Cyber Security in the Legal Sector

By Shirley O’Sullivan


Cyber security is now at the top of the list of priorities for law firm compliance teams. Research into legal sector security shows that the statistics on cyber-crime are alarming: one in four law firms has suffered a cyber-attack and, of those, one in ten has had money stolen. The Solicitors Regulation Authority (SRA) estimates that £11 million was stolen from law firms in cyber-attacks between 2016 and 2017. Cybercrime is not static. The criminals who seek to steal funds and information continually introduce new methods of getting around security software, and increasingly sophisticated scams are used to trick people into handing over the information that makes a theft possible. By staying aware of the latest risks, the legal services sector can go a long way towards securing a firm’s property and remaining compliant.

Beware of Ransomware

Ransomware is a type of malware used for extortion. It encrypts the victim’s files, together with any shared drives or connected backups it can reach, and displays a message on the screen demanding payment for the key that unlocks them. Ransom demands are typically around £900 to £3,000, payable in bitcoin. It is not surprising that many firms pay up, because the financial and reputational cost of losing all their data and records is far higher than that. Sadly, paying does not guarantee that records will be restored: the decryption key may never arrive, or may not work.

The financial cost of this type of breach, even if access to the records is restored, is very high, and firms suffer longer-term damage to their reputation and a breakdown in trust with their clients. The most reliable defence is a tested disaster recovery plan, so that records are restored from backups rather than bought back from the attacker. For that to work, at least one backup copy must be kept offline or otherwise out of reach of the infected network (a backup drive that stays mapped to a workstation will simply be encrypted along with it), and restores must be rehearsed so the firm knows how long recovery really takes before it has to do it for real.

Distributed Denial of Service (DDoS) Attacks

In this form of attack, the attacker uses a network of compromised machines (a botnet) to flood a target’s servers or internet connection with traffic until legitimate users can no longer get through. DDoS attacks are also mounted by activist groups with a political point to make. Either way, the firm’s systems become unavailable, daily routines are disrupted, and the business suffers.

The key to fending off a DDoS is recognising the attack quickly so that the response can be swift. Monitoring tools can identify traffic spikes, and a team is needed to watch for them and react when one appears. A firm cannot absorb a large volumetric attack on its own connection, however, so the practical response is usually to have mitigation agreed in advance with the internet provider or a content delivery service, so that attack traffic is filtered upstream before it reaches the firm.
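As an added illustration of the monitoring described above (this is not code from the article), the following script counts requests per fixed time bucket in web-server access logs and flags buckets whose volume is far above the median. The log lines are constructed inline, not a real capture, and the bucket size, multiplier and absolute floor are assumptions that would be tuned to a real site’s baseline.

```python
"""Spike detector over web-server access logs (added illustration, not code
from the article). Sample lines are constructed; thresholds are assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_spikes(lines, bucket_seconds=10, factor=5, min_requests=50):
    """Count requests per fixed time bucket and flag buckets whose volume
    exceeds both an absolute floor and `factor` times the median bucket.
    The median is the baseline so the flood itself cannot drag it upward.
    Returns one dict per flagged bucket, in time order."""
    counts = defaultdict(Counter)  # bucket start (epoch seconds) -> Counter(ip)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, ts = parsed
        epoch = int(ts.timestamp())
        counts[epoch - epoch % bucket_seconds][ip] += 1
    if not counts:
        return []
    baseline = median(sum(c.values()) for c in counts.values())
    threshold = max(min_requests, factor * baseline)
    spikes = []
    for bucket in sorted(counts):
        per_ip = counts[bucket]
        total = sum(per_ip.values())
        if total > threshold:
            spikes.append({
                "start": datetime.fromtimestamp(bucket, tz=timezone.utc),
                "count": total,
                "distinct_sources": len(per_ip),   # many sources => distributed
                "top_source": per_ip.most_common(1)[0],
            })
    return spikes


def _log_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic (not a real capture): 60 s of ordinary browsing
    from three clients, then a 10 s flood from 40 addresses in the
    192.0.2.0/24 documentation range."""
    start = datetime(2018, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    clients = ["203.0.113.5", "203.0.113.9", "198.51.100.7"]
    lines = []
    for sec in range(60):
        ts = start + timedelta(seconds=sec)
        lines.append(_log_line(clients[sec % 3], ts, "/"))
    for sec in range(60, 70):
        ts = start + timedelta(seconds=sec)
        for n in range(40):
            lines.append(_log_line(f"192.0.2.{n + 1}", ts, "/search?q=x"))
    return lines


if __name__ == "__main__":
    for spike in detect_spikes(build_sample_log()):
        print(f"{spike['start'].isoformat()} {spike['count']} requests "
              f"from {spike['distinct_sources']} sources; busiest "
              f"{spike['top_source'][0]} ({spike['top_source'][1]} requests)")
```

The `distinct_sources` figure is what separates a distributed attack from a single misbehaving client: one address hammering the site can be blocked at the firewall, whereas hundreds of sources sharing the load is the case that has to be handed upstream. In production the baseline would come from historical traffic for the same time of day rather than from the window being examined.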

Friday Afternoon Peaks in Fraud

A staggering three quarters of cybercrimes against law firms take place on a Friday afternoon. The underlying reason is that this is when most conveyancing deals complete and large sums of money change hands. Fraudsters have long posed as lenders or clients over the telephone to redirect completion funds into their own accounts. Today they also compromise email accounts, so that a message changing the bank details arrives from the solicitor’s or client’s genuine address. Up-to-date anti-virus and anti-malware software helps, but it does not stop a fraud that relies on a convincing instruction rather than on malicious code. The safeguard is procedural: treat any change to bank details as suspect and confirm it by calling the other party on a number already held on file, never on one supplied in the email that asks for the change.

National Cyber Security Centre Advice

The National Cyber Security Centre (NCSC) has published a threat report for the legal sector that gives law firms advice on how to protect themselves. The NCSC is the UK’s central body for national cyber security and issues technical guidance and support.

During 2017, 60% of law firms had some form of security incident, up 20% on the year before. The report’s emphasis is on guidance that is clear and actionable, and it focuses on malware and phishing. The NCSC has acted because law firms are more reliant on information technology than ever before, which makes them attractive targets for cyber-attack. Law firms have a lot to lose in reputation and finance: they hold a great deal of sensitive data and large sums of money, much of which belongs to their clients.

The NCSC report takes general security advice and tailors it to the legal sector, which makes it more useful and actionable. The Law Society has welcomed the report and sees it as a step in the right direction. It will help law firms fulfil their duties as data controllers in relation to data protection for their clients.

One initiative is the ‘Legal Sector’ group on the Cyber Security Information Sharing Partnership (CiSP), launched by members of the legal profession together with the NCSC. Its aim is to exchange information about cyber threats in near real time so that awareness is increased and the impact on law firms reduced.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.