We've previously blogged about the fraud threat landscape facing legal firms, which outlined a range of risks that practitioners should be thinking about and guarding against.
We started by talking about cybercrime, as it is such a huge challenge for firms and something that keeps many partners up at night. This was once a peripheral issue, an outlier, but not any more. Cybersecurity is something that everybody in the legal profession should be taking incredibly seriously. Here’s why:
Sizing up the problem
A study of 200 of the country’s biggest law firms found that – due to substandard IT security – more than 90% are exposed to being scammed or having clients’ confidential data stolen or compromised. The estimated cost of a single data breach in the UK is £2.37 million, and in 2018 alone, over £11m was stolen by hackers from UK law firms.
Attackers don't discriminate between large and small legal firms, although smaller firms are often seen as soft targets, since they are less well equipped than national and global organisations when it comes to cybersecurity. Even after an attack has taken place, many don’t realise they’ve been compromised. Significant financial and reputational damage can be done in the time it takes to uncover a breach in the firm’s defences.
The nature of the beast
No two cyber-attacks are the same, and they can take very different forms.
- Phishing – criminals masquerade as a trustworthy source via email, seeking to obtain sensitive information or gain access to client funds. Spear-phishing involves a more highly targeted approach that seeks to exploit staff in critical functions. Phishing is an epidemic in the legal industry. Indeed, 100% of the UK’s top ten law firms suffered at least one phishing attack last year, according to the PWC ‘Law Firms’ Survey 2019’.
- Ransomware – attackers target hardware (both computers and phones) and refuse to relent until a ransom has been paid. This form of attack is typically perpetrated via unsolicited emails, whereby unsuspecting employees click on links that appear genuine. In 2017 DLA Piper suffered a ransomware attack that caused disruption for a number of weeks. It remains the biggest cyber-attack to ever affect a law firm.
- Data breaches – cyber criminals seek to target vulnerabilities in legal firms’ websites to infect users with nefarious software. In 2016, law firm Mossack Fonseca suffered a data breach that came to be known as the “Panama Papers” hack. It lost the largest amount of data ever recorded (2.6 terabytes) and the firm was forced to close.
From these examples it’s apparent that cyber criminals don't just steal client funds; they steal data, too. This can be even more valuable and lucrative than hard cash, with other criminals paying large sums to obtain confidential information about individuals and organisations that rely on solicitors for legal advice.
Meeting the challenge head on
The challenge posed by cyber-criminals is formidable, but not insurmountable. Firms should first and foremost conduct a thorough audit of cyber security, taking action to ensure that vulnerabilities are addressed. This may well require additional investment in advice and services from specialist security providers. In the current environment, with the volume and severity of cyber-attacks increasing all the time, this is a cost of doing business.
Equally crucial to the security of the firm is the culture instilled by management. Senior partners need to promote awareness of cybersecurity and the inherent risks. This can be achieved via a progressive approach to education that focuses on training staff on how to identify potential threats and minimise risks, including things to consider while working from home.
Shieldpay’s Head of Financial Crime, Metkel Asfaha, shared his thoughts on the challenges. “Having firewalls and robust controls will come to nothing if staff are unaware of these risk types. The best step a business can take to mitigate cybercrime risks is to ensure all staff have been appropriately trained on how to identify them.”
Join forces with other firms
To further help firms protect themselves, the National Cyber Security Centre (NCSC) and its industry partners have launched the ‘Legal Sector’ group on the free Cyber Information Sharing Platform (CiSP).
This is a joint industry and government initiative set up to exchange cyber threat information in real time. It enables UK legal firms to share information about cybersecurity in a secure, confidential and dynamic environment, increasing situational awareness and reducing the commercial impact of attacks. You can join here.
Generally, legal firms are data controllers, and as such, they handle huge volumes of confidential information and client monies on a daily basis. Developing a robust understanding of cybersecurity risks is no longer a nice-to-have – it’s a commercial necessity, particularly in a post-GDPR world. In truth, cyber security is more than an IT issue; it’s a strategic risk management issue with implications for the wider firm.
Shieldpay's platform is designed to provide transparency, with the highest levels of security to ensure that funds always end up in the right hands. Email Ciara Snowball or head to our Professional Services page to find out more about our service for firms.