The legal sector is experiencing significant growth in the risk of cyber-attack. With breaches costing law firms millions each year, and the added complications of client confidentiality, the sector can no longer ignore the importance of understanding these threats and how to address common vulnerabilities to maintain a good level of security.
Why legal?
With plenty of industries to choose from, why is the legal sector so high up on the list of desirable targets for a cybercriminal? There are a few different reasons for this.
A key motivation for a cyber-attack is financial gain, and with the UK legal market worth around £37 billion, it is no wonder that cybercriminals are interested in law firms. The legal sector holds vast amounts of sensitive client and corporate data that hackers can profit from by selling it on the dark web or holding it to ransom for a large sum of money. Law firms handle huge amounts of money and deal with sensitive client data every day, often via a range of online activities such as bank transfers and email communications, which exposes them to a wide range of cyber-attacks.
Legal firms are also often easy targets for hackers, with many still using outdated IT systems and being slow to adopt cyber security policies, despite their reliance on technology and online services. Without an understanding of where the risks lie and proper defences in place, it becomes relatively straightforward for a bad actor to breach the network and steal data or plant malware.
Common attacks
The main way hackers will breach legal firms is through email. Phishing techniques are now extremely sophisticated, able to trick an unsuspecting employee into clicking malicious attachments or links. As a relatively easy attack to pull off but highly lucrative, it is a popular method for hackers.
Business email compromise is one of the more serious types of phishing attack affecting legal firms. This involves the infiltration of a company’s email system where a hacker will then pose as an employee, usually in a position of seniority, and send emails to other employees, clients, or partners. The recipient sees the email is from someone seemingly legitimate, making it even more likely that they will act on what is being requested.
Often, a hacker’s success will rely on a mistake on the inside. Although there can be malicious ‘insiders’, it is usually someone who has been tricked by such methods as described above. A lack of training and cyber awareness can lead to legal employees being less vigilant around cyber risks like email or password security, making them more susceptible to these social engineering tactics.
Legal practices also make good targets for ransomware attacks as hackers know how valuable the data is, particularly when dealing with confidential cases, so they may demand a large ransom fee. However, firms are usually advised not to engage with a hacker in the case of a ransomware attack; often a hacker will still release the sensitive information because they know they can benefit financially elsewhere as well. Ransomware group Maze targeted five law firms in February 2020, demanded a $1 million ransom and still released stolen data online.
The impact
These attacks can be detrimental to law firms. Data breaches can incur financial costs, whether in the form of an unfortunately paid ransom, regulatory fines, or business downtime caused by the attack. Data loss can also have an impact on market shares, as seen in a recent attack on UK law firm Gateley. The legal sector is a lucrative one, and financial gain is the number one motivation for hackers, so it is not surprising that IBM has recently reported the average cost of a breach for professional services to be around $4.65 million in 2021.
However, attacks are not only a financial burden, but can also severely affect a firm’s client relationships and reputation. If a legal firm experiences a data breach, this sends a message to their clients, partners, suppliers, and stakeholders that they are not a secure business and data held by them is not being protected effectively. Many may choose to terminate contracts, preferring to work with a legal practice that they can feel safer with.
Reputation is arguably a more serious consequence than anything financial for the legal sector, as one serious cyber-attack can be associated with a firm forever, costing current clients and numerous new business opportunities. It is therefore crucial that legal practices start taking the necessary steps toward improving and implementing cyber security measures to properly protect client and business data.
Taking action
Those in the legal sector yet to examine their security levels and act are risking the serious repercussions that come with cyber-attacks. With phishing attacks the most prolific, it is important for legal firms to properly educate employees on the signs of a phishing attempt and how to respond. It can also be useful to introduce policies and processes centred around ensuring monetary transfers are secure, especially if requested via email.
To avoid insider risks, legal practices must keep data highly protected and inaccessible to unauthorised personnel within the company. A general rule of thumb for employees is that they should only ever be able to access the data and systems needed to perform their job role; anything else is a security risk and should be avoided. User monitoring can also be helpful for law firms so anomalous or suspicious activity can be detected and investigated in case it is an attempted breach of data. Many cybersecurity solutions on the market offer this kind of threat detection AI in conjunction with a team of specialised cyber security analysts to verify the legitimacy of threats.
Cultivating a general culture of cybersecurity awareness in a legal firm ensures employees are vigilant and proactive to help prevent and respond to attacks. Introducing security policies and requiring all employees to read them as part of the onboarding process encourages this awareness and focuses their attention on where they can assist – for example, using strong passwords, inspecting emails, locking screens when away from a desk, and so on.
More and more legal practices are also adopting cybersecurity standards that are centred around key security controls, and achieving the relevant certification that indicates the company has these measures in place. In the UK, popular ones include ISO27001, which is internationally recognised, and the UK Government’s cyber security standard, Cyber Essentials, which helps a company reduce 80% of its risk by aligning with five critical technical controls: Firewalls and Internet Gateways, Secure Configuration, Patch Management, Access Control and Malware Protection. The Cyber Essentials certification is actively encouraged by the Law Society and the SRA, the latter of which recently reported that firms certified to Cyber Essentials Plus were more likely to have good policies and processes in place to help protect against cybercrime.
The legal sector will remain a top target for cybercriminals due to the sensitive nature of data and money held, so law firms need to stay one step ahead. Mitigating the threat of data breach is possible with the correct implementation of cybersecurity solutions and standards, complemented by building an awareness and understanding throughout the legal workforce around the dangers of cyber-attacks and the importance of data protection. With these measures working side by side, legal services can stay secure, maintain a good reputation, and protect client confidentiality.
Clive Madders, Chief Technology Officer
Canningford House, Suite 2, 4th Floor, 38 Victoria St, Bristol BS1 6BY
Tel: +44 117 457 3331
Cyber Tec Security is one of the UK’s leading IASME-qualified cybersecurity certification bodies, with over 30 years of experience in the industry. The firm helps businesses through the certification process and beyond, with advanced solutions such as Ongoing Compliance, SOC & SIEM, Penetration Testing and others.
Clive Madders is CTO of Cyber Tec Security. He works directly with clients on their certifications, as well as facilitating the delivery of managed cybersecurity services like SOC & SIEM. As a CHECK-level Penetration Tester, CTO and Chief Assessor with 25 years working within ICT service delivery, Clive’s role is to ensure the smooth delivery of certifications to Cyber Tec’s clients and partners and to ensure that its methodology continues to align with the standards set down by the National Cyber Security Centre (NCSC).