Why are legal firms such attractive targets for hackers?
- November 21, 2017
It’s not difficult to see why law firms are prime targets for cyber-attackers, given how much valuable personal, business-critical and commercially sensitive information they hold. A firm specialising in, say, commercial property and dealing with funds transfers could give a determined hacker a highly profitable source of information for relatively little outlay. In fact, ‘Friday afternoon fraud’, where law firms are tricked into giving bank details to fraudsters, most commonly during the completion of conveyancing transactions, is now the biggest cybercrime afflicting the legal sector.
1 in 5 UK law firms targeted by hackers last month
And while this obvious vulnerability could lead many to believe that firms are braced for such attacks, new research suggests otherwise. A recent report reveals that a fifth of UK law firms have been targeted by hackers in the last month alone. This isn’t a small group of poorly protected businesses, either: The Law Society found that 65% of firms have been victims of a cyber incident at some point.
Prepare – or be doomed
Firms need to be prepared for the increased threat cybercrime poses to their practice, something that London School of Economics cyberlaw lecturer Mark Leiser warned of earlier this year: “a law firm that relies on passive defences [such as a mitigation plan in case of an attack] is doomed.” Sobering words, indeed, yet according to The National Cyber Security Centre, only 35% of law firms have a mitigation plan and even fewer have active defences which detect cyber-attacks before they happen. Awareness and resilience within the legal sector clearly don’t match the threat or the potentially catastrophic consequences of such an attack.
The aftermath of a cyber-attack
So, what ‘doom’ might ensue? A cybersecurity attack may compromise a company’s infrastructure, its data (including that of its customers), its functionality and also its reputation. If that weren’t enough, when the EU’s General Data Protection Regulation (GDPR) comes into force in May 2018, the penalties for failing to prevent such breaches will be high: for serious violations, there will be maximum fines of €20 million or 4 per cent of annual turnover.
Ensure you have cyber security expertise
It is clear that those in the legal sector must not be complacent about security or assume that they are safe from the potential risk. We can assume that as we look to the future, cyber-attacks will only get more sophisticated. Cyber-security really does need to be a board-level priority, and employees across all levels of a company should receive regular training about its importance so that there is a culture of compliance. Crucially, there must be the technical ability and procedures in place to detect, report and investigate a breach. Businesses must examine whether they have the in-house skill sets to protect themselves and their clients, rather than finding out in the worst possible way that they are woefully underprepared. The NCSC’s guide ‘Ten Steps to Cyber Security’ is a useful starting point. However, it may be the case that businesses need to seek the advice of expert IT providers or hire more talent to ensure that the proper technical measures are in place. Going forwards, some firms will look to refocus their hiring strategies to ensure that they have cyber security specialists at hand to provide ongoing and up-to-date expertise, but these individuals will be highly sought after. Regardless of how this bolstering of security takes place, it is clear that doing so is imperative: firms that fail to do so are leaving themselves extremely vulnerable to very serious consequences.
Is your firm prepared for the growing threat of hacking and cyber attacks?