Cyber Security within the Legal Sector
In July 2018, The Law Society and the National Cyber Security Centre released a joint report outlining the threats to the legal sector. The report confirmed what most of us working in the sector knew – that the industry has a low level of cyber maturity, meaning that weak controls on one side, and the lure of client funds on the other, make it an attractive target for cyber criminals.
The resulting impact is seen in the statistics published in the report: more than £11 million of client money was stolen by cyber criminals between 2016-17 and 60% of law firms admitted suffering from an information security incident in 2017 – an increase of almost 20% on the previous year – with ransomware being a particularly prevalent method of extortion.
Despite the existence of a number of helpful security frameworks and guidance – some of which are now on their second or third iterations – the legal sector remains slow to adopt these. The continued use of paper and coloured ribbons, in combination with the love of traditional processes and lower levels of automation has not prevented solicitors from being targeted by cyber criminals. Indeed, the reluctance to accept processes or procedures which might ‘get in the way of the business’ and the strength of personality from certain partners ‘to get things done’ can lead to a culture within law firms where security controls are weakened or not adopted, thereby further increasing the likelihood of attack.
As a specialist information and cyber security consultancy, one of the greatest vulnerabilities we’ve encountered is where C-suite executives and similar VIPs request that security controls be relaxed to make their working lives easier. This is exploited by either lucky hackers (executing a ‘drive by’ attack) or those who are more persistent, using the large social media footprint that some executives leave to specifically target individuals into clicking a phishing email. Once malicious code is installed or a user’s credentials are re-entered into a fraudulent site, the expected IT controls are effectively circumvented, on the basis of – supposedly – making the lives of a select group of individuals easier.
Written by E.Spenwyn