Cyber criminals have stolen more than £11m from clients of legal firms in the past 12 months, with 60% of legal firms reporting attacks – up from 42% in 2014.
These are the top findings of the first report by the UK’s National Cyber Security Centre (NCSC), produced in collaboration with industry, the legal sector and law enforcement, into the vulnerability of legal firms to cyber attack.
Legal firms are top targets for cyber criminals because they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions, the report said.
According to the NCSC, the report is part of its mission to raise the cyber maturity and resilience of law firms and is aimed at encouraging industry-wide adoption of cyber security best practice.
“Like all businesses, law firms are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity,” wrote Ciaran Martin, CEO of the NCSC, in the foreword to the report.
“Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also its clients.”
Martin said that as well as looking after the IT systems of UK government, the NCSC is committed to supporting the legal sector, and he urged IT leaders in the sector to implement the guidance outlined in the report.
Christina Blacklaws, president of the Law Society, said that as data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work.
“In the post-GDPR world and as the sector delivers and transacts more online, it is vital that we get a common view and understanding of cyber threats and their impact,” she said. “The Law Society sees this report as a positive step to help our members spot vulnerabilities and put relevant safeguards and protections in place.”
According to the report, the cyber risk may be greater for law firms that advise particularly sensitive or controversial clients or work in locations that are hostile to the UK.
The main threat to the UK legal sector stems from cyber criminals with a financial motive, the report said. But it added that nation states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage.
The report noted that there has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends.
The most significant cyber threats that law firms should be aware of are phishing, data breaches and ransomware, the report said, outlining basic mitigations that legal firms and those in other sectors can deploy against the three types of cyber attack.
The report also highlighted the issue of supply chain compromises. Although not unique to the legal sector, supply chain compromises increased by as much as 200% in 2017, the report said.
“A law firm’s supply chain can be compromised in various ways, for example through the exploitation of third-party data stores or software providers,” the report said, adding that the biggest issue is a third-party supplier failing to adequately secure the systems that hold sensitive data.
“Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is,” the report said, warning legal firms that if they do not protect highly sensitive client information, the whole practice may be in jeopardy.
The report advised law firms to follow the advice in the NCSC’s Small business guide, which is particularly useful for smaller firms with limited resources.
Adam Maskatiya, general manager for UK & Ireland at security firm Kaspersky Lab, said protecting against attack attempts by threat actors comes down to having a security strategy that covers every angle.
“This is especially vital in the light of new data laws,” he said. “For any business holding EU citizen data, the GDPR’s [General Data Protection Regulation] requirement for a ‘secure by design’ approach to systems and processes is making cyber security a strategic necessity – something that must be built into all business operations that touch or deal with personal data.”
Maskatiya said law firms should minimise unauthorised access to information by thinking like an attacker to identify the points of potential vulnerability, and then applying a multi-layered defence strategy across those points.
“Employee education is also key to defending against cyber attacks,” he said. “Further than just telling workers what they should and should not do when it comes to using technology, law firms must help their staff identify vulnerabilities that could occur in everyday scenarios – such as opening suspicious-looking emails that could put the company at risk, and fostering a security mindset that staff should apply to every situation and daily activity.”