As 2019 comes to a close we can reflect on cyber threats in the legal sector.
The banner headline for 2018/19 was “60% of Law Firms Reported a Cyber Breach”, posing the question: how best to protect your business?
According to a 2018 survey of law firms, 60% of firms reported suffering an information security or data loss incident during 2018.
Losing data through a cyber attack has been identified as one of the biggest threats legal practices now face, and it applies to law firms of every size and practice area. Being unable to access company systems, suffering a data breach or losing client funds can be devastating for firm and client alike. The Solicitors Regulation Authority (SRA) reports that over £11 million of client money was stolen through cyber crime in 2016-2017, and the number of cyber attacks in the UK is increasing.
Why is this such an issue for law firms?
By the nature of the business, law firms hold huge amounts of confidential information, move large amounts of client money and are involved in many sensitive commercial negotiations. Moving legal services online will further widen the opportunity for cyber attacks.
What are the most significant cyber threats that law firms should be aware of, and how can they be mitigated?
According to the National Cyber Security Centre (NCSC), there are four main cyber threats to law firms.
Phishing
- This is the most common cyber attack affecting law firms. A recent poll indicates that approximately 80% of law firms reported phishing attempts over the last year, and the amount stolen from law firms in the first quarter of 2017 was 300% higher than in the previous year.
- Phishing is where criminals impersonate clients or senior members of the firm to trick employees into paying invoices or transferring funds into accounts controlled by the fraudsters. For example, in a busy office it can be all too easy for a criminal who has intercepted emails between a solicitor and a home buyer to impersonate one of the parties and persuade the other to change bank details partway through a house purchase, so that thousands of pounds end up in the wrong account.
- In the same 2018 survey, 46% of firms reported a security incident involving their own staff in which confidential information was lost or leaked. Adequate staff training is essential to mitigating this risk. Staff should be trained to scrutinise any communication relating to the transfer of funds, and the firm should have an independent verification step for any request to change how funds are paid (for example, confirming the request by telephone on a number already held on file, never on one supplied in the email itself).
Data breaches
- Breaches are more likely to be an issue for firms handling commercially or politically sensitive information.
- Targeted attacks are most likely to come from hackers acting on behalf of organised crime or nation states. The risk is potentially greater for firms working in sectors such as energy or life sciences, or in jurisdictions hostile to the UK, where attackers may have political or ideological agendas. There may also be an insider threat from disaffected employees.
Ransomware
- This is often a widespread and untargeted attack (a so-called drive-by attack). Law firms may not be the intended target but can still be caught up in it. Ransomware prevents a firm from accessing its files or data until a ransom is paid.
- Even if a ransom is paid there is no guarantee that access will be restored, and a firm that has paid once may be targeted again. The best mitigations are to keep all systems patched and up to date, to maintain tested backups held offline where the ransomware cannot reach them, and to control which software and applications may run on the firm's devices through application allow-listing (whitelisting), with the permitted set kept under review.
Supply chain compromise
- This is not unique to the legal sector, but a law firm may be particularly susceptible because of its place in the supply chain, for example at the point where money is transferred. A firm can also be compromised if a third-party data store or software provider is breached, so it must ensure that its own third-party providers have adequate cyber security protection in place to mitigate this risk.
What should a law firm do next to protect itself against cyber risk?
The UK Government and the NCSC recommend that all law firms consider Cyber Essentials Plus (CE+) certification. Cyber Essentials is a simple but effective, government-backed scheme that, when properly implemented, helps protect a practice of any size against the most common internet-based cyber attacks. It also demonstrates your commitment to cyber security.
That advice is accompanied by constant reminders about the importance of cyber housekeeping, a task at which too many firms fail to maintain consistent standards. Baseline-control frameworks exist to address this gap: alongside the NCSC's own guidance there is, for example, the Essential Eight, published by the Australian Cyber Security Centre.
In conclusion: CE+ and ISO 27001 provide largely subjective, assessment-based ways of tackling cyber threats, which is a good thing, but not the end of the story. To achieve real control you need objective metrics that measure the actual performance of your IT team, security team or external managed service provider, in other words 'marking their homework'.
That approach will dramatically reduce the number of cyber incidents, and spare a firm the professional embarrassment that follows a breach and the inevitable loss of clients and business.
Co-founder & CEO, Edge IT Group