
Navigating cyber threats in the SME sphere

Media coverage may lead one to believe that cyber security threats only impact big businesses, but SMEs also face a multitude of threats that must be combated.

Jerome Doraisamy, 23 March 2020, SME Law
Alexandra Dagger

The average professional may be forgiven for thinking that cyber security threats only impact larger businesses or global corporations, or that such companies are at greater risk, given the media attention paid to attacks on them.

This is not the case, DLA Piper senior associate Alexandra Dagger says. Instead, businesses of all shapes and sizes – including SME firms – are subject to and at risk of exposure to cyber security threats such as encryption issues.

“SMEs generally face threats from phishing and individuals posing as customers or third parties to obtain information to compromise an SME’s business. In comparison, the big end of town generally [faces] more sophisticated attacks in addition to threats facing SMEs,” she told Lawyers Weekly.


“Size generally affects the number of security investments an organisation or business has in place to protect from, and respond to, cyber security threats.”

SME law firms will be facing the same threats as those at the big end of town, and thus need to enact similar measures to address these threats, including education of personnel and putting in place appropriate processes, systems and procedures to protect against threats, Ms Dagger continued.

“Despite an increased awareness of cyber security matters, due in part to the increased media attention surrounding data breaches of larger high-profile organisations, professional service firms are still seeing the majority of their engagements arising from a data breach incident or similar,” she said.

“No organisation will ever be immune from a data security incident occurring but there are certainly steps that can be taken to minimise the likelihood of, and impact of, a cyber security incident occurring.”

“In this regard, organisations have some way to go in terms of engaging specialist and experienced professional service firms from the outset prior to an incident occurring by conducting ‘health checks’ of their systems, processes and procedures,” Ms Dagger added.

There are important lessons that firms in this sphere can learn, she advised.

“Educating clients on cyber, security and privacy matters is key, including by incorporating appropriate contractual protections in agreements with suppliers and customers as well as ensuring clients have appropriate internal policies, procedures and processes in place to respond to such matters,” she said.

“It is also vital organisations understand what data they collect and hold as too often organisations are undertaking a data mapping exercise following a cyber security incident when tensions are high and time is of the essence.”

“Finally – and a step many organisations often forget – is that once such matters are theoretically understood, it is important that organisations actively role-play how they would respond to different types of incidents so that they are prepared when such incident occurs in real life.”

In the event of a data breach, Ms Dagger noted, the ability to effectively and efficiently mobilise a skilled team of privacy, technology and litigation experts on a national and global scale and then connect clients with professional service firms that can provide additional services such as investigation, identify threat and breach notification services, will be paramount.

Furthermore, firms must be cognisant of how best to wade through interactions with the public, regulators and media when faced with cyber threats or data breaches, Ms Dagger concluded. 

“By mobilising a targeted team of individuals comprising: (i) decision-makers within the client’s business; (ii) privacy, technology and litigation experts; and (iii) professional service advisers, law firms are able to open the lines of communication to assist the client in providing the public, regulators and the media with timely and informed information in what is generally a rapidly evolving situation,” she posited.

“Law firms can also assist by facilitating the sharing of experiences in responding to, and dealing with, these types of threats and incidents. This assists in creating a high degree of trust and shared learning experiences so that people have the knowledge and experience to deal with emerging threats.”
