Cyber attacks on UK law firms increased by 36% in the past year. Almost ¾ of the top 100 UK law firms have been impacted according to the National Cyber Security Centres Cyber Threat Report. Law firms hold a lot of sensitive and confidential client data. This makes law firms attractive targets and the files they access can be weaponised. Smaller firms are not immune and they are likely to have inadequate cyber defences. Hackers use software to identify vulnerabilities in an organisations security to then exploit it and the do not discriminate on size.
The repercussions of cyber attacks can be catastrophic to a legal firm -theft of sensitive information, disruption to cases, financial losses, and reputational damage.
This article examines at why cyber criminals target the legal sector. It also examines the various cyber threats facing law firms, supported by real-life examples. We will then discuss how law firms can enhance cyber security.
Why Law Firms are Prime Targets for Cyber Attacks
The cyber security risk facing law firms is high. In fact, some reports indicate that the legal sector is the 4th most targeted sector by cyber criminals. So why is this?
The Value of Data Stored by Law Firms Makes Them Vulnerable
The main attraction to cyber gangs is that law firms hold sensitive and high-value information. E.g. records filled with clients details, case files, intellectual property specifications, and privileged communications. One attack can give criminals access to a broad scope of detailed data from all the connected clients and parties that a firm deals with.
Cyber criminals exploit such information for nefarious purposes such as:
· Identity theft,
· Blackmail,
· Monetary gain,
· Corporate espionage. e.g. Hackers may sell stolen IP details to a rival organisation or use personal client data in social engineering attacks.
Lack of Specialist Cyber Security Expertise
Law firms and solicitors' primary focus is on their legal duties. Allocating sufficient budget and resources to specialist cyber security knowledge in-house is rare. As a result, firms may be ill-equipped to identify potential threats or respond effectively to attacks. As the complexity of cyber attacks increase, this becomes even more of a risk factor.
Implications of Failing to Maintain Client Confidentiality
Data breaches at law firms can have serious legal, financial, and ethical repercussions. At the centre of this is Legal Professional Privilege (LLP) - the cornerstone of legal practice. A breach of this confidentiality can lead to serious consequences. It could undermine a client’s trust in their legal advisor, and it could even compromise ongoing litigation processes. At a broad level, data breaches can erode public confidence in the legal profession altogether.
Data breaches may also subject law firms to disciplinary action from the ICO. The ICO issue fines of up to EURO20 million for GDPR breaches when data has been breached due to being insufficiently secured.
The Solicitors Regulation Authority highlights that Rule 4.2 of the Code of Conduct for individuals and Rule 5.1 of the Code of Conduct for firms obligates legal firms to 'safeguard money and assets entrusted to you by clients and others'.
Cyber Threats Facing Law Firms
1. Ransomware Attacks: Holding Law Firms' Data Hostage
Ransomware attacks are becoming increasingly common in the legal sector. Cyber criminals encrypt a law firm’s files or entire network and demand a ransom for the decryption key. Legal documents were stolen from a UK law firm called Ward Hadaway and a ransom of £4.75million was demanded. The ICO and the NCSC warned that ransoms should not be paid as it encourages future ransomware attacks. And the ICO warned that penalties due to breach of GDPR will not be reduced in such instances.
Examples of Ransomware Attacks on the Legal Sector
Cyber criminals targeted CTS with ransomware, crippling services and causing significant downtime for its law firm clients. The Law Society reports that some law firms are still unable to access their case management systems. This incident highlights the importance of vetting third-party vendors for robust cybersecurity measures.
In 2017, DLA Piper, one of the world's largest law firms, experienced a ransomware attack that caused major disruptions to its operations across 40 countries.
The infamous Maze ransomware group targeted multiple law firms, encrypting their data and demanding large sums of money as ransom. Fragomen, Del Rey, Bernsen & Loewy LLP were some of the impacted firms.
2. BEC Scams: Exploiting Trust and Client Relationships
Business Email Compromise (BEC) is a significant threat to the legal sector. Cyber criminals pose as trusted individuals or businesses to deceive employees via email into transferring funds or revealing confidential information.
Examples of BEC Scams in the Legal Sector
London-based law firm, Allen & Overy with a BEC scam in 2023. Lockbit took credit for this.
A Chicago law firm transferred $2.3 million to a fake bank account after receiving emails that appeared to be from a genuine client.
3. SEO Poisoning Targets the Legal Sector
SEO poisoning risks infecting a firm's network with malware or ransomware. The legal sector is particularly targeted.
The GootLoader Case
GootLoader is a browser-based cyber threat, delivered through search engine optimisation (SEO) poisoning. GootLoader is a popular malware-as-a-service (MaaS) which means cyber criminals can buy it off-the-shelf. It has been commonly used to target legal professionals searching for specific legal document templates. A high percentage of the 3.5 million search terms that GootLoader has seeded malicious content and malvertising to, are legal terms.
So, when a lawyer or paralegal searches for specific content, the top search result may lead to a file infected by GootLoader. This technique of manipulating search engine results leads legal professionals to unknowingly download documents infected with malware. BlackCat ransomware is one example.
4. More Examples of Law Firms Facing Data Breaches
Ironically, an international law firm that acts on behalf of data breach victims suffered its own attack last year. Orrick, Herrington, & Sutcliffe experienced theft of sensitive data for 637,000 victims. The firm faced class-action lawsuits for failing to inform victims of the breach until months later. In the UK, the ICO fines organisations that do not adequately protect data.
It was extremely damaging to the reputation of an A-list celebrity law firm when they were hit by a cyber attack back in 2020. 756GB of data was stolen including contracts and emails and their website was taken down. Grubman Shire Meiselas & Sacks looked after over 200 high profile clients including Madonna and Elton John.
Improving Cyber Security in the Legal Sector
1. Security Awareness Training of Legal Staff
Your team can be your weakest cyber defence. Turn that around by making them your strongest with security awareness training. Such training plays a key role in defending against cyber threats. Effective training measures include:
Cybersecurity Education: Regular training keep staff informed about the latest cyber threats and safe practices.
Baseline Testing & Follow Up: Simulated phishing exercises measure areas of weakness. Test the vigilance of your team with fully automated (fake) phishing attacks. Measure and improvments over time.
Incident Reporting Protocols: Clear instructions on how to react to and report suspicious activities enables swift action.
2. Install Multi-Layered Defences
A multi-layered approach provides the strongest cyber defence. Combining preventive and detective measures to protect a law firms digital environment includes:
Firewalls: Advanced firewalls will examine incoming and outgoing network traffic and block unauthorised access.
Endpoint Security: Sophisticated endpoint protection solutions will identify, analyse, and address threats on individual devices.
Multi-factor Authentication: Commonly used and weak passwords make your firm vulnerable. Multi-factor authentication helps to protect against phishing attacks, data breaches, brute force attacks, and it also strengthens remote access security.
Email protection identifies and removes spam and other harmful emails by filtering them through a blacklist. The blacklist is continually updated to provide maximum protection. Risky emails go into a quarantine area where they can can be opened safely.
DNS Filter protects against malicious website domains thanks to an advanced AI system.
3. Information Security Questionnaire
The Law Society have an Information Security Questionnaire. This can be used to understand how the chambers you instruct process information, to ensure that the IT systems they use are security compliant.
4. Obtain Cyber Security Insurance
Our Gold IT Package includes up to £250,000 of cyber security insurance. This package is ideal for small legal practices as it includes all the critical layers of cyber security. Large law firms may require a higher degree of cyber insurance and this advice by The Law Society may prove helpful.
How Mcats IT can Help Legal Firms
We recommend that all UK law firms take the following actions, which Mcats IT can help with:
Allocate budget specifically for cyber security measures.
Continuously educate employees about cyber security. Mcats IT include FREE security awareness training for your team, in all our IT packages for SMEs. (Or you can purchase it individually).
Adopt a multi-pronged approach to cyber security that includes network security, endpoint security, multi-factor authentication, and email protection against malware.
Backup all data and files regularly, and store them in a secure location. Our Silver and Gold packages include backup for Microsoft 365. And we can also help with more complex backup requirements. We provide secure cloud storage for £5.99 per TB per month.
Obtain adequate cyber security insurance. Up to £250k is included in our Gold IT package.
Get Cyber Essentials Certification, which is backed by the UK governement. This will demonstrate to your clients that you can be trusted as you have a good standard of cyber security in place.
Regularly update software and systems to address vulnerabilities.
Regularly assess and update security protocols. This can be done internally if you have a specialist team or with the help of external experts. Mcats IT can help with Cyber Gap Analysis.
Large law firms may be interested in accessing our security operations centre and mXDR (extended detection and response for Microsoft) – with an SLA of just 15 minutes for the highest risks. And, if your organisation has bespoke or particularly complex cyber security requirements, our team of experts can help. We provide cyber security professionals by the day who can solve problems and help you implement the solutions. Contact us for a free consultation.
Комментарии