Cyber risk management and hybrid working

Kerrie Machin
Partner at Mitigo Group

By Kerrie Machin of Mitigo Group

In the second instalment of our ‘Ask the Expert’ series, sponsored by Insight Legal, Kerrie Machin, of cybersecurity experts Mitigo Group, looks at how hybrid working can lead to additional cybersecurity risks for growing law firms.


Q: We are a growing law firm with two offices and 23 staff. We have a hybrid working policy. I am getting increasingly worried about cybersecurity, particularly as this is not an area of expertise for me or anyone within the firm. What is the best way to reduce our risk?


A: Ever since the Covid pandemic forced most of us to work from home, remote and hybrid working have remained popular. And whilst remote working is certainly convenient, it presents additional risk which, if left unchecked, can have devastating consequences for both firms and their clients. Unfortunately, many have only come to realise this once it is too late. So why is this?

Simply put, cyber criminals thrive on the exploitation of vulnerabilities. As firms change the way they work, be that remote working, switching from “on premise” servers to the cloud or simply adding more technology to increase efficiency, they add complexity. It is this complexity, and the risk that comes with it, that gives criminals more opportunity, and they quickly develop new and highly sophisticated methods to extort millions of pounds from firms and their clients.

It is no surprise that partners in law firms are worried about their cybersecurity, especially when it seems that every day another story does the rounds about how a firm has been the victim of a ransomware attack or that a client has paid hundreds of thousands of pounds to a fraudulent account in a conveyancing transaction. At this point, you might be forgiven for considering shutting up shop, but that really doesn’t need to be the case.

The single biggest reason that firms are victims of cyberattacks is that they don’t fully understand their risk, and if risk is unidentified, it is impossible to control. So where do you start? The answer is simple. Engage the services of someone who understands cyber risk to carry out a cybersecurity risk assessment. Contrary to popular belief, cyber risk management is not a job for your IT provider; it is a job for proper cyber risk management specialists. These are people who understand how cyber attackers work, how they get into your systems and what they do once inside. IT providers play an important role in ensuring the day-to-day functionality of IT systems, but cyber risk management is a sophisticated standalone discipline, where understanding your firm’s business structure and processes, the current methods of attack taking place in the legal sector, and your legal and regulatory obligations is critical.

Aside from expertise, cyber risk management specialists also bring independence. The more independent the review, the more confidence you can have in it. Having your IT providers mark their own homework is simply a non-starter in terms of good risk management.

So how do cyber risk management specialists go about their work? Well, it surprises some people that a cyber risk assessment seldom starts with looking at technology. If you consider that human error is the biggest cause of most successful cyberattacks, then naturally “people” need to be the starting place.

Understanding the behaviour of people is imperative: how they work, where they work, what they use, how they connect to data and systems, and what they are allowed to do. Once you have established this risk, you can then look at what technology you have that can control as much of it as possible. It is a common misconception that technology can control all behavioural risk; it cannot.

Of course, a cyber risk assessment must also address the state of your technology, and should typically include vulnerability scanning, penetration testing, and a review of device configuration, remote connections, firewall and antivirus configuration, password policies, permissions and access management, and the security configuration of platforms such as 365 and case management systems, amongst much else.

It is important to understand that the risk assessment is not the end of the process. It is the starting point. Once it is completed, you are in a position to put the necessary controls in place. Whilst this includes the correct configuration of technology, you will also need to produce and implement suitable policies and procedures which fit your business, and provide cyber awareness training to your staff. In addition, you will need a regime of regular testing which proves that your controls are, and remain, effective. This is where good governance is required.

One final point. Cyber risk management is a board-level matter. Senior business leaders in law firms have a responsibility to manage cyber risk, to safeguard sensitive and confidential client and business data, to maintain operational resilience, and to protect their partners’ financial interests. The ICO and SRA require this too. If a firm suffers a serious cyber breach, it means that someone at the most senior level has failed to understand what was required to protect their business. Getting a specialist to provide independent assurance will come at a cost, but surely the alternative doesn’t warrant thinking about.


Mitigo’s experience in protecting professional services firms and other businesses enables Kerrie to highlight common vulnerabilities and explain how to implement a proportionate risk management framework. Kerrie believes that the challenges of cybersecurity, business resilience and legal and regulatory compliance needn’t keep business leaders awake at night. It’s just a matter of matching the right solution to the problem. He has spent the last two decades helping businesses identify their exposure to risk, and his keen eye for detail has enabled him to deliver robust packaged solutions that provide real protection – allowing them to get on with doing what they do best.
