In today’s global, digital world, data rules. Safeguarding intellectual property, financial information, and your firm’s reputation is a crucial part of business strategy. Yet with the number of threats and the sophistication of attacks increasing, it’s a formidable challenge. Given recent high-profile events in both the private and public sector, information and cyber security has never been higher on the board agenda.
David Snell, Head of Law Firms Advisory Group, discusses the cyber security risks facing law firms with directors Raoul Rambaut and Fiona Davis.
David Snell: Welcome to the latest in a series of videos aimed at the legal sector. My name’s David Snell and I lead PwC’s law firm advisory group. I’m delighted today to be joined by Raoul Rambaut and Fiona Davies, both of whom are in our risk assurance group. Raoul, if I could start with you: what is cyber risk and why should law firms be concerned about it?
Raoul Rambaut: Well, cyber risk, David, is the risk that information is going to be obtained illegally by third parties outside the organisation, and it’s not just an issue for law firms. At the World Economic Forum it was identified in the top five risks actually facing UK organisations at the moment. For me, really, there are four key threats or sources for this: one is external governments, the second is organised crime, the third is terrorist organisations, and actually the fourth, which is sometimes overlooked, is potentially an internal source that’s disgruntled, your classic disgruntled employee if you will. And in fact Jonathan Evans, the director general of MI5, recently said that actually the perpetrator could just as easily attack the law firm as well as the organisation that it’s actually trying to get information from, to be able to get hold of that data. So it really is an issue, and GCHQ refer to law firms as the soft underbelly of UK plc. So for me it’s absolutely an issue facing the UK as a whole, but actually law firms particularly, and the main reason is that they collate and hold a huge amount of incredibly important, market-sensitive data.
David Snell: Fiona, what are the major challenges then that are facing law firms with regard to cyber risk?
Fiona Davies: David, the challenges are many, but if I may just draw upon, I think, three of the key ones facing them. I think first and foremost culture is a massive point. Law firms tend to have very much a culture of trust, not only from the perspective of the integrity of the individuals that they employ, just going back to the disgruntled employee perspective, but equally in terms of the level of formality in which they operate, in terms of the processes and controls etc. in place around them. So this entrepreneurial type of culture is not necessarily conducive to the level of vigilance that is required on an ongoing basis. Then secondly I would move to the structure of the organisation: we’re seeing increasingly international structures, and with that obviously comes increased risk, yet quite startlingly what we’re finding is that many law firms are unaware of the local risks faced throughout the network and equally are unaware of the level of granularity around the processes and controls in place to actually address those risks. So it’s a significant challenge. And last but by no means least, regulation and compliance. Evidently this year we’ve seen the role of COFA/COLP become effective, and with that they have the broad ownership of risk. What we find is they don’t necessarily have the support mechanisms to support them in fulfilling their roles. So consider, for example, that fewer than half of law firms tend to have an internal audit function, and with that, that tends to be a one-man band in terms of coverage of the whole network, and ironically as well their risk coverage tends to be very much focused on financial risk and compliance risk, from a know-your-client perspective, but only a small margin actually touch upon IT risk, which in itself can be one of the most significant reputational risks that could face them today.
David Snell: That’s great. So I know what it is and I know what the challenges are. Raoul, what should law firms be doing about this?
Raoul Rambaut: Well, in my experience, David, there are three things that they could look at pretty much immediately. First of all is the client on-boarding process, because often we see clients being taken on board who have actually requested certain requirements around how their data is going to be managed going forward by that particular law firm. It’s captured at the time through the procurement process, but then it’s not really monitored further down the line, and typically you find law firms having signed up to certain quite important requirements which they either don’t know they need to satisfy going forward, or equally can’t satisfy going forward. So for me that is a real area of focus, particularly if they’re dealing with government organisations. The second one I would look at is that a global law firm needs to be able to satisfy global clients on a global basis. So sharing information across the global network is critical. As Fiona said, though, it will also potentially lead to risk. So understanding that risk is essential; we often see organisations with strong controls in a central hub, such as London, Paris, New York or Sydney, but actually in some of the further firms within the network you might not see controls either being in place, or actually with the bandwidth to be able to see those controls being monitored appropriately. So for me I would absolutely focus on those two. And the third one, which I think is really essential, is understanding what data you have where. At the end of the day, it’s the data that these people want, so knowing what you have, what value it has to those individuals and where you store it is absolutely critical to be able to mount a decent strategy of defence.
David Snell: So if I can summarise: obviously a very important topic, one that needs to be given more priority than I think it has perhaps to date, and one where there’s a need for continued vigilance throughout your organisation. It’s been very interesting, Raoul and Fiona; thank you both, and thank you to the audience for listening. Thank you.
People make critical security decisions every day. Disappearing organisational boundaries mean that you can no longer rely on technology alone. It only takes one bad click to open the door to threats. Make sure your people understand security and act securely. We can help you foster secure behaviours by shaping your culture and designing processes, systems and roles with human vulnerability in mind.
Technology underpins your business. In the digital age you can’t do without it, and as your business changes so should your technology. While embracing the new, understand the need to protect vital information and legacy technology against cyber threats. We can help you understand the inherent risks of your technology and how to mitigate them.
Organisations exist in an increasingly complex digital ecosystem. We’re sharing more information than ever before. You need to manage your exposure effectively so only those who should have your information do so. We can help you build an agile risk management framework, adept at keeping pace as your collaborative networks evolve.
Success in the digital age means understanding the opportunities it presents, while managing the inherent risks. Some risks are worth taking, but if you’re struggling to manage the downside, you won’t be able to take advantage of the upside. We can help you consider your interactions within the digital world and assess where and how they impact your past, present and future.
Cyber attacks are now commonplace. Resilience means being able to react quickly and effectively when compromised. Being aware of and prepared for threats will help you prevent incidents and react to them quickly enough to reduce their impact. We can help you protect what’s important, detect intruders, and minimise your exposure when you are compromised.
Addressing cyber threats helps you prioritise what matters most. Being prepared for changes in the digital era will help you get your priorities straight. A ‘cyber savvy’ governance and management structure means you can prioritise opportunities and know where you can afford to take risks. We can help you to recognise where your key assets are, which are often intangible, and align them with your priorities.
Recent events have often erroneously been attributed to technology issues, and while technology is one of the key components of better information and cyber security, equal attention needs to be paid to people and organisation, culture and processes.
Digital technology provides great potential in helping organisations grow, but with opportunities come very real and increasing cyber security threats. Indeed, nine out of ten UK organisations had a security breach in the last year, and the UK government rates cyber attacks as a Tier 1 threat to the nation.
We know that your reputation is key and we understand that you want confidence in your operations and environment to allow you to unlock and prioritise opportunities, and protect what matters most to you and your business – the last thing you want is a cyber attack that interrupts your operations.
When thinking about whether to call on us for help, ask yourself these questions: