Cyber security, risk management and innovation?

Cyber security can drive innovation in legal services as well as protect professional privilege, says Timothy Hill, technology policy adviser at The Law Society of England and Wales

Legal technology is variously a must-have, a source of competitive advantage, and a driver of efficiency and innovation. But what about cyber security?

According to David Prince, delivery director of cyber security at Schillings, legal technology can be all three. Schillings proved the point by moving from being a law firm to becoming an alternative business structure (ABS), which combines risk consulting, law and IT security to protect client reputation. Mr Prince even argues that a cyber breach can be an opportunity.

Most law firms will not seek to emulate Schillings. Some, however, would agree with Cabinet Office Minister Francis Maude’s comments at the launch of the first UK-wide Computer Emergency Response Team (CERT-UK), that “cyber security isn’t a necessary evil: it’s both an essential feature of, and a massive opportunity for, the UK’s economic recovery”.

Mr Maude pointed out that historically it has always been places where people come together to do things – transport links, communication routes, marketplaces – that have attracted criminals.

This was one reason the Law Society worked with the Institute of Chartered Accountants, the Cabinet Office and others to produce a Cyber Security in Corporate Finance guide. Corporate finance transactions are a “place” where cyber criminals know that potentially vulnerable professional advisers of all kinds come together. Indeed, lawyers routinely engage in sensitive affairs that attract prying eyes. It was the discretion as well as the expertise of solicitors that built their reputation in the 19th century.

Lawyers want to be recognised as trustworthy in cyberspace

Maintaining this reputation in a 21st century of pervasive electronic networks and increasingly permeable boundaries between industries, professions and roles will be challenging. To succeed, solicitors must learn from and share with each other and with other professions and disciplines.

The Law Society is promoting an important component of CERT-UK, the Cyber Security Information Sharing Partnership (CISP). This allows members to exchange cyber-threat information in real time, to network, and receive support from expert government and industry security analysts. Law firms are signing up to CISP in growing numbers. Lawyers also want to be recognised as trustworthy in cyberspace.

The announcement of the government’s Cyber Essentials Scheme, identifying essential internet security controls for all types of organisation, is therefore of interest. It aims to reduce the risk of opportunistic attacks, the most common form of cyber attack.

The scheme has five controls: boundary protection, secure configuration, user access, malware protection and patch management. From summer 2014, bronze, silver or gold-tier certification against these controls can be awarded and displayed. Most cyber attacks known to the government “would have been mitigated by full implementation of the controls”, it says.

Which leaves the attacks that do succeed and Mr Prince’s intriguing assertion that a breach can be an opportunity – but only if you’re prepared to respond.

Does your law firm have a reputation management plan as well as a business continuity plan? Is cyber security factored into your reputation management and business continuity plans? How quickly can it be implemented? What advice would you give to clients about their own plans?

Questions like these are becoming increasingly relevant and demonstrate that cyber security can be a driver of innovation in legal services while helping to protect legal professional privilege. It is not just a back-office IT function.