Information security risk is an ever-increasing threat to the reputation and brand of a law firm. Over the last year, there have been a number of high-profile cyber-attacks, and 62% of law firms reported that they had suffered a security incident (up from 45% in 2014). The greatest vulnerability is the workforce: in our experience, the majority of all breaches are due to staff falling victim to phishing attacks (fake emails or websites).
Internal Audit functions remain generally under strength and firms spend less on Internal Audit when compared to businesses of equivalent size and complexity.
Information security remains a real risk for law firms. There has been an increase in the security incidents suffered by firms over the past year, with the percentage who had suffered some form of incident rising from 45% to 62% (across all law firms).
The incidence of cyber-attacks is increasing. Given that it is the data held, rather than the type of organisation, that seems to be the target of the attack, law firms need to remain vigilant.
Reliable continuity of the business and IT operations underpins the reputation of all law firms. However, only 32% of all law firms are ‘very confident’ in their IT disaster recovery capabilities. This is concerning, given the high level of dependency that the modern-day law firm places on its IT systems.
Crisis management remains another highly relevant issue. Only 49% of senior management have participated in a training exercise to test their preparedness. A lack of clear leadership at these times could have a negative impact on the business.
The UK Corporate Governance Code has significantly enhanced the requirements for listed Boards to develop and demonstrate a robust approach to risk management and internal control. Even though this guidance does not directly apply to law firms, we believe it represents good corporate governance and will begin to filter into other organisations in due course.