate steps legal firms can take to bolster their cyber defences, encouraging them to face today's cyber threats head-on and to prepare for what lies ahead.