The legal profession and cybersecurity—Are you protected?
Cybersecurity filled the headlines of 2018, with large mainstream companies such as Facebook, British Airways and FIFA all experiencing catastrophic security breaches of users’ data and sensitive business documents. Alongside the headlines, May 2018 also saw the implementation of new data protection requirements under the GDPR, which increased businesses’ need to protect their clients’ data. As the hidden risks of cybersecurity begin to breach the surface, in our recent Is Your Tech Smart? report, LexisNexis uncovered that law firms feel cybersecurity is the third most urgent challenge they are facing.
By nature, the legal profession is a sensitive line of work, making firms attractive to cyber criminals seeking client information, case documentation and, among other things, funds for commercial and business transactions. PWC revealed that in 2017 alone, 60% of law firms reported information security breaches, up from 42% in 2014. With an increasing number of these incidents being identified, it’s clear that the UK legal sector is experiencing a significant and growing cyber threat.
Cybersecurity threats can sometimes be motivated by information gain, for example nation states wanting access to information which will give them a strategic or economic advantage. More often, however, these threats are financially motivated, and this especially applies to the legal profession. As a profession that values its financial reputation, the legal sector can be significantly injured by cyber attacks, making reputational damage hard to repair and public trust hard to regain. In 2016-17, for example, the SRA reported that more than £11m of client money was stolen due to cyber crime. As well as the legal sector having a high financial turnover, smaller firms are often seen as an ‘easy target’ because they hold significant client funds but have patchy cyber protection resources. They also usually have a small team managing the entire business’s infrastructure, with limited IT resources.
Cyber criminals are known to use a variety of methods to hack into security systems and retrieve the information they need. The Law Society identified in a June 2018 survey the top three types of attacks being witnessed by law firms. Phishing emails were one of the biggest concerns, with 81% of those surveyed suffering from hacker attempts to obtain financial or confidential information by sending fraudulent emails to people at the firm. These emails can be difficult to spot due to ‘spear phishing’—personally targeted emails which may include some readily available information about you, such as your name or place of work.
A study at the University of Twente, which sent out approximately 600 fake emails to its faculty members, found these emails to be so dangerous because: ‘people tend to presume that another person’s communication is honest. This has to do with truth bias, people’s basic desire to believe what they hear and see’. Following on, the Law Society also identified that 53% of surveyed firms had been exposed to spoofing, whereby a hacker attempts to get financial or confidential information from third parties by impersonating your firm, either by sending emails or by hosting a fake website. Often, when ‘cyber crime’ is mentioned, one thinks of viruses, spyware or malware attacks—malicious software designed to perform damaging operations on a computer—but surprisingly only 47% of surveyed firms reported attacks via such methods.
Concern over cybersecurity is growing in the legal sector, with more and more firms asking themselves the vital question ‘Are we prepared?’. The National Cyber Security Centre (NCSC) has outlined a ten-step guide for board members to help them ask the right questions about their firm’s cybersecurity. LexisNexis also offers a Cybercrime risk assessment precedent which can be used to help ‘identify your critical IT/data assets, consider the most likely targets and potential types of attack, and pinpoint effective defenses against those specific types of attack’.
We have identified three top tips for mitigating these risks (please do not rely on these tips as legal guidance).
Always be aware of human error—however sophisticated the technology, it is always subject to human error. Although many perceive cybersecurity as solely an IT issue, ensuring all your staff, not just fee earners and the accounts team, are trained on the dangers of cyber crime will help mitigate this risk. The government offers a guide to ‘securing your information’ to help you educate your workforce on protecting data.
Protect against phishing—as highlighted, phishing emails are the number one worry for the majority of law firms. The NCSC suggests a multi-layered approach: making it difficult for attackers to reach your users, helping users identify and report suspected phishing emails, protecting your organisation from the effects of undetected phishing emails, and responding quickly to incidents. The Centre also notes that larger law firms should take this further by implementing processes to verify (via independent means) invoices and account details for money transfers, using ‘cooling off’ periods before account details can be changed for high value transactions, and encouraging a culture where suspicious transactions are queried and rushed or improperly validated payments are refused, among other things.
Understand the technologies of your marketplace—keeping up to date with the new technologies around you means you’ll have a wider grasp of both threats and available security. Regular meetings should be held with suppliers, and you should attend forums and exhibitions to keep abreast of what is happening and available in the marketplace.
With technological advances only growing across the globe, these cybersecurity threats are bound to develop and evolve over the coming years. The risks are definitely not going away, so law firms should make sure they are protected.
For more guidance and support on compliance, find out about LexisPSL Practice Compliance here.