A new report published by Legal Week Intelligence, in association with Mimecast, Cybersecurity – The Race to Protect, sheds new light on the myriad technology challenges law firms currently face. The report, a product of a series of interviews with IT directors, chief information officers, and cybersecurity lawyers, captures the most serious concerns and consequences the legal sector must tangle with to navigate between the fast-morphing threat landscape and the increasingly stringent regulatory environment.
Here are five of the most noteworthy trends revealed in this report:
1. The biggest General Data Protection Regulation (GDPR) pain point is email
Law firms must factor email into their GDPR data management strategies. Furthermore, firms need to recognize that any growth through merger and acquisition can multiply the number of email systems to manage for reporting and query response purposes.
“In terms of information that’s available in our live systems it’s straightforward [to locate data], but when you start to get into things like ‘did I take a copy of our exchange server on a particular date and do I have that archived on a tape which is now stored in a secure location,’ that is a challenge,” says Matt Peers, director of information systems and strategy at Linklaters.
2. The GDPR will bring cross-border data sharing and “the right to be forgotten” into sharp focus with punitive fines for non-compliance
While the cross-border exchange of personal data and the right to be forgotten have been part of the public discourse for over a decade, the new regulatory regime will now subject law firms to potentially crippling fines.
“The GDPR has teeth,” says Roy Hadley, partner and co-chair of US law firm Thompson Hine. “It’s not that you just have to send out a breach notification letter, there’s real financial impact to you if you don’t follow those rules.”
Moreover, the confluence of heightened cybercriminal risks and more stringent regulations has instilled new assertiveness among corporate clients, who more frequently set the standards for their law firms.
“There’s more and more of a push [from clients] to enforce pessimistic security,” says Marcel Henri, global chief information officer at Dentons. “Law firms in the past have had optimistic security, so everything was shared with colleagues unless there was a reason not to share it. Now certain clients are saying ‘I want to make sure only the people working on my matter have access to that,’ so now everything is locked down to a client team unless there’s a good reason to open it up.”
In fact, IT experts acknowledge that the greatest cybersecurity risk is often a firm’s own employees, who may unintentionally infect their IT systems by clicking on something harmful.
“The reality is that most of the cyber incidents that occur are not particularly sophisticated and a large proportion could be avoided by educating staff so they can identify what a phishing email might look like,” says Simon Shooter, a partner at Bird & Bird and founder of the firm’s cyber team.
But while people are the first line of defense, the report asserts that technology is critical as a backstop for when things go wrong. Dentons’ Henri notes that among the tech tools the firm uses to minimize cybersecurity risks is the very software used by security agencies to continuously probe IT systems for weaknesses in real time.
“Big clients are now saying that doing that once or twice a year is not enough – it needs to be done all the time, and hiring a third party to do it would be cost prohibitive,” he says.
To download a copy of the Legal Week report, Cybersecurity – The Race to Protect, click here.