Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Why is Security Awareness Training important for the legal sector?

published on 2022-05-19 04:50:01 UTC by Jared Thompson
Content:

A cybercriminal doesn’t look at businesses by industry or size; they are looking for vulnerabilities. But as a law firm you will regularly process large financial payments and handle sensitive customer data, which can make you a more appealing target.

The Solicitors Regulation Authority (SRA) published the following report in 2020: Cyber Security – A thematic review. One of the focus areas in the report was cyber security training, and how having a basic knowledge of cyber security and mitigation against cyber-attacks are linked.

Cyber security is not just a responsibility of your IT department; everyone within a law firm must have a general level of knowledge about the topic. With scams in cyber and technology evolving on a daily basis, training staff regularly is one way that law firms can mitigate the risk that cyber-attacks pose.

https://youtu.be/kKfjsVYhed0

The Solicitors Regulation Authority; Cyber Security - A Thematic Review

  • 20% of firms had never provided specific cybersecurity training to their staff, with the majority never keeping records of who had received training
  • Whilst 93% of firms had a firewall in place, more than half of firms allowed external data sticks to be freely used and plugged into their machines
  • Although 73% of firms reported any recent incidents to the SRA, seven reports were not made, despite clear and significant breaches

"Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device. However, ultimately it is a broader risk than the use and maintenance of technology alone. Firms need to have suitable knowledge and oversight to ensure they maintain a strategic approach to technology and security across the whole firm." Quoted from the SRA Thematic Review 2020

Different employee roles present different risks

The SRA report asked senior figures and fee earners about their understanding of some common cyber security terms. Of the senior figures, over 50% of those asked said they understood the terms phishing, ransomware and malware. However, of the fee earners, 55% said they didn’t understand the term ransomware or virus.

Uneducated employees can be a bigger risk for legal firms. One firm revealed that around £150,000 of billable time was lost due to a ransomware attack initiated accidentally by a fee earner, which is unsurprising when the understanding of ransomware is so low.

Despite this, the report’s findings on when specific cyber training was last provided revealed that just 26 firms had provided training in 2019, and 20% of firms had never provided specific cyber security training for staff.

With 27 cyber-attacks resulting in firms losing office or client money, all but one firm introduced mitigation that they believed would prevent a similar event from occurring. With 62% of the cyber-attacks, the cost of the mitigation was less than the initial loss incurred by the firm, highlighting the need for cyber security to be a regulatory requirement.

If your firm has yet to implement a Cyber Incident Plan, we recommend you download our pack, which contains documents to help your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.

Enquire about Security Awareness Training today

Here at the North West Cyber Resilience Centre, we offer Security Awareness Training that provides an introduction to cyber security, why it’s difficult, the latest threats and who it can affect. The training can be delivered virtually or at your offices by our security experts. Each of the modules is delivered to suit the knowledge levels of those attending the training, with the content broken down for all knowledge levels.

The training is designed so you can transfer the behaviours to both personal and business activities. If a cyber-attack has happened to your business previously, we can help further educate your team to better understand how to protect your organisation and minimise the risk of this happening again.

Security Awareness Training not only features prevention techniques but also includes how to manage the situation if you do suffer an attack. Training can also be bundled together with a Simulated Phishing Exercise, which helps to raise your staff's awareness of phishing emails and guards your business against the growing trend of social-engineering threats. By training your employees about what a phishing attack looks like, they are more likely to identify and report scams.

If you feel our Security Awareness Training or Simulated Phishing Exercise could benefit your legal firm or a business from your supply chain, get in touch and we can discuss how we can support you today.

Article: Why is Security Awareness Training important for the legal sector? - published about 2 years ago.

https://www.nwcrc.co.uk/post/why-is-security-awareness-training-important-for-the-legal-sector   
Published: 2022 05 19 04:50:01
Received: 2022 05 20 09:09:41
Feed: North West Cyber Resilience Centre
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security