Top Cyber Threats to the Legal Sector
Concerns around cybersecurity are certainly not new to the legal sector. However, with the speed at which technology is evolving and the increasing sophistication of attacks and hacks, today’s law firms cannot afford to be complacent. You may remember the names of firms such as DLA Piper and Mossack Fonseca for being under international scrutiny after falling victim to malicious, highly damaging cyber-attacks. Firms must invest time and money if they are to keep up with new threats in the landscape and update defence practices accordingly.
In its annual ‘The Cyber Threat to UK Legal Sector’ report, the National Cyber Security Centre (NCSC) identified four key threats posing a risk to law firms and their employees. Ahead of the release of this year’s report, today’s blog article will round up the key insights and takeaways from last year’s report.
Key Insights & Findings from the Report
60% of law firms reported an information security incident in 2017, up from 42% in 2014.
£11 million of client money was reported stolen due to cybercrime in 2016-17.
Holding sensitive client information and handling significant funds makes law firms an attractive target for cyber-attacks.
The NCSC found that the primary threat to the legal sector stems from cyber criminals with a financial motive. The threat also extends to the global hacktivist community, which targets law firms to obtain information for political, economic and ideological ends.
Top Threats to Law Firms
Phishing is reported as the most common form of cyber-attack affecting law firms. Phishing is a type of social engineering in which attackers trick users into clicking malicious links or opening malicious attachments. These attacks can be very convincing, masquerading as messages from a trusted colleague or supplier, and are typically conducted via email but can also arrive through social media, text message or over the phone.
The amount stolen from law firms through phishing in the first quarter of 2017 was a staggering 300% higher than in the same period of the previous year. This is a reminder to firms to ensure staff are well trained and confident in spotting phishing attacks. At Eze Castle Integration, we recommend firms deploy regular managed phishing simulations and training. Through controlled phishing email simulations, you can test employees’ responses to phishing attacks and provide ‘in-the-moment’ security education.
The NCSC found that in the two years to March 2018, eighteen law firms reported hacking attempts. Confidentiality is at the heart of the legal sector, so these firms are a prime target for data breaches, with hackers looking to get their hands on client information. Panama-based law firm Mossack Fonseca lost the largest amount of data ever recorded: a staggering 2.6 TB. What’s more, the damage to the firm’s reputation left it no option but to close.
The report also advises law firms to be aware of the insider threat, both accidental and malicious, with the latter coming from an employee seeking financial gain or acting on a grievance against the firm. Furthermore, the NCSC found that over half of all data breaches are caused by insiders.
IT experts at Eze Castle Integration recommend that firms have the right layers of cybersecurity defences in place to avoid falling victim to a data breach. These vary based on firm type and the nature of its operations. In general, it is good practice for law firms to conduct vulnerability assessments, to have security plans in place, and to manage access controls according to each employee’s role. With these in place, your firm is better prepared both to avoid being attacked and to respond when disaster strikes.
Another form of cyber-attack the legal sector is commonly targeted with is ransomware. This is a type of malware attack that prevents users at the victim firm from accessing files or data on their computer or network altogether until a ransom has been paid. And, as firms have often found out, paying the ransom does not guarantee that you will regain access to your data or device, and attackers may hope to keep the firm exposed to further ransom demands in the future.
In 2017, DLA Piper suffered a global ransomware attack which disrupted business operations for a number of weeks. To respond quickly and effectively, businesses are advised to have a solid defence strategy and business continuity plan (BCP) in place. Download our datasheet on BCP to learn about its benefits.
Supply Chain Compromise
The report indicates that supply chain compromises increased by 200% in 2017. A law firm’s supply chain can be compromised in many ways, including through the exploitation of third-party data stores or software providers. The worst-case scenario for law firms is a third-party supplier failing to secure the systems that hold your sensitive data. We recommend firms conduct thorough due diligence on any suppliers or partners and put clear agreements in place around how data is handled. It’s good practice to manage expectations on both sides right from the start of a partnership.
We recently explored vendor due diligence considerations and structuring agreements in a webinar with global law firm Simmons & Simmons. Watch the full replay here to learn more about protecting your firm from a supply chain compromise.