The basic precautions every legal firm should adopt to help prevent a successful cyber-attack and what to look for when buying insurance by Stephen Ridley, Senior Development Underwriter and Product Head, Hiscox UK & Ireland
When it comes to choosing their targets, cyber-criminals do not discriminate. They go after any individual or business that they believe they can profit from, and are particularly interested in companies that hold large volumes of personal and sensitive client data.
It’s why law firms are such an attractive target and, despite warnings from the Information Commissioner’s Office and The Law Society, they continue to suffer from cyber attacks. Recent research from The Hiscox Cyber Readiness Report 2017 - found that 28% of professional services firms were the victims of two or more cyber-attacks in the previous twelve months.
Part of the challenge is the ever-changing nature of the cyber threat. Technology is developing quickly which means criminals are able to continually exploit new vulnerabilities. Many law firms now take advantage of cloud computing for instance, and have shifted the point of vulnerability away from the firm’s own IT computer servers but they haven’t negated the cyber threat.
In recent months ransomware has shown itself to be one of the most frequently used tactics by cyber criminals. The global Wannacry attack - caused particular difficulties for the NHS in the UK - as well as the Petya attack, all work on the basis that once hackers have obtained access to a firm’s systems, perhaps by duping an employee to click on a link in an email, they then block access to the firm’s systems until a ransom is paid.
Phishing emails are also becoming more sophisticated, whether purporting to be from someone within their own organisation - complete with a bona fide looking company email address - or simply exploiting a key date such as self-assessment tax deadlines, which can make them seem more credible.
The regulatory environment also continues to evolve quickly, next year the EU’s General Data Protection Regulation launches which includes new measures firms are required to take to
protect the data they hold and new penalties for firms who suffer a data breach.
Make sure basic protection measures are in place
Given the risks, preventing a successful cyber attack happening in the first place should be the first priority for every law firm. Robust and well tested security procedures are an important part of an overall approach to cyber security.
Basic measures should include:
- Enforce a strong password policy - longer, more complicated passwords are more difficult to crack in a brute force attack
- Back-up systems - returning to business as usual is much easier if files can be restored from a separate back-up server
- Update systems - software companies provide regular updates to their systems. Make sure all of the latest security patches are applied as soon as possible after release
- Staff awareness - employees clicking on phishing emails are the most common entry points for hackers. Everyone should be aware of the risks of clicking on suspicious links within emails.
Insure against cyber-attacks
But if an attack does get through and a data breach occurs or files are left inaccessible, what next? This is where insurance can play a major part in limiting both the financial and reputational impact.
Insurance can provide protection for cyber extortion, damage to systems, and loss of data caused by a hacker. Good cyber insurance, however, will do more than simply offer financial compensation. As soon as an attack has been notified, your cyber insurance should offer instant access to a range of specialists to help minimise the impact and get the business back up and running. These should include IT specialists as well as data privacy specialists, legal support for dealing with legal issues and the regulator, and also public relations experts who can help protect the business’s reputation.
The financial cost of an attack goes well beyond the immediacy of the attack. Loss of income from being unable to trade and through reputational damage could be significant - again, a good cyber insurance policy should help cover these losses.
Don’t wait to act
Cyber threats are now as much a risk to every business as the more conventional risks of fire, flood and professional liability. It’s more of a question of when an attack will happen rather than if. For law firms, whatever their size, taking a proactive approach to the risk will help prevent, or at the very least mitigate the impact of a successful cyber attack.
Hiscox Cyber and Data Risks Insurance is available to Law Society members with a 5% discount.
To find out more call 0800 840 2781 or visit www.hiscox.co.uk/lawsociety