For the majority of businesses, running a team without email is almost impossible. Reliance on email has been an established part of business practice for some time and is particularly important now as employees work remotely, sometimes even in different time zones.
Everyone has had the experience of sending an email in error to the wrong recipient. With pressure on employees to work harder and faster, it’s easy to think you’ve sent an email to the right person, only to then realise you’ve sent it to someone with a similar name. It’s embarrassing, and all too common. But for the legal profession, the stakes are much higher. It’s not just a simple mishap to send an email to the wrong person, or attach the wrong document, it could spell disaster.
By their very nature, law firms deal with sensitive and confidential information daily, including client financial data, medical information, insurance claims and many others. Given the sensitivity of this data, it is subject to strict compliance and regulatory requirements. But the fact that law firms must rely on email to conduct their role and share data with relevant parties is a risk in itself – communications or documents covered by legal professional privilege that are accidentally emailed to the wrong person could constitute a breach of confidentiality. Moreover, emails of such a sensitive nature are a potential gold mine for hackers.
Law firms will of course implement IT security across the company and its devices, including authentication, encryption protocols and remote administration to wipe any lost devices, for example. But the nature of cyber crime means that hackers are constantly striving to stay one step ahead of security infrastructure, and as such law firms remain vulnerable to cyber threats that focus on email as a gap in the defence, such as hacking, malware and phishing.
Blame it on the business landscape
While external threats such as ransomware attacks garner much media attention, including Grubman Shire Meiselas & Sacks, who had confidential documents stolen from their database, or DLA Piper, a law firm that fell victim to the NotPetya malware infection, it's fair to say that unintentional or insider security incidents don't make the headlines quite as much. Yet the two are equally dangerous. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in a confirmed data disclosure.
In a world where international communication is instantaneous, employees are under pressure to work harder, faster and smarter than ever before. In particular, with at least 20 of the UK's top law firms using the UK's Job Retention Scheme and furloughing some staff, employees are feeling the strain. As such, these human errors can quickly be attributed to busy employees juggling deadlines and deliverables who don't have the time, or the attention, to double-check that each recipient's email address is accurate. The business landscape of today fundamentally makes mistakes more likely.
Beyond embarrassment, what are the potential consequences of a misaddressed email? What if a Human Resources officer inadvertently divulges detailed information on your lawyer compensation plans? What if the confidential details of a case or client are revealed by mistakenly emailing the wrong ‘John’, thus disclosing either your strategy or personal information?
It's impossible to predict the precise fallout of a breach, as the size and scale will differ for each incident. What we do know is that a number of consequences will follow, varying in severity, including short- and long-term financial costs. The legal firm will first need to run a technical audit to find out what caused the breach, identify gaps in security and process, and manage any external communications for damage control.
Consequently, it's likely that the firm will need to pay penalties for the breach and invest further in security protocols. As a result of the breach, it's also probable that the company's credit rating will drop and its cyber insurance premiums will rise, even with additional security measures in place.
But beyond financial damage, arguably it’s the harm to the firm’s reputation that will be the most painful. A breach, no matter how unintentional, will affect client trust, potentially resulting in lost contract revenue, devaluation of the brand and damaged client relationships. This spills into employees as well – will top talent want to stay at a firm that can’t be trusted to keep its data, and that of its clients and employees, secure?
Second chance to double check
Given the potentially severe consequences that can come from an email breach – as well as the legal requirements around protection of sensitive information – most law firms identify ‘protection and prevention’ as the best course for a cyber security strategy. Exploring this strategy further, there are three key components that teams should consider to minimise the risk of data theft and loss.
- Authentication and encryption: Hackers may try to attack your systems directly or intercept emails via an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries.
- Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive information are essential, as well as clear steps to follow when a security incident happens. You must also ensure that employees are fully aware of them, and undergo training when they join the team—or after every significant security update. It is key that training is an ongoing programme with quarterly or monthly short, informative sessions delivered online. This reinforcement of the security messaging ensures that everyone is capable of spotting a phishing attack or knows how to handle sensitive information as they are aware – and reminded regularly of the risks involved.
- Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Rather than disabling time-saving features such as autocomplete (to stop employees becoming complacent about selecting the right recipient), these solutions leave users' working practices untouched and instead give them a critical second chance to double-check.
This chance to double-check means that users can be prompted based on several parameters that can be specified. For example, a lawyer exchanging confidential documents with colleagues in the law department and with external contract clients may have numerous contacts in the TO or CC fields, as well as attachments going back and forth. Moreover, with colleagues sending dozens of emails each day, it's not easy to remember which files contain sensitive information. The likelihood of a misspelled email address, or of replying to a phisher, is therefore high. But with an extra precaution in place, for example VIPRE's SafeSend, users can be prompted to check the email addresses once more, remove any unwanted recipients that have cropped up, and ensure that the attachment is appropriate for each contact.
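To make the "prompt based on several parameters" idea concrete, here is an added, constructed example of the kind of outbound check a DLP "second chance" feature performs. It is not SafeSend's logic or any VIPRE code; the firm domain, the allow-list of known client domains, the confidentiality labels and the sample recipients are all invented for the illustration. It raises a prompt when a recipient's domain is unknown or looks like a typo of a trusted one, when a labelled-confidential attachment is about to leave the firm, and when one email spans several unrelated external organisations (the usual shape of a reply-all to the wrong matter).

```python
"""Outbound-email second-chance check (constructed illustration).

Not SafeSend's logic; every domain, label and rule below is made up to
show how recipient and attachment parameters can drive a sender prompt.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-law.com"          # assumed firm domain (constructed)
# Domains the firm regularly corresponds with (constructed allow-list).
KNOWN_EXTERNAL_DOMAINS = {"client-corp.example", "counsel-partners.example"}
# Labels a document classification tool might have applied (constructed).
CONFIDENTIAL_LABELS = {"confidential", "privileged", "client-data"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss / look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Attachment:
    name: str
    labels: set = field(default_factory=set)   # classification labels on the file


def check_outgoing(recipients, attachments):
    """Return human-readable prompts the sender must confirm before sending.

    An empty list means nothing looked risky and the email can go as-is.
    """
    prompts = []
    external = [r for r in recipients if domain_of(r) != INTERNAL_DOMAIN]
    trusted = KNOWN_EXTERNAL_DOMAINS | {INTERNAL_DOMAIN}

    for r in external:
        d = domain_of(r)
        if d in KNOWN_EXTERNAL_DOMAINS:
            continue
        # A domain one or two edits away from a trusted one is the classic
        # mistyped or look-alike address: ask before the message leaves.
        near = [t for t in trusted if edit_distance(d, t) <= 2]
        if near:
            prompts.append(f"{r}: domain looks like {near[0]}, typo or look-alike?")
        else:
            prompts.append(f"{r}: unknown external domain")

    # Labelled-confidential files leaving the firm always get a second look,
    # even when the recipient is a known client.
    sensitive = [a.name for a in attachments if a.labels & CONFIDENTIAL_LABELS]
    if sensitive and external:
        prompts.append(
            f"confidential attachment(s) {sensitive} going to "
            f"{len(external)} external recipient(s)"
        )

    # Several unrelated external organisations on one email is how a
    # reply-all to the wrong matter usually looks.
    ext_domains = {domain_of(r) for r in external}
    if len(ext_domains) > 1:
        prompts.append(
            f"recipients span {len(ext_domains)} external organisations: "
            f"{sorted(ext_domains)}"
        )
    return prompts


if __name__ == "__main__":
    # Constructed sample: one mistyped client domain plus a privileged file.
    sample_recipients = ["partner@example-law.com", "j.smith@client-corp.exanple"]
    sample_files = [Attachment("witness-statement.pdf", {"privileged"})]
    for line in check_outgoing(sample_recipients, sample_files):
        print("CHECK:", line)
```

The thresholds and labels are the "parameters that can be specified" from the text; a real deployment would take them from the firm's directory and its document classification scheme rather than from constants.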
The risk of revealing confidential information exists in every email that’s sent by your employees. However, by having a combination of all three key security strategies in place, including training, authentication tools and DLP solutions, the chance of these mistakes occurring can be mitigated.
Law firms must realise that sitting on confidential and personal information makes them a prime target for hackers and cyber thieves. Your cybersecurity strategy is not a one-time or occasional solution, so it’s therefore time to prioritise. Risks must be regularly assessed, innovative technology implemented and workforces educated to provide your business and clients with strong and effective security against cyber attacks.
– Andrea Babbs, Head of Sales UK and Ireland, VIPRE