How can law firms and other organizations take steps to increase their cyber resilience in the face of continuing threats? There are steps they can take
Several influential reports — as well as numerous news stories — have shed new light on some of the challenges that law firms face when dealing with cybersecurity threats. With cybersecurity breaches increasing and many firms still operating under a more dispersed workforce with increased technology risks, it is more critical than ever before to build a fully resilient cyber-defense business strategy.
Underprepared for significant business threats
Cyber-incidents are topping the lists of the KPMG 2022 CEO Outlook report and the Allianz Risk Barometer 2022. KPMG’s report highlights the rapid evolution of the cyber environment and details how CEOs recognize that they are underprepared, with 24% admitting so in 2022 compared to only 13% saying the same thing in 2021. In 2022 thus far, ransomware attacks occurred worldwide every 11 seconds (a 20% increase from 2019). Some of these attacks are high-profile breaches.
The Allianz report places “cyber incidents” as the most significant business risk in 2022, outranking more conventional business threats such as business interruption, climate change, and workforce issues. Allianz notes that its respondents say that cyber is not as well understood as some traditional threats; consequently, mitigations are less well-developed.
Right now, there are three steps law firms can take to bolster their existing cyber-risk profiles:
1. Enhancing hybrid workforce security
Since the global COVID-19 pandemic in 2020, many firms have continued to operate under a remote or hybrid workforce arrangement. The distributed nature of today’s workforces increases a firm’s cybersecurity vulnerability because workers either use their personal computers for work or use their work laptops for some personal tasks. Additionally, third-party apps designed to foster collaboration and increase productivity are increasingly problematic. They could open the door to a cyber-attack because many have limited security tools, their default security options are not optimal, and it can be challenging for IT teams to access an app’s cybersecurity settings.
Do your employees have the right skills to protect against cyber-attacks? One way to educate employees is to conduct cyber-crisis exercises. Best practices suggest this must happen more than once a year. A report in Dark Reading, a widely read cybersecurity news site, provides a benchmark for employee cyber-resiliency: “An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively.”
2. Strengthening the partner ecosystem
Three-quarters of the CEOs in KPMG’s report say they recognize that protecting their partner ecosystem — the network of suppliers, providers, contractors, and business partners — and supply chain is as important as shoring up their own organization’s cyber-defenses. As companies and their partners increase their mutual connectivity in the name of efficiencies and cost savings, these initiatives also expose vulnerabilities and gaps in systems and processes that cybercriminals can exploit.
What can you do to beef up your partners’ risk profiles? Experts recommend an approach that focuses on three Cs:
- Tightening contracts and compliance to introduce additional controls and restricted access for third parties;
- Exploring avenues for collaboration and community to share intelligence and increase knowledge; and
- Increasing cooperation; because this issue is both global and systemic, it is challenging for a single function (IT) or entity (your firm) to do this alone. Exploring intra-industry, cross-sector, and public-private paths is essential to mitigating future cyber-risks.
3. Staying on top of technology innovations
The nature of cyber-attacks is that they are constantly evolving. While malware, ransomware, phishing, and social engineering attacks are common, newer technologies pose new risks. Security software company Symantec reports that, on average, mobile app stores block 24,000 malicious mobile apps daily, while others have noted that cybercrime is becoming more scalable and, therefore, more accessible for bad actors looking to launch more sophisticated attacks.
Indeed, the increased frequency of attacks is happening as experts are starting to realize the limitations of traditional risk-prevention methods such as standard password authentication, static networking, and trust-based security systems. But technology advancements also provide a way to mitigate this risk. Among them is the ability to learn and modify behavior based on insights from artificial intelligence, machine learning, and adaptive network technologies.
Given that October is National Cybersecurity Awareness Month in the United States, this might be an excellent time to move beyond awareness and into taking action to better protect your firm and increase its cyber-resiliency.