Raising the Bar on Cybersecurity: A Competitive Advantage for Law Practices

Aguinaldo Belgrave, 14/05/2024

A friend of mine, an up-and-coming lawyer, lamented how increasingly difficult it was becoming for some lawyers to find work outside of a few well-established local firms in Barbados. She noted that these firms seem to be enjoying a softer legal market. While I am not, by any stretch of the imagination, an expert or specialist in the legal environment, my field inevitably involves interactions with lawyers.

During our conversation, we discussed some IT-related issues she was experiencing. Eventually, the conversation turned to the cybersecurity measures at her chambers. Suffice to say, her response was not surprising. She was unaware of any cybersecurity policy or programme in place at her firm. This is noteworthy given the ultra-sensitive nature of law practices, regardless of their size.

However, around the same time, I was chatting with a law partner from one of the leading law firms and his response was quite the opposite. He said, “Steven, our law firm undergoes extensive cybersecurity audits yearly, conducted by representatives from our most prized clients. We have no choice if we want to retain their business.” I guess those clients were the ones that keep them in their well-tailored suits.

While I cannot assert that this dichotomy directly explains why some lawyers find it easier to obtain work than others, the stark contrast in their situations was too significant to ignore. It prompted me to explore the potential role of “cybersecurity maturity” — an organisation’s capability to defend against cyberattacks — and its impact on competitiveness in the legal sector.

Three key extra-regional markets for local law firms are the United States, Canada, and the United Kingdom (UK). The United States’ National Institute of Standards and Technology (NIST) has developed a globally recognised cybersecurity framework.
The framework provides guidelines on how private sector organisations can assess and improve their abilities to prevent, detect, and respond to cyber attacks.

While Canada does not have an equivalent standard, due to the close economic ties, the NIST Cybersecurity Framework is often adopted by larger businesses for international compliance. However, Canada has enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal privacy law that mandates how businesses should handle personal information during commercial activities and requires them to implement appropriate security measures.

The UK, arguably our most coveted export services market, has recently introduced Cyber Essentials—a government-backed certification programme managed by the National Cyber Security Centre (NCSC). This programme ensures organisations maintain a foundational level of cybersecurity.

A recurring theme across many data privacy and cybersecurity frameworks is their focus on risk mitigation, especially regarding third-party risks, which are external factors beyond a business’s immediate control. A key strategy in managing these risks includes performing third-party risk assessments and cybersecurity audits, such as the one the law partner of the established law practice undergoes yearly. This global phenomenon on cybersecurity might explain why some law firms struggle to attract the level of work they desire.

During visits to several law firms, I’ve noticed a significant issue related to organisational structure. While money is undoubtedly a crucial factor, the structure often lacks clarity. Law practices generally fall into one of three categories: the individual practitioner, the law chambers, and the law firm. Among these structures, law firms typically have executive administration to manage operational aspects of the practice, whereas law chambers consist of independent lawyers who share resources but operate autonomously.
This raises questions about who is responsible for cybersecurity in such a decentralised setup. In such busy environments, cybersecurity often falls low on the priority list, sometimes ranking too low in importance.

Given that many law practices are structured as chambers, I can offer a couple of practical suggestions to enhance their cybersecurity. First, invest time in cyber awareness training for yourself and your legal assistants. Second, pool resources to invest in technology that protects your office network, such as firewalls with email security components. I’ve visited too many offices that lack even these basic defence systems. Thirdly, restrict access to sensitive data to only those personnel whose roles require it, thereby safeguarding critical information – a critical requirement of our own Data Protection Act.

As an additional measure, implement Multi-Factor Authentication (MFA) on all systems that handle the firm’s data. MFA enhances security by requiring extra verification from users, significantly reducing the risk of unauthorised access due to compromised usernames and passwords.

I often say in my cyber awareness training sessions that the biggest third-party security risk in Barbados comes from law practices, followed by medical practices, and that’s primarily because many aren’t performing the basic tasks required in one of the most sensitive business environments.

Consider this: lawyers know all your legal secrets, but are they doing everything they can to protect them in our digital age? In many cases, the answer is no.

steven@dataprivacy.bb