With the European Cybersecurity Month running this October, there’s no better time to speak about cybersecurity and the challenges law firms face.
To find out more, we asked the President and Vice-President of the Intellectual Property, Technology, Media, and Telecommunications Commission, Árpád Gered (Maybach Görg Lenneis Geréd Rechtsanwälte GmbH) and Silvia van Schaik (bureau Brandeis).
What are the challenges of cybersecurity for law firms?
Árpád: The biggest challenge is that law firms often don't consider themselves valid targets. In many cases, this leads to firms taking the minimal necessary technological precautions but forgetting about the appropriate organisational measures. This includes first and foremost educating all collaborators in a law firm on the importance of those precautions and that they can only be effective if they are upheld by all concerned.
After all, according to the ENISA Threat Landscape Report, the top five cyberthreats target the people having access to target systems rather than the systems themselves. Thus, with appropriate technological measures and the proper education of all collaborators, even law firms on a tight budget should be able to counter a significant number of threats.
What about the challenges for smaller law firms with smaller budgets?
Silvia: I believe that large firms and firms that are well known are more likely to become victim to a ransomware attack. Smaller firms may struggle more with finding affordable, practical and safe solutions, for instance for remote working. It’s not always easy to find a balance between safely storing and sharing documents and being able to work.
How can law firms overcome these challenges?
Árpád: As with every potentially challenging situation, effectively facing cyberthreats starts with consultation by experts in that field. While the concrete measures to be taken may vary from firm to firm, in all cases they should cover the ‘CIA-Triangle’: Confidentiality, Integrity and Availability.
Confidentiality means measures to restrict access to the information to authorised persons, e.g. training of personnel, authentication of users, classification of data and users. Integrity refers to measures to ensure that the information can't be altered or deleted erroneously, be it unintentionally or on purpose, e.g. permissions, version control, redundancy plans. Finally, Availability relates to measures to ensure that the information is always available to the authorised persons, e.g. failover and redundancy measures, geographically separate backups, disaster recovery plans.
Silvia: Involving experts is indeed important. Those experts should also truly understand what the work of a lawyer entails. In my experience, it’s difficult to find such experts, especially at a reasonable price. Furthermore, lawyers should have proper tools and receive training about cyberthreats and what they can do about it. Enough time and budget should be allocated for doing that.
We see that legal services are more and more embracing new technologies. But it’s time to also take a closer look at the skills available in the legal profession to ensure good cybersecurity practices are in place. In this regard, to what extent is the legal profession equipped with the necessary skills?
Árpád: In countering cyberthreats, the legal profession is not any worse equipped than other businesses that have traditionally worked with analogue media and now discover that the core of their business has been digitalised. The legal profession insofar has even an advantage over other lines of business, as secrecy obligations have always been among the core values. However - nowadays - the process is more complicated than locking up the files in the cabinet at night.
One major skill that is currently often lacking (but not only in the legal profession) is the understanding of what sharing of information over certain means might entail. While a firm might make available appropriate tools or services (e.g. secure online storage and file exchange services), it is nevertheless the people working with the information who need to understand why they shouldn't use any non-sanctioned tools or services. This is especially important in the legal profession, where confidential and sensitive data is regularly processed.
Silvia: I believe that most lawyers have the skillset but don’t always know what tools are available and how they can use them. However, I also believe that cybersecurity, or even IT in general, is still often seen as something secondary to our core business. What can be done more? Truly make cybersecurity a priority at the board level of all firms. Our clients trust us with their information, so we should do anything to make sure it is safe while also being able to do what our clients hire us for!
To find out more about the European Cybersecurity Month, please visit the dedicated website: cybersecuritymonth.eu.