The legal sector faces diverse and evolving cyber security challenges, with organisations experiencing threats and vulnerabilities in markedly different ways, according to attendees at a recent Business Reporter briefing.
Security incidents strike each organisation uniquely, even within the same industry, said Mike Perez, Head of Professional Services at Ekco, opening a Business Reporter breakfast briefing at The Langham Hotel in London.
He told attendees at the briefing - all senior cyber security experts from the legal sector - that not everyone experiences an incident the same way, nor shares the same pain points, so it is important to develop a plan specific to your organisation. One thing all law firms have in common, however, is that they must have an ‘assumed breach’ mindset.
The Evolving Threat Landscape
Picture this: a busy lawyer receives an email, apparently continuing an existing chain of correspondence, that contains a link. The link looks legitimate. Why wouldn’t they click it? "People short on time will often click a link that’s emailed to them," one attendee said. But attackers now work to compromise third parties to deliver malicious links within existing email threads, making traditional detection nearly impossible.
Finance teams face equally sophisticated threats. Fraudulent invoices arrive via compromised email accounts, testing even robust verification processes. "Do you have the controls in place to ensure your finance team checks that the invoice is valid, for example, calling the number in the CRM system?" asked one delegate. Calling the number on the invoice itself offers no protection because attackers often change these details.
Legacy systems compound these vulnerabilities. Data sprawls across disparate systems, making it difficult to track and protect. "You need to understand where your most sensitive data is - the ‘Crown Jewels’ - and put controls around that," said one participant.
Response and Recovery Readiness
The CrowdStrike incident in July 2024, when a misconfigured software update disrupted millions of Windows computers across the world, was an uncomfortable demonstration that organisations do not completely control their IT infrastructure, said Mr Perez. Organisations must consider how well prepared they are to function without IT. For many, this could mean reverting to paper processes - which might be unfamiliar to many workers.
One solution to at least some of these challenges lies in strict access control. Zero trust models limit risk by allowing only trusted devices to access company resources. Yet this creates new challenges. "If you ban personal devices, you will often see that they email files to their personal accounts to transfer to personal devices," one delegate warned. "This increases risk."
Practice makes perfect - or at least prepared. Regular breach scenarios - ideally quarterly - build the muscle memory essential for effective incident response. Can you reach senior leadership without access to your systems? Who contacts the regulator and when? Preparing answers to questions like these before crisis strikes will save time during an emergency.
Supply chain vulnerabilities demand attention. "Third parties that don’t work in the legal sector do not have our awareness of the typical threats," said one attendee. Regular audits become essential as processes evolve and new tools emerge, though overzealous scrutiny can strain relationships. Some firms outsource this challenge entirely, delegating supply chain management to specialist third parties.
The value of certifications was broadly accepted: most attendees valued them as proof of basic controls and as leverage for board-level investment, while others pursued them only to satisfy client demands. All agreed, however, that they have value in cyber insurance - either for securing coverage or for reducing premiums.
Government contracts often require cyber insurance, but attendees said coverage is growing increasingly expensive and comes with restrictions. One attendee said: "Your claim might be rejected because of a poor process by one of your third parties."
Building Organisational Resilience
Technology alone cannot secure an organisation. A culture of risk awareness must guide behaviour at every level. The traditional boundaries between IT and cyber security are also blurring, demanding aligned strategies across data, privacy and security teams. "CIOs have to ensure they have the budget to protect everything," stressed one participant.
Artificial intelligence was seen as both challenge and opportunity. While some vendors simply rebrand existing features as AI, genuine advances are emerging. "In time AI will provide assistance, especially to L1 analysts," predicted one attendee, "giving them more information and helping them make better decisions."
Yet amid the tech talk, human factors remain paramount. Simple advice still carries weight: pause before acting, especially regarding payments. People make mistakes when they rush, and attackers know it.
Closing the briefing, Mike Perez said the fact that incident response dominated discussions showed nobody makes the mistake of assuming absolute security. In an increasingly connected legal sector, success requires balancing technological controls with human factors, while maintaining effective relationships across a complex ecosystem of partners and suppliers.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543