Safeguard Your Law Firm Against Cyber Criminals
Jennifer Williams, Head of IT and Security Specialist at Lawyer Checker, is passionate about helping law firms beat the cyber criminals.
She talks below about trends in the industry, what happens if businesses do not have sufficient cyber security measures in place, what can be done to protect your company and the future of cyber security.
What trends in cyber attacks have you seen in the last two years?
Cyber attacks are becoming increasingly low-tech, but more wide-ranging. According to the SRA, in the first six months of 2019, law firms reported a loss of £731,250 of client money to this type of crime. The old image of the master hacker nerd in a bedroom tapping into the networks of huge organisations for fun and prestige is no longer relevant. There are now huge organised crime gangs, targeting not only large businesses but individuals and SMEs. According to HM Government, there are around 1,400 criminal organisations actively targeting the legal sector at this very moment. They are no longer using traditional technical hacking techniques, but relying on social engineering to persuade someone to divulge information, click a suspicious link or perform some other action, which causes the user to effectively ‘self-compromise’.
What is the minimum level of cyber security a law firm should have?
Good cyber hygiene isn’t difficult or expensive to implement. Firms should at least adopt the Government’s aptly named Cyber Essentials standard. This covers basics such as proper user management, patching of operating systems and software, and closing of unused network ports, etc. Staff training is essential and, given that phishing and malicious emails are now the most common opener to a cyber attack, in terms of priority staff training should be top of the list, followed by technology. The next step is to have a well-drilled incident response procedure. This can be the difference between a cyber attack being completely debilitating to a company and operations being restored swiftly and with minimal reputational damage.
What are the consequences of not having adequate cyber security measures in place?
The consequences are that you will inevitably suffer a breach. It’s not a case of if, but when you will have a cyber attack. Statistics show that businesses are now more likely to suffer a cyber attack than not. The resulting impact of cyber attacks varies by the type of attack used and the individual business. Technical attacks such as malware may be nothing more than an irritant, perhaps disabling certain elements of infrastructure or making equipment behave strangely. They may also be used to expose massive volumes of personal data, resulting in having to report breaches to the Information Commissioner (ICO), customers and even the press. The ICO can fine firms if they do not protect personal data. These fines can be up to £20 million or 4% of a firm’s turnover, whichever is higher. The reputational damage of such attacks is immeasurable, the costs can be eye-watering and some brands never recover.
How does a business know if it is under cyber attack? What are the early warning signs that a company is under attack?
The reality is that most businesses don’t know they’ve been attacked until quite some time after the event. Around 3 months is the average. Each attack can differ greatly, but the warning signs are anything that is out of the ordinary. Of course, detecting ‘out of the ordinary’ activity means knowing what is ‘normal’ activity for your business, and this is where your IT department is vital. If a UK-based user suddenly logs on from another country, this would be a warning flag. If there are admin actions at a time when no admins are working, or a sudden drop in website performance, for example, these are all indicators that an attack may have happened. The more familiar you are with your infrastructure, the easier these events are to spot and analyse.
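The two warning signs named in the answer above, a UK-based user signing in from another country and admin activity at a time when no admins are working, are simple enough to check mechanically once you have a baseline. The following is an added example, not part of the interview and not Lawyer Checker's own tooling: it parses a handful of constructed audit events and applies both checks. The event format, the per-user home-country map (`HOME_COUNTRY`) and the admin shift window (`ADMIN_HOURS`) are assumptions for illustration; in practice they would come from your identity provider's sign-in logs and your own knowledge of who works when.

```python
"""Sign-in anomaly checks over constructed audit events.

Added illustration (not from the interview, not Lawyer Checker's code).
It flags two warning signs: a user whose normal location is the UK
authenticating from another country, and admin-account activity outside
the hours when administrators are on shift. The event format, the
home-country map and the shift window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit events (not real log data).
# Format: <UTC timestamp> <user> <action> <source country> admin=<yes|no>
SAMPLE_EVENTS = """\
2019-05-13T08:02:11Z alice login GB admin=no
2019-05-13T09:15:40Z bob login GB admin=yes
2019-05-13T09:16:02Z bob role_change GB admin=yes
2019-05-13T11:47:09Z alice login RO admin=no
2019-05-14T02:31:55Z bob login GB admin=yes
2019-05-14T02:33:10Z bob mailbox_rule_created GB admin=yes
"""

# Assumption: the country each user normally signs in from (the "normal"
# baseline the answer above says the IT department must know).
HOME_COUNTRY = {"alice": "GB", "bob": "GB"}

# Assumption: administrators work 07:00-19:00 UTC. Admin-account activity
# outside that window is "admin actions at a time when no admins are working".
ADMIN_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    country: str
    is_admin: bool


def parse_events(text):
    """Parse the constructed audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, country, admin = line.split()
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user, action=action, country=country,
            is_admin=(admin == "admin=yes"),
        ))
    return events


def outside_hours(ts, hours):
    """True when the timestamp's time of day falls outside [start, end)."""
    start, end = hours
    return not (start <= ts.time() < end)


def detect_anomalies(events, home=HOME_COUNTRY, hours=ADMIN_HOURS):
    """Return (timestamp, user, rule, detail) tuples for suspicious events.

    Rule "foreign_login": a login from a country other than the user's
    known home country. Rule "offhours_admin": any action by an admin
    account outside the configured admin shift.
    """
    alerts = []
    for e in events:
        expected = home.get(e.user)
        if e.action == "login" and expected and e.country != expected:
            alerts.append((e.ts, e.user, "foreign_login",
                           f"login from {e.country}, expected {expected}"))
        if e.is_admin and outside_hours(e.ts, hours):
            alerts.append((e.ts, e.user, "offhours_admin",
                           f"{e.action} at {e.ts.time()} UTC"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {user:<6} {rule:<15} {detail}")
```

On the sample data this raises three alerts: alice's sign-in from RO, and bob's 02:31 login and 02:33 mailbox-rule creation, while bob's in-hours role change goes unflagged. Both rules depend entirely on the baseline being right: a stale home-country map or a shift window that ignores on-call staff will generate noise that gets ignored, which is exactly how the real event is missed for months.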
Businesses store data on-site or in the cloud. What are the pros and cons of each storage option in terms of cyber security?
With on-site data stores you remain in complete control of your data and its location, which is great from a GDPR perspective. For me, that’s where the advantages end. I personally would rather have Microsoft, who invest billions in cyber security, look after my data in one of their high-tech data centres, than an employee on site with a potentially out-of-date server. I sleep much better knowing that virtual servers are always patched, are protected from natural disasters through a huge network of geo-replicated services, and I can scale up and add to them quickly.
Looking ahead to the next five years, what do you see as being most concerning in cyber security?
For me the most concerning issue is how far behind certain industries are, considering the pace of change in the cyber risk industry, resulting in the cyber criminals always being one step ahead. I’m amazed at how few organisations take actions like implementing Cyber Essentials and training their staff. Law firms in particular seem to have accepted that they need to take cyber security seriously, but so few have taken steps to implement even the most basic email security protocols such as DMARC, or even cyber security awareness training for staff.