NCSC Report: Cyber threats facing UK law firms

August 14, 2018

A recent report, The Cyber Threat to UK Legal Sector, produced by the National Cyber Security Centre in direct response to a requirement from the legal sector, provides valuable information about the cyber threats the sector currently faces. The 2018 report highlights the growing cyber threat to law firms: there has been almost a 20% rise in security incidents over the past 3 years, with 60% of law firms reporting an incident in 2017.

There’s no doubt that the legal sector is a very attractive target for cybercriminals. Law firms handle a wealth of sensitive personal information, including client data and financial information. Moreover, law firms handle personal as well as commercial transactions daily, so the scope of sensitive information they work with is vast.

With its overview of the most significant cybersecurity threats and its guidance on protection and mitigation strategies, the report aims to raise cybersecurity awareness and experience, and to strengthen law firms’ resilience in the face of cybercrime, as the threat to the UK’s legal sector is very real and growing quickly.

Law firms have a moral and professional duty to make all reasonable efforts to protect the information they handle, so it’s critical that cybersecurity is taken seriously, especially under the current circumstances.

4 Cyber threats facing the legal sector

Cyber threat 1: Phishing

Phishing targets both law firms and their clients and is the most common cyber attack affecting the sector. Approximately 80% of law firms in a recent poll have experienced phishing attempts. Phishing attacks do not require many resources or much technical know-how, yet the potential rewards from a successful scam are high, so this type of attack is a popular and lucrative option for criminals. Last year, the funds stolen from law firms increased by 300% from the previous year.

The NCSC advises a multi-layered approach to protect against phishing attacks and recommends embracing methods that achieve the following:

  • Safeguard users from attackers
  • Encourage users to identify and report suspected phishing emails
  • Protect the organisation from the effects of phishing emails that go undetected
  • Establish robust business processes
  • Be able to respond to phishing incidents swiftly

This highlights the need for user training and awareness, protective measures (access control and data protection) and an actionable incident response plan.

Cyber threat 2: Data breaches

Law firms, in particular, are a target because of the sensitive data they process, and firms that handle politically and commercially sensitive information may be at even higher risk of a targeted data breach. Hacking attempts on law firms are growing, with eighteen law firms reported to have experienced hacking attempts in the two years prior to March 2018 (according to Action Fraud). Although mostly initiated by phishing, these attacks are sophisticated and targeted. Law firms are also vulnerable to the insider threat, which results in data breaches through both accidental and malicious routes.

To protect against data breaches, the security risks to personal data must be managed and the data must be protected (if you don’t protect sensitive client information, you place your entire practice in danger). Proper access control and authentication methods are very important for managing and monitoring user access. All of these will help to minimise the impact of a data breach.

Cyber threat 3: Ransomware

The inability to access one’s data and the loss of control over one’s systems, data and files is a serious concern, and this is exactly what ransomware does. An attack can result in the lockdown of systems, and often the victim’s data is encrypted by the malware, making it inaccessible. The most common vector of attack for ransomware is via email.

Ransomware incidents are common and can cause major business disruption. This malware is typically used for monetary gain (as the name suggests), i.e. access to your data in exchange for money, which is often a cryptocurrency that is not easy to trace. Although there is never a guarantee that once the money is paid you will regain access to your data, victims continue to pay up despite authorities imploring them not to do so and against their better judgement. Organisations that do pay up also invite repeat attacks, as the attackers know there’s a strong likelihood they will continue to do so. So ransomware incidents continue to flourish.

It’s recommended to keep software updated, and to manage and control the software and applications you allow into your firm and install onto your systems. Protect your systems, your devices and your data. Have a functional response plan to follow in the event of an attack. Ransomware mostly exploits existing security issues, so be mindful and take precautionary measures wherever possible.

Cyber threat 4: Compromise of the supply chain

Cyber attacks on third parties (the supply chain) are increasingly resulting in widespread cyber attacks and data breaches. Organisations generally outsource work and use third-party supplier products and systems to fulfil their functions. If third parties fail to secure their systems appropriately and are compromised, this can in turn compromise the organisations engaging them.

The supply chain creates additional avenues to exploit. Although not exclusive to law firms, this avenue of attack can compromise law firms, as their position in the supply chain makes them an attractive target. They mostly handle highly sensitive data and exchanges of substantial sums of money, even the smaller firms. Additionally, law firms have links to thousands of clients, often worldwide.

By finding a weak link in the supply chain to infiltrate, a cybercriminal can use a third party as a stepping stone to reach their target. It’s important that law firms understand the risk that an insecure supply chain brings and put protective and preventive controls in place to reduce it. It’s very important that the third-party suppliers and products you use have an equal or better level of security than your own, and that this security is continuously vetted and maintained at healthy levels throughout your engagement.

All law firms are susceptible to these threats

The report reinforces that all law firms are susceptible to cyber threats, no matter their size.

Ciaran Martin, Chief Executive Officer, NCSC:

“Like all businesses, law firms are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity. Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also their clients. The NCSC is not just here to look after the IT systems of UK government. We are committed to supporting the legal sector and we encourage you all to implement the guidance outlined in this report.”

It’s hoped that the report will be seen as a worthwhile tool for all law firms: sole practitioners, large and mid-size firms, in-house legal departments and global corporate firms. In this way, industry-wide security awareness can be achieved and security best practice encouraged throughout the sector to combat the major cyber threats it is facing.

Legal services continue to embrace new technologies and ways of working; however, the legal profession often lacks the skills needed to implement the good cybersecurity practices that are necessary to counter the security risks that come with these changes.

Law firms must address the gaps in their security with the appropriate data protection and security solutions as well as the necessary employee awareness training, as attacks are on the rise and are more sophisticated and well-resourced than ever before.

National Cyber Security Centre:

https://www.ncsc.gov.uk/