By Legal Futures’ Associate Solve Legal marketing who are publishers of Today’s Legal Cyber Risk
Only 8% of small to medium sized law firms failed to implement any cyber security measures last year.
In comparison, over a quarter of the UK’s small to medium sized enterprises (SMEs) have no cyber security measures or strategies in place.
However, according to the ‘Would you be Ready for a Cyber Attack’ survey, commissioned by Business in the Community, there is a growing disparity between the cyber security safeguards introduced by medium sized firms (50-249 employees) and the lack of importance smaller firms (up to 50 employees) place on ensuring their digital presence is secure from cyber criminals. 30% of small firms currently have no cyber security strategies in place whilst only 4% of medium sized organisations had failed to make adequate preparations and strategies.
These figures are extremely worrying given that small to medium sized organisations were the prime target of cyber criminals in 2018, according to a recent report by cyber security firm 4iQ.
The report highlights that cyber criminals are correct to target SMEs, as 32% have failed to take any action relating to cyber security in the last 12 months. However, this figure exceeds 40% when restricted to small organisations.
The uptake of basic and minimum cyber security procedures was also limited, especially among smaller firms when it came to basic fraud prevention strategies. Over 40% of medium firms have taken the step of introducing strong passwords and a password management system. Unfortunately, fewer than a quarter of small firms had decided to adopt this good practice.
Despite so much emphasis being placed on the threat insiders pose to the security of data, only 15% of organisations had prioritised this in 2018. Whilst almost 35% of medium organisations have looked at staff training in cyber security and fraud prevention, less than 10% of smaller firms had looked into solidifying their employees’ understanding of cyber threats and their responsibility for preventing attacks.
35% of medium firms had identified and fixed software and hardware vulnerabilities that could expose their firm to cyber attacks; fewer than one in five small firms have completed this. In fact, from multi-factor authentication to reviewing third-party providers’ security capabilities, it would seem that medium organisations have prioritised cyber defences more than smaller businesses.
The legal sector was more likely to ensure that adequate implementation methods were in place with only 18% of small to medium sized firms indicating that they had taken no action. The overriding reason for small and medium law firms to improve their cyber security policies in the last twelve months was to comply with GDPR (70%). 36% were also spurred to action because of significant cyber crimes affecting the legal sector they had heard about locally or in the news.
When events in the news include massive frauds like Dreamvar or the increase in phishing successes that inflict huge financial and reputational damage on law firms, it is clear that all law firms, regardless of size, should view cyber security measures and strategies as a basic requirement that must be implemented and reviewed regularly.