but also opportunities
Over the past decade, information technology has played an increasingly critical role in maximising the effectiveness of legal firms and fee-earner productivity. In particular, digitised Document Management Systems (DMS) and Practice Management Systems (PMS) have significantly improved firms’ overall responsiveness. The transition of legal applications to the SaaS model, such as iManage, NetDocuments etc., along with intrinsic integration with Microsoft 365 services and the continued consumption of IaaS solutions, means that legal IT teams have inadvertently become ambassadors for leading-edge hybrid Cloud models.
This undoubtedly enhanced their overall resilience through the COVID-19 lockdowns in 2020-21. Indeed, a number of firms that Exponential-e support were able to rapidly adapt to remote working, thanks to their established use of Citrix virtual apps and desktops, while others had already rolled out Microsoft or third-party Always-On VPN (AOVPN) technology.
At the same time, the world is becoming increasingly ‘data aware’, using the available data to gain deeper insights into business performance and identifying opportunities to optimise productivity and profitability. A comprehensive data strategy underpins and accelerates business growth, and legal firms across the globe are seeking to utilise their data to drive further growth and market penetration. This is driven by two types of data - structured and unstructured.
The global datasphere is tipped to exceed 175ZB in 2025, of which over 80% is unstructured data, i.e. image scans, media files, log files, Word and Excel files, etc. It is typically here where the greatest insights can be gained, but it is imperative that strong data governance is established to control and optimise this growing mass of data. Legal clients entrust firms with their confidential and sensitive data, and so protecting this is the foundation of firms’ brand reputation.
Along with the opportunities presented by the digitisation of document and client information comes a plethora of challenges that were once considered the sole responsibility of IT, but are now accepted as the responsibility of the whole firm. At the top of this list is the threat of cybercrime. It is estimated that by 2025, the global cost of cybercrime will likely exceed £8 trillion [1] - a vast sum and more profitable than the entire global trade of illegal drugs. A key focus in recent cybercrime is not to steal data, but to render it unusable through crypto attacks, forcing the business affected to pay a ransom to decrypt its data - ransomware.
As firms’ data becomes more valuable, it becomes exponentially more valuable to cyber criminals, hostile states, and numerous other malicious entities, who can use it to extort ransoms, compromise intellectual property, or simply steal profits. Legal organisations across the world have become a focus for cybercriminals seeking to steal both money and valuable data - a trend that has persisted beyond the COVID crises of 2020-2021, due to the rapid adjustments to new ways of working having left glaring security holes behind.
The SRA recently carried out a review [2], which identified:
75% of the firms they visited had been targeted by a cyber attack.
Of the remaining 25%, several firms reported that their clients had been directly targeted during legal transactions.
While 93% of firms used firewalls, 87% allowed external data sticks to be used freely.
Only 68% of the firms visited had DR systems in place. However, many of them acknowledged that such processes were stored on the same systems that would be targeted in an attack.
It is clear from these statistics that legal firms will remain a prime target sector for cyber criminals in the years ahead.
A second critical consideration is budget. The average cyber security budget sits between 20% and 25% of the total IT budget, but this is a drop in the ocean compared to state-sponsored cyber warfare. It is therefore reasonable to conclude that all firms must plan for failure, rather than failing to plan. Put simply, cyber threats may be prevented, but cannot be eliminated.
An effective protection strategy is certainly still critical, particularly when mitigating the prime threat of phishing attacks, but while there is a huge amount of knowledge and mature thought leadership relating to prevention strategies, there is less information about how firms can effectively recover from an attack in the shortest space of time.
But accepting that ransomware attacks are an unfortunate inevitability opens the door to identifying key actions to reduce their impact, enhance firms’ ability to rapidly recover, and avoid irreparable brand reputation damage.