Superior cyber security is a paramount need for almost everybody today. With our data online, crucial data is in the hands of hackers if you have no cyber security.
The same is true for business, especially within the legal sector. With many legal firms holding private data, there is no question that, given the sensitivity of that data, they should have the best defences in place to protect it.
This sentiment is true for all levels of business within the law, and businesses in general. However, an updated report from the NCSC (National Cyber Security Centre) has revealed that 32% of the businesses they surveyed had identified a cyber attack.
What is a cyber attack?
A cyber attack, in its most basic element, is an attempt to obtain sensitive data through your device or computer. This sensitive data can include but is not limited to:
- Your identity
- Financial details
- Your address
- Your passwords
- Files on your device
- Your accounts on various platforms such as email and social media
- If you’re a business, on top of the aforementioned data, the data of your clients is also at risk
A cyber attack can also take the form of your device being taken control of by someone who is not physically with you. In situations like these, the hacker freely navigates your device whilst you watch, or may tell you to send money to an online address in exchange for access to your device again.
Why do people commit cyber attacks?
Like any other crime, cyber attacks are committed by people in order to obtain data that they can either sell or use to commit fraud.
How do people commit cyber attacks?
There are many methods. Some people opt to use programs that can obtain your data once you click a specific link; this is known as a phishing scam.
According to the NCSC, a phishing scam is:
“When criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.”
Shockingly, there was a total of 21 million reported scams, further highlighting the need for refined online security.
Understanding the NCSC report
The report, known as the ‘Cyber Threat to the Legal Sector report’, is an update to its previous edition, published back in 2018, with the latest report being published in 2023. It’s safe to say that in the past 5 years, developments in technology have only accelerated.
The report sets out the possible cyber security threats that legal firms can encounter, examples being ransomware attacks, phishing scams, and intellectual property theft by state actors.
The report is for those in the legal sector of any size, whether you are a nationally recognised law practice or a local one.
It highlights how the necessity for hybrid working (working from home) had developed at an incredible rate due to the COVID-19 pandemic, and how that development had also increased the risk of a cyber attack.
Case studies within the report
Also featured within the report are case studies that highlight the destructive nature of a cyber attack, and how it can severely impact those within a law practice. One example is Simplify Group, a conveyancing firm that fell victim to a cyber attack which ended up costing the company over £6 million.
A further example of the damage a cyber attack can cause comes from the firm ‘Tuckers Solicitors LLP’. They had a data breach, as a result of a ransomware attack, which resulted in 60 court cases being stolen and subsequently leaked onto the dark web.
The fact that these 60 court cases were now compromised and no longer confidential meant that all of these cases would likely have had a re-trial, costing more time and resources and, in some cases, people’s freedom.
Why is the legal sector a target for cyber attacks?
Below is a detailed explanation of why the legal sector is a target for cyber attacks (obtained from the NCSC report mentioned earlier):
Law firms routinely handle highly sensitive client information (for instance relating to ongoing criminal cases, or mergers and acquisitions) that may be valuable to criminal organisations with an interest in exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.
Disruption to routine business operations can be costly to legal practices, both in terms of billable hours lost due to outages and costs to clients that depend upon them, making legal practices particularly of interest to ransomware gangs aiming to extort money in return for restoration of IT services.
What is the goal when cyber attacking the legal sector?
In many areas, from mergers and acquisitions to conveyancing, legal practices handle significant funds. The time pressures associated with transactions (as well as the large numbers of suppliers and clients and complex payrolls that law firms handle) create attractive conditions for phishing attacks and business email compromise.
Many legal practices, especially smaller firms, chambers and individual practitioners, rely on an external IT services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face.
A small law firm with few resources could be devastated if caught up by (for example) a ransomware attack. They are more vulnerable to attack, perhaps via unpatched vulnerabilities on unmanaged devices, or due to untrained staff or poorly offboarded leavers. Once attacked, a relatively small financial or reputational loss may be disastrous.
Reputation is critical to the business of law, which makes legal practices attractive targets for extortion.
Did the lockdown affect cyber security for legal firms?
Interestingly, yes. The lockdown saw almost all of our non-key workers go from an office environment to working from home. The legal sector was not exempt from this.
With many legal firms opting for their workers to work from home, their workers faced two options:
- Use a computer or laptop provided by their employers
- Use a personal computer or laptop for the work
This was where cyber security was put at risk, for two reasons:
- Using a device provided by the employer for non-work related things
- Handling sensitive information of a client on a personal computer/laptop
The NCSC report went on to highlight that cyber criminals were quick to exploit concerns about the pandemic by creating COVID-19 related phishing emails trying to trick users into clicking malicious links.
Additionally, remote users were now connecting into their corporate networks from their home routers, which increased the risk exposure to the organisation’s network.
NCSC recommended solutions
Thankfully, the NCSC holds a diverse range of guidance for you, along with tools that we can access in order to improve the effectiveness of our cyber security. This is applicable to individuals and organisations.
Examples of this include the ACD (Active Cyber Defence) programme, along with the Cyber Essentials programme. If you are a small legal aid organisation and need further support, you can apply for it; this is known as the Funded Cyber Essentials programme.
The NCSC also provides a free service that lets you check your cyber security, which is essential in understanding what reinforcements you need to urgently make.
Additional options include hiring a cyber security consultant, or a service with which you can upgrade your online security.
We have only managed to briefly highlight some of the findings of the NCSC report. We urge you to read the full copy, especially if you are within the legal sector. This is the latest, up-to-date information, provided by a government association, and it could make the difference to the security of your business or legal firm.