Do Law Firms Consider Cyber Security Approaches And Human Vulnerability?

Cyber security breaches have cost mid-tier businesses over £30 billion in the last 12 months.

Human error and the undervaluing of cyber security strategies remain huge vulnerabilities in the protection of a firm’s digital presence and sensitive data, according to a recent study conducted by accountancy consultants Grant Thornton, who surveyed 500 UK business leaders whose firms produced revenue of between £15 million and £1 billion.

The results were clear: too much money is lost to cyber criminals, mid-sized firms are failing to prepare for an attack and management structures do not give the issue the respect it deserves.

Too many mid-sized firms feel as though they will not be targeted by cyber criminals and therefore under-prepare for attacks. Whilst 46% of large organisations follow minimum cyber security recommendations, including Cyber Essentials, this drops to fewer than a third (31%) of medium-sized enterprises.

Similarly, only 48% of medium-sized firms carry out risk assessments, and 55% complete cyber health checks. In comparison, larger firms are consistently more prepared.

To a large extent, this lack of preparedness stems from the poor level of consideration given by management and board level employees. Just over a third (37%) of boards reviewed cyber security approaches and only 41% have a detailed incident response plan.

Overall, this has had a significant impact on the revenue of UK businesses. Over 50% reported cyber losses of between 3% and 10% of the firm’s annual revenue. Some even reported losing in excess of 25% of annual revenue to cyber criminality.

Beyond financial losses, firms recognise the social and long-term business losses incurred because of a cyber breach.

58% were worried about the reputational damage a cyber attack would have on the business, 45% were concerned by the clean-up cost implications, and 44% were concerned by the management time it would take up, whilst a third were worried that a cyber attack would affect consumer behaviour.

Despite these significant business concerns, only 36% trained their staff in security awareness.

The threat of human error was also highlighted last week through a Freedom of Information (FoI) request to the Government, made by MobileIron.

The FoI request found that 508 government-owned electronic devices were lost between January 2018 and April 2019. Whilst it was unclear whether the devices were password protected, encrypted or had the technology to remotely wipe their data, it is clear that human error was responsible for causing the vulnerability and potential leak of sensitive information.

James Arthur, Head of Cyber Security at Grant Thornton, commented:

“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defences are not up to scratch, you could already be on a list.

“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defences. It’s not personal – it’s just business.”

David Critchley, MobileIron UK and Ireland regional director, commented:

“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organisations have the right security protocols in place to minimise risk and prevent unauthorised access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers.”

Does your law firm have clear cyber policies and training structures in place?