As our reliance on digital technology grows, so too do threats to cybersecurity across a number of different sectors and geographies. Tackling these threats effectively is crucial but dealing with cyber crime remains challenging.
PwC’s Law Firms’ Survey 2022 highlights the cyber threats and challenges that firms are currently facing within the legal sector. In addition, our recent Global Digital Trust Insights survey and the 26th Annual CEO Survey prominently feature CISO perspectives when it comes to cyber security. We explore the trends that will have the biggest impact on law firms in 2023.
Ransomware remains the most significant cyber threat to organisations across the legal sector. Between 2020 and 2021, the number of ransomware victims whose data was exposed on leak sites nearly doubled from approximately 1,300 to 2,435, with figures for 2022 illustrating the same trend. The leaking of stolen data, or the threat to do so, became standard procedure for the majority of high-profile threat actors, adding privacy, regulatory, and reputational risks to the crisis of business disruption.
Other significant cyber threats are Business Email Compromise (BEC) and Supply Chain Compromise. BEC is a form of phishing attack using social engineering that often exploits the trust between business partners or businesses’ customers. The resulting losses can lead to the exposure of confidential or sensitive personal data. Digital transformation and complex supply chains present ongoing challenges to organisations and regulators as threat actors continually evolve their methods of attack.
90% of UK senior executives ranked increased cyber risk due to digital transformation as their biggest cyber security challenge since 2020
PwC’s Cyber Security Outlook
Another threat that law firms should be aware of is insider risk. Data breaches in this area are often attributed to human error and negligence.
77% of Top 100 law firms experiencing incidents unintentionally caused by staff and 8% of firms having experienced an incident caused by a malicious insider
There is a concern that the current cost of living crisis may increase deliberate insider risk, as it could give insiders a financial motivation to commit fraud. To mitigate this, organisations need to build a strong cyber security culture with improved governance, effective policy, comprehensive training, a cyber-savvy workforce and innovative technology to better deal with cyber threats.
Cyber risk is increasingly moving up the regulatory agenda as our reliance on complex digital technology grows. The UK government’s cyber strategy emphasises the importance of companies meeting their corporate governance responsibilities for greater accountability and transparency with regard to cyber risk.
While the regulatory landscape seeks to protect against cyber threats, there remains an onus on organisations to take responsibility for their own risk exposure. To do this effectively, businesses need to understand what to do in the event of an incident by running simulations of cyber attacks and proactively managing their cyber risks to improve resilience.
Obtaining cyber insurance is another obstacle for businesses as the cost of insurance is rising and terms are continually changing with more onerous requirements and additional exclusions. This makes it harder for companies to secure cyber insurance and to determine whether a policy is appropriate for their needs or not. Despite these challenges, becoming insured should remain a priority.
Geopolitical pressures provide an additional challenge as organisations face threats from third parties that they may not have previously considered. Businesses should take the time to properly understand both their own threat profile and the geopolitical risks that pose a threat. According to the National Cyber Security Centre (NCSC), the most consistent cyber threats are currently coming from Russia and China.
Another potential risk for law firms lies in transformation challenges, particularly for firms that are yet to transition to cloud or are slow in adopting new ERP or other systems. These firms may still rely on old legacy systems, increasing their vulnerability to cyber attacks.
The global cyber skills shortage is also problematic for organisations trying to recruit and retain high quality talent responsible for cyber security. According to the Law Firms’ Survey 2022, firms are increasingly appointing a dedicated point of contact focused on cyber security. Without the necessary cyber skills in the market, organisations are on the back foot in terms of understanding cyber threats and taking responsibility for their risk exposure. This makes it difficult to understand where vulnerabilities lie and to build a strong cyber security culture.
As the cyber threat landscape continues to evolve, organisations need to manage their cyber risk and regularly review their threat profile for changes. This is particularly key for larger organisations with complex supply chains and those handling sensitive data, such as law firms. By ensuring cyber risk is understood and managed, organisations can increase their resilience and respond effectively in the event of an attack.
Cyber Security Partner and Cyber Business Leader, PwC United Kingdom