60% Of Law Firms Reported A Cyber Breach In 2018 – How Best To Protect Your Business

According to PricewaterhouseCoopers' (PwC) 2018 law firms survey, 60% of law firms reported suffering an information security or data loss incident in 2018.

Losing data through a cyber attack has been identified as one of the biggest threats legal practices now face, and this threat applies to law firms of every size and practice area. Being unable to access company systems, suffering a data breach or losing client funds can be devastating for both firm and client. The Solicitors Regulation Authority (SRA) reports that over £11 million of client funds was stolen through cyber crime in 2016-2017, and the number of cyber attacks in the UK is increasing.

Why is this such an issue for law firms?

By the nature of their business, law firms hold huge amounts of confidential information, move large sums of client money and are involved in many sensitive commercial negotiations. Moving legal services online adds further opportunities for cyber attacks.

What are the most significant cyber threats that law firms should be aware of and how can they be mitigated?

According to the National Cyber Security Centre, there are four main cyber threats to law firms.

  • Phishing is the most common cyber attack affecting law firms. A recent poll indicates that approximately 80% of law firms have reported phishing attempts over the last year, and the amount stolen from law firms in the first quarter of 2017 was 300% higher than in the previous year. Phishing is where criminals impersonate clients or senior members of the law firm to trick employees into paying invoices or transferring funds, so that the money ends up in the hands of the fraudsters. For example, in a busy office it can be all too easy for a criminal to intercept emails between a solicitor and a home buyer, impersonate an interested party and convince them to change bank details during a house purchase, so that thousands of pounds end up in the wrong bank account. According to the PwC 2018 law firms survey, 46% of firms reported a security incident relating to their own staff in which confidential information was lost or leaked. Adequate staff training is essential in mitigating this risk. Staff need to be trained to look carefully at any communication relating to the transfer of funds and to have alternative strategies in place when asked to make changes to how funds are paid.
  • Data breaches are more likely to be an issue for those firms dealing with commercially or politically sensitive information. Hackers are most likely to initiate targeted attacks, acting on behalf of organised crime or nation states. There is potentially a greater risk for firms working in sectors such as energy or life sciences or in locations hostile to the UK where hackers may well have political or ideological agendas. There may also be an insider threat from disaffected employees.
  • Ransomware is often a widespread and untargeted attack. Law firms may not be the intended target but can still be caught up in the chaos. Ransomware will prevent a firm from accessing files or data until a ransom is paid. Even if a ransom is paid there is no guarantee that access will be restored, and a firm that pays may become a target for future attacks. The best way to mitigate a ransomware attack is to ensure that all systems are kept up to date and that all software and applications used by the firm are carefully monitored.
  • Supply chain compromise is not unique to the legal sector, but a legal firm may be particularly susceptible due to its place in the supply chain, for example at the point of money transfer. A firm can also be compromised if a third-party data store or software provider is breached. A law firm must therefore ensure that its own third-party providers have adequate cyber security protection in place to mitigate this risk.
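The phishing bullet above describes the pattern that causes most of the losses: a message that looks like it comes from a client or colleague and asks for payment details to be changed. The following screening routine is an added example written for this page, not code from the article or from any cited body. It shows the checks a firm's mail gateway or a fee earner's triage script can apply before anyone acts on such a request: a sender domain that merely resembles a domain the firm knows, a Reply-To header that diverts replies elsewhere, and wording that asks for bank details to be changed. The allow-list of known domains and all three sample messages are constructed for the example; every flagged request should still be verified by telephone on a number already held on file, which is the "alternative strategy" the article calls for.

```python
"""Screen incoming email for payment-diversion (bank detail change) fraud.

Added example, not part of the original article. Domains, addresses and
message bodies are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the firm legitimately corresponds with
# (constructed values; a real deployment would load these from the firm's
# client records).
KNOWN_DOMAINS = {"example-solicitors.co.uk", "client-homebuyer.example"}

# Phrases that typically accompany a request to redirect funds.
PAYMENT_CHANGE_PATTERNS = [
    r"\bchange[sd]?\b.{0,40}\b(bank|account|sort code|payment) details\b",
    r"\bnew (bank|account) details\b",
    r"\bupdated? (bank|account|payment) (details|information)\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain this one resembles but does not equal, else None."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if levenshtein(domain, known) <= 2:
            return known
    return None


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess_payment_change_email(raw: str) -> list:
    """Return a list of human-readable risk flags for one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    if any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS):
        flags.append("requests change of payment details")
    known = lookalike_of(from_domain)
    if known:
        flags.append(f"sender domain {from_domain} resembles known domain {known}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return flags


def requires_callback(raw: str) -> bool:
    """Policy: any request to change payment details is held until confirmed
    by phone on a number already on file, whatever the sender looks like."""
    return "requests change of payment details" in assess_payment_change_email(raw)


# Constructed sample messages.
LOOKALIKE_SENDER = """From: "Jane Smith" <jane.smith@example-solicitor.co.uk>
To: conveyancing@client-homebuyer.example
Subject: Completion funds

Please note that our bank details have changed ahead of completion.
Use the new account details below when sending the balance.
"""

DIVERTED_REPLY = """From: "Tom Buyer" <tom@client-homebuyer.example>
Reply-To: tom.buyer@webmail-free.example
Subject: Updated payment information

I have switched banks, so please use my updated account details for the deposit.
"""

BENIGN = """From: "Tom Buyer" <tom@client-homebuyer.example>
Subject: Signed contract

Please find the signed contract attached. Kind regards, Tom
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_SENDER), ("diverted", DIVERTED_REPLY), ("benign", BENIGN)]:
        print(name, assess_payment_change_email(raw), "callback:", requires_callback(raw))
```

The lookalike check deliberately uses a small edit-distance threshold rather than an exact block-list: attackers register a fresh domain per campaign, so the firm cannot enumerate them in advance, but it can enumerate the handful of domains it genuinely deals with. The flags are advisory; the decisive control is `requires_callback`, which holds every payment-change request for out-of-band confirmation regardless of how clean the headers look.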

What should a law firm do next to protect itself against cyber risk?

The UK Government and the NCSC recommend that all legal firms consider undertaking Cyber Essentials certification. Cyber Essentials is a simple but effective, government-backed scheme that, when properly implemented, will help you protect your practice, whatever its size, against the most common internet-based cyber attacks. It also demonstrates your commitment to cyber security.

From sole practitioners to international corporate firms, Cyber Essentials will help you avoid the consequences of malware, ransomware and phishing attacks. The scheme sets out five controls which are easy to implement, and are designed to guard against these attacks.

  1. Use a firewall to secure your Internet connection
  2. Choose the most secure settings for your devices and software
  3. Control who has access to your data and services
  4. Protect yourself from viruses and other malware
  5. Keep your devices and software up to date

Once the controls are implemented you can apply for certification to demonstrate that they have been applied correctly. Cyber Essentials certification can help your firm in many ways:

  • attract new clients with the promise that you have cyber security measures in place
  • reassure clients that you take cyber security seriously
  • be listed on NCSC’s Directory of organisations awarded Cyber Essentials certification