A new threat report published by the National Cyber Security Centre reveals why the legal sector is particularly vulnerable to cyber attacks, the methods used by online criminals, and how organisations working in the sector can best defend themselves.
In her foreword to the report, Lindy Cameron (the NCSC’s CEO) said:
“Recent examples of cyber attacks affecting the legal sector have led to a growing understanding of the problem at the highest levels of corporate governance. The NCSC welcomes the increased support and investment in cyber security we’re seeing across the sector.
The legal sector is important to the NCSC as lawyers, legal practices and law firms play an essential role in the UK’s economy and society. We rely on them for the delivery of justice, the resolution of disputes, and the conduct of business. This report will help ensure that the sector is as resilient as possible to cyber attack.”
A report by the Solicitors Regulation Authority showed that 75% of law firms have been the target of a cyber attack
The SRA found that 75% of the law firms it reviewed had been the target of a cyber attack, and that in 23 of the 30 cases where firms were directly targeted, more than £4m of client money was stolen. The financial impact of a data loss is harder to quantify, but it often brings further indirect costs: one firm, for example, lost around £150,000 worth of billable hours after an attack disrupted its systems.
Firms also report that attacks are not isolated incidents. Two large firms report being targeted hundreds of times yearly, although most of these attacks were unsuccessful.
Twenty-three firms had informed law enforcement following their last cybercrime incident. These included incidents where:
a client transferred £70K to a fraudster
a further £70K transfer was made to a fraudster in an unrelated incident by another client
a solicitor transferred £340K to a fraudster.
Why is the legal sector a target for criminals?
Cyber criminals are not fussy about who they attack, so firms of every size are at risk. Organisations in the legal sector routinely handle large sums of money and highly sensitive information, which makes them attractive targets.
They are also targeted for these reasons:
Law firms routinely handle highly sensitive client information (for instance relating to ongoing criminal cases, or mergers and acquisitions) that may be valuable to criminal organisations with an interest in exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.
Disruption to routine business operations can be costly to legal practices, both in terms of billable hours lost due to outages and costs to clients that depend upon them, making legal practices particularly of interest to ransomware gangs aiming to extort money in return for restoration of IT services.
In many areas, from mergers and acquisitions to conveyancing, legal practices handle significant funds. The time pressures associated with transactions (as well as the large numbers of suppliers and clients and complex payrolls that law firms handle) create attractive conditions for phishing attacks and business email compromise.
Many legal practices, especially smaller firms, chambers and individual practitioners, rely on an external IT services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face. A small law firm with few resources could be devastated if caught up by (for example) a ransomware attack. They are more vulnerable to attack, perhaps via unpatched vulnerabilities on unmanaged devices, or due to untrained staff or poorly offboarded leavers. Once attacked, a relatively small financial or reputational loss may be disastrous.
Reputation is critical to the business of law, which makes legal practices attractive targets for extortion.
Simplify Group - Case Study
In November 2021, Simplify Group, the UK’s largest conveyancing firm, was the victim of a major cyber attack that took core business systems offline. Completions were delayed, the number of new transactions fell significantly, and the incident was reported to have cost the firm £6.8 million. Because personal data might have been accessed without authorisation, Simplify Group reported the incident to the Information Commissioner’s Office (ICO), which said the group “fully complied with all relevant obligations required to ensure that data or information loss resulting from the attack was appropriately handled”. The incident showed the sector vividly both the profound impact of business interruption on customers and how a cyber incident should be reported to the relevant authorities.
How can the SECRC help businesses within the legal and financial sector?
To help businesses in the legal and financial sectors outsmart cyber criminals and toughen up their cyber security, the South East Cyber Resilience Centre (SECRC) has been established to give businesses from all sectors and of all sizes an affordable way to access cyber security services designed to improve cyber resilience.
We offer free core membership to businesses in the South East. Members receive a welcome pack of practical resources and tools designed to help you identify your risks and vulnerabilities and the steps you can take to increase your level of protection, as well as regular updates on new threats to help you stay safer.
The SECRC works with a network of official Cyber Essentials providers, our Trusted Partners, who help local businesses achieve Cyber Essentials and Cyber Essentials Plus certification.
A busy solicitor’s office has little time for combing through complicated jargon; Cyber Essentials provides a first step in demonstrating cyber security.
Cyber Essentials certification covers the basic technical controls that help prevent the most common commodity attacks. It is a good place for the legal sector to start, and the certification is broken into five control areas:
Access Control which looks at how businesses can ensure that employees have the correct access levels for their roles and how access permissions should be monitored and checked regularly.
Secure Configuration looks at how businesses implement security measures when setting up or installing new computers and network devices, in order to reduce unnecessary cyber vulnerabilities.
Software Updates are essential for effective cyber security. This control area looks at how cyber criminals exploit vulnerabilities in out-of-date software. When a vendor releases a security update, attackers quickly work out which underlying vulnerability it fixes and release malware to exploit it on systems that have not yet been patched, so updates need to be applied promptly.
Malware Protection looks at how businesses can detect and block malicious software, for example by running up-to-date anti-malware software or by only allowing approved applications to run, so that an infected attachment or download does not give criminals a foothold.
Firewalls and Routers looks at how a firewall provides a defence barrier between your network and the internet, and why this is key to protecting your devices.