Cyber Effects On The Legal Profession


Cyber crime is a global threat to organisations and, given society's dependence upon technology, the risk it poses cannot be ignored by law firms. It is clear that the cyber threat to the legal sector is growing significantly.

Few areas of our lives remain untouched by the digital revolution. Across the world, there are now nearly two billion internet users and over five billion mobile phone connections; every day, we send 294 billion emails and five billion SMS messages. Law firms therefore operate in an increasingly hostile digital landscape, and the high-value transactions they handle make them enticing targets for cyber criminals.

Robust disaster recovery and business continuity plans are therefore imperative, so that a firm can recover from a cyber attack rather than be stopped by it.

The past 12 months have seen the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (together, the Data Protection Legislation) displace cyber crime at the top of risk managers' action lists. Although cyber crime is not a new crime, it is a relatively new issue for the legal profession. In the UK, the Solicitors Regulation Authority (SRA) first recognised cyber crime as a threat to law firms in its 2014 Risk Outlook publication.

In July 2018 the SRA categorised cyber crime as a priority risk in its own right, rather than as one element of information security risk. In the same month the National Cyber Security Centre (NCSC) recognised the threat to law firms and published a report specifically on the cyber threat to the legal sector.

With cyber crime risks continually evolving as criminals devise new ways of beating security software and tricking people into handing over their personal or business details, it makes sense to be aware of what the newest cyber risks are – and the steps you need to take to ensure your firm stays secure and compliant.

Cyber security and operational resilience are a serious business risk and a board-level responsibility. They require an influential and visible leader to set the tone and put the right protections in place.

Cyber criminals have seized the opportunities presented by the exponential growth in the use of technology, including within the legal profession, an industry that routinely processes confidential and sensitive client data and has access to vast sums of client money. There should be a formalised approach to cyber risk management, with proper record keeping and a proper understanding of the issues by all board directors and partners. It also requires ongoing expenditure: most of the firms that were breached had failed to allocate a specific annual cyber security budget.

The global coronavirus pandemic, and the rise in working from home, has unfortunately provoked a growth in cyber crime. The UK Government currently estimates the cost of cyber crime at £27 billion a year. The legal sector handles sensitive data and large financial transactions, which makes it an attractive target for cyber criminals, who are constantly looking for new situations to exploit.

Several factors make law firms an attractive target for cyber attack: they hold sensitive client information, handle significant funds and are a key enabler of commercial and business transactions. The risk may be greater for firms that advise particularly sensitive clients. For example, firms acting for organisations engaged in work of a controversial nature, such as life sciences or the energy sector, may also be targeted by groups with a political or ideological agenda. The move to offer legal services digitally will provide new opportunities but also new avenues for malicious cyber exploitation.

In September 2020, the Solicitors Regulation Authority (SRA) published its review of firms that had suffered cyber security breaches and found that the results "were often catastrophic". In addition to the money stolen, the firms incurred further costs in higher insurance premiums, lost time and damaged client relationships.

Cyber criminals actively probe law firms for weaknesses, in both their people and their networks, and exploit whatever they find. The risks of cyber attack and data theft have never been more prevalent, and the potential consequences have never been more serious. In an industry where trust is everything, the cyber threat to law firms must be considered in the context of the reputational damage a data breach could cause.

The Risk To Reputation Is Critical

Major law firms deal with vast amounts of sensitive data and are entrusted by their clients to keep it confidential and secure. This relationship is a foundation on which the legal profession is built. A breach of that data through a cyber attack could seriously damage a firm's hard-won reputation within the legal industry, something that may not be easy to recover from.

The reputational damage to a firm when a cyber attack happens is huge. Since the introduction of the GDPR in the UK, such matters cannot be dealt with privately: an organisation must report a personal data breach that is likely to result in a risk to individuals to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. The confidence that clients, insurers and lenders have in a firm is at stake and can be permanently damaged in this scenario.

Understanding who is attacking law firms and why is the first step towards mitigating the risks threat actors present. 

Whether a firm offers a multitude of services on an international scale or is a boutique practice in a quiet town, it is just as important that it has cyber security measures in place and its employees educated. Although many firms are now conscious of the importance of cyber security, there are still those that lack a decent understanding of what precautionary measures to take to mitigate the risks.

Ransomware is one of the most popular attack methods that cyber criminals use against law firms. In a typical ransomware attack the target organisation's network is penetrated by attackers, often by sending individuals in the organisation a phishing email that carries malware, or sometimes by exploiting a vulnerability in the organisation's network.

Once the malware is on the network, the attackers conduct reconnaissance and further activity to gain the access they need to execute the ransomware. When that is done, the organisation's data is encrypted and its network is effectively unusable until either a ransom is paid or the organisation restores from backups to bring the network back online.
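
The encryption stage described above is the point at which a firm can still limit the damage if it notices quickly. The following is an added example, not code from the original article or from any vendor it names: a detector that reads file-activity events and alerts when one process on one host renames many files to an extension the firm never uses within a short window, lowering the bar once a ransom-note file appears. The log format, thresholds, process names and sample events are constructed assumptions; a real deployment would read file-server audit or EDR telemetry instead.

```python
"""Spot ransomware-style mass encryption in file-activity logs.

Added example; it is not code from the original article or from any
vendor it names.  The log format, thresholds, process names and sample
events below are constructed assumptions; a real deployment would read
EDR or file-server audit telemetry instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

WINDOW = timedelta(seconds=60)   # assumed: burst window per host+process
MIN_RENAMES = 20                 # assumed: renames to odd extensions that alert alone
MIN_WITH_NOTE = 5                # assumed: lower bar once a ransom note appears
# Document extensions normally seen on the firm's file share (assumed).
NORMAL_EXTENSIONS = {".docx", ".doc", ".pdf", ".xlsx", ".txt", ".msg", ".eml", ".pptx"}
# File names ransomware families commonly use for the note left beside encrypted files.
NOTE_PATTERN = re.compile(r"(readme|how_to|decrypt|restore).*\.(txt|html|hta)$", re.I)


def parse_line(line: str) -> dict:
    """Parse 'ISO-time host user process ACTION path [-> new_path]' (assumed format)."""
    ts, host, user, proc, action, rest = line.split(maxsplit=5)
    old, _, new = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": proc, "action": action, "path": old, "new_path": new or None}


def unusual_extension(path: str) -> bool:
    """True when the file now carries an extension the firm never uses."""
    ext = os.path.splitext(path)[1].lower()
    return ext != "" and ext not in NORMAL_EXTENSIONS


def detect(lines) -> list:
    """One alert per (host, process) that renames many files to an unusual
    extension inside WINDOW, or fewer files once a ransom note is dropped."""
    by_actor = defaultdict(list)
    for ev in map(parse_line, lines):
        by_actor[(ev["host"], ev["process"])].append(ev)

    alerts = []
    for (host, proc), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        alert, start = None, 0
        for end, ev in enumerate(events):
            # Slide the window so it holds only events within WINDOW of ev.
            while events[start]["ts"] < ev["ts"] - WINDOW:
                start += 1
            window = events[start:end + 1]
            renamed = [e for e in window
                       if e["action"] == "RENAME" and unusual_extension(e["new_path"])]
            note = next((e for e in window
                         if NOTE_PATTERN.search(os.path.basename(e["new_path"] or e["path"]))),
                        None)
            if len(renamed) >= (MIN_WITH_NOTE if note else MIN_RENAMES):
                if alert is None:
                    alert = {"host": host, "process": proc, "user": ev["user"],
                             "first_seen": window[0]["ts"].isoformat(),
                             "files": 0, "extensions": set(), "note": None}
                alert["files"] = max(alert["files"], len(renamed))
                alert["extensions"] |= {os.path.splitext(e["new_path"])[1].lower() for e in renamed}
                if note:
                    alert["note"] = os.path.basename(note["new_path"] or note["path"])
        if alert:
            alerts.append(alert)
    return alerts


def sample_log() -> list:
    """Constructed events: a bulk copy job (benign), normal editing, then a
    burst of renames to '.locked' followed by a ransom note."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(30):   # high volume but normal extensions: must not alert
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} FS01 svc_backup robocopy.exe WRITE //fs01/backup/m100/doc{i}.pdf")
    t = base + timedelta(minutes=5)
    lines.append(f"{t.isoformat()} FS01 jsmith WINWORD.EXE WRITE //fs01/matters/m123/contract.docx")
    for i in range(25):   # 25 renames in 48 seconds from one unexpected process
        t = base + timedelta(minutes=10, seconds=2 * i)
        lines.append(f"{t.isoformat()} FS01 jsmith updater.exe RENAME "
                     f"//fs01/matters/m123/file{i}.docx -> //fs01/matters/m123/file{i}.docx.locked")
    t = base + timedelta(minutes=10, seconds=52)
    lines.append(f"{t.isoformat()} FS01 jsmith updater.exe CREATE //fs01/matters/m123/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(a)
```

The benign copy job touches more files than the threshold but never changes an extension, so it does not alert; the rename burst does, and the alert names the host, process and user to isolate and the extension and note to search for elsewhere. The note-aware lower threshold matters because some ransomware throttles itself to stay under simple rate limits.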

Phishing attacks remain the primary concern amongst firms and mirror the number of breaches detected. Data breaches through theft of data and hacking of office or client accounts are the next two top worries on the list, though the survey revealed a low number of actual reports of breaches in these areas. The data firms hold can be monetised, making it highly attractive to criminals and meaning a breach can have potentially disastrous consequences for the client.

Discussions with law firms of all sizes have provided an indication of the current patterns of cyber security activity in the sector: over 50% report having suffered an attack.

The Top Types of Attacks Affecting Law Firms Are:

Phishing emails:  An attempt to obtain sensitive information or gain access to client funds by masquerading as a trustworthy source via email. These are among the most common cyber security incidents faced, with 84% of firms reporting such an attack. An attacker attempts to obtain financial or other confidential information by sending fraudulent emails to people in your firm.

Spear-phishing campaigns:  Spear-phishing is an email fraud attempt that targets a specific organisation and appears to come from an individual or business that you know. There is also an internal threat: 41% of law firms have suffered a security incident caused by their own staff. Symantec reported that spear-phishing campaigns targeting employees increased by 55% in 2015.

Ransomware:  Ransomware increased by 35 percent in 2015 as cyber criminals capitalised on the profitability of such attacks. This type of attack targets Macs, PCs and also smartphones, encrypting the files on the device until a ransom has been paid. Ransomware is typically spread via unsolicited emails and employees clicking on genuine-looking links or attachments.

Spoofing:  An attacker attempts to obtain financial or other confidential information from third parties by impersonating your firm, for example by sending emails that appear to come from the firm or by hosting a fake website.

Viruses, spyware or malware attacks:  Types of malicious software designed to perform damaging operations on a computer.

When a cyber security breach takes place, one of the immediate questions asked is what it will cost the business.

Ransomware attacks have ratcheted up during the pandemic, and organisations like law firms are an increasingly attractive target because of the nature of their business. In the course of corporate and M&A work, litigation and the other legal services they perform, law firms and in-house legal teams collect large amounts of confidential corporate information and sensitive data such as tax returns. They can suffer reputational and financial losses if they are breached, especially if data is exposed. Average ransomware payouts exceed $1 million, according to CrowdStrike.

Unfortunately, law firms tend to be more exposed than other types of business. A report by security firm BlueVoyant, which analysed thousands of law firms worldwide between January and March 2020, found that all of them were subject to targeted threat activity and that, within a detailed sample, 15% showed signs of compromised networks. These results were compared with companies in the 16 sectors defined by the US Department of Homeland Security as critical to national infrastructure, resources and resiliency.
BlueVoyant contends that the legal sector should be designated as "sector 17" because of the high-value data law firms hold and their role as arbiters and safekeepers of public trust.

This study revealed that almost 100% of law firms surveyed have been subject to targeted threat activity, not surprising given the sector's estimated worth of nearly $1 trillion, making it a prime target for financially-motivated attacks, as well as their handling of sensitive information. 

Jim Rosenthal, CEO, BlueVoyant, commented: "The stakes could not be higher. While the legal sector is performing well in comparison to the other 16 sectors, attacks against law firms constitute some of the most sensational and damaging cyber attacks in history. We have already seen how recent incidents can cause substantial geopolitical fallout, not to mention tremendous direct and indirect financial repercussions for law firms."

Furthermore, detailed analysis of 20 law firms, including an examination of defence metrics, inbound threat targeting and evidence of compromise, revealed that 15% of these firms had likely been compromised, based on strong evidence of suspicious traffic, and many more showed signs of suspicious activity, including malicious proxy use. Rosenthal added: "Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised."

Law firms can use multiple detection engines to enhance cyber security. Automated fraud detection can pinpoint phishing, flagging suspicious emails so that legal professionals can make quick, informed decisions that avoid data breaches. Rationalising modern IT applications and re-engineering business systems can fundamentally improve cyber security: by reducing reliance on sprawling cloud-based systems in favour of simpler, efficient digital solutions, law firms can cut cost and secure their operations.
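
The phishing, spear-phishing and spoofing attacks listed above, and the automated flagging described here, come down to a handful of checks on each inbound message. The following is an added example, not code from the original article or from any vendor it names, showing those checks over two constructed messages: a look-alike sender domain (homoglyph and typosquat matching against the firm's trusted domains), a display name that advertises a trusted address the real sender does not have, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC verdicts, and payment-diversion wording of the kind used to redirect completion funds. The firm domain example-law.co.uk, the trusted counterparty list, the phrase list and both messages are assumptions, not from the article.

```python
"""Triage inbound email for phishing and spoofing indicators.

Added example, not code from the original article or any vendor it names.
Assumed (not from the article): the firm's domain is example-law.co.uk, its
trusted counterparties are TRUSTED_DOMAINS, and both messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.co.uk"                     # assumed
TRUSTED_DOMAINS = {FIRM_DOMAIN, "client-bank.co.uk"}  # assumed counterparties
# Wording typical of payment-diversion fraud against completions (assumed list).
FRAUD_PHRASES = ("new bank details", "change of account", "updated account",
                 "urgent transfer", "completion funds")


def normalise(domain: str) -> str:
    """Undo common look-alike substitutions: rn->m, vv->w, 0->o, 1->l, 3->e, 5->s, 7->t."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 between two domains is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(normalise(domain), normalise(trusted)) <= 1:
            return trusted
    return None


def triage(raw: str) -> list:
    """Return the indicators found in one RFC 822 message; [] means clean."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    # 1. Typosquat or homoglyph of a domain the firm trusts.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike-domain:{from_dom}->{imitated}")
    # 2. Display name advertises a trusted identity the real sender lacks.
    if from_dom not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        findings.append("display-name-spoof")
    # 3. Replies silently diverted to another domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    # 4. SPF/DKIM/DMARC verdicts stamped by the firm's own gateway (assumed to
    #    strip any Authentication-Results header arriving from outside).
    auth = msg.get("Authentication-Results", "").lower()
    findings += [f"auth-fail:{m}" for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    # 5. Payment-diversion wording in subject or body.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    findings += [f"fraud-phrase:{p}" for p in FRAUD_PHRASES if p in text]
    return findings


def verdict(findings: list) -> str:
    """Quarantine on identity or authentication failures; hold the rest for review."""
    if any(f.startswith(("lookalike-domain", "display-name-spoof", "auth-fail")) for f in findings):
        return "quarantine"
    return "review" if findings else "deliver"


# Constructed sample messages, not real traffic.
SPOOF = """From: "Jane Smith - jane.smith@example-law.co.uk" <accounts@examp1e-law.co.uk>
Reply-To: accounts@mail-relay-secure.com
Subject: URGENT: change of account for completion funds
Authentication-Results: mx.example-law.co.uk; spf=fail smtp.mailfrom=examp1e-law.co.uk; dmarc=fail

Please send the completion funds to our new bank details below.
"""
LEGIT = """From: Jane Smith <jane.smith@example-law.co.uk>
Subject: Completion statement attached
Authentication-Results: mx.example-law.co.uk; spf=pass; dkim=pass; dmarc=pass

Completion statement for your records.
"""

if __name__ == "__main__":
    print(verdict(triage(SPOOF)), triage(SPOOF), verdict(triage(LEGIT)), sep="\n")
```

The spoofed message trips every check and is quarantined; the genuine one produces no findings. The wording check alone only sends a message for human review, because "new bank details" also appears in legitimate correspondence, whereas a look-alike domain or a DMARC failure is treated as decisive. Publishing a DMARC policy for the firm's own domain is what makes the fourth check bite when criminals impersonate the firm to its clients, the spoofing scenario listed above.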

The digital landscape is changing rapidly and keeping pace with the evolution of emerging cyber threats is challenging for law firms. Achieving sustainable progress in safeguarding the legal sector is not easy and countless organisations have incurred substantial financial and reputational damage in recent years. As the legal industry continues to digitise, law firms must take cybersecurity issues more seriously.

It is long overdue that the legal sector recognises the risks associated with cyber crime. Given the profession’s accelerated transition to the digital era, more comprehensive steps must be taken to ensure that potential threats are addressed. A proactive attitude towards cyber security can help lawyers avoid devastating repercussions. It is crucial that we enhance our understanding of the different types of attacks.

By implementing effective policies and procedures to deal with cyber crime and creating a culture of cyber security awareness, law firms will be establishing strong foundations to minimise their exposure to cybercrime and the threats that stem from cyber security failures.

For more information please contact: Cyber Security Intelligence and in the UK we recommend Clayden Law as they are experts in information technology, data privacy and cyber security law.

 

References:

The Law Society
Lawyer Monthly
Cyfor
Broadcom
Forbes
CrowdStrike
PRNewswire
Legal Futures
Six Degrees
Today's Conveyancer
GOV.UK
Doherty
Willis Towers Watson
