It can’t have escaped your notice the spate of highly publicised cyber attacks hitting the legal sector, Ward Hadaway, The Bar Council and Bar Standards Board and Tuckers have all been crippled making firms sit up and take notice.
Types of attacks hitting the legal sector
In the world of cybercrime Law firms’ data is a highly valuable tangible commodity. A survey on all business sectors by Aon insurance demonstrated that professional services attacks make up 25% of all claims. The modus operandi is usually they get in, steal law firms data, sit and wait, encrypt the systems and threaten to release the stolen data unless the ransom is paid, otherwise known as double extortion. Whilst you may be able to restore your data from backups it is too late to stop the data from getting into the hands of criminals and potentially into the public domain.
Although larger firms are not immune, smaller firms who may have lower cyber security maturity are ones who are mainly being exploited, companies with 1,000 or fewer employees represent 81% of attacks.
Other common attacks originated in conveyancing – Business Email Compromise (BEC) the hackers get access to your emails, find invoices containing payment details doctor those details resulting in payments going to the hackers not to the intended recipient.
This is subject of a High Court case in relation to a Constable painting, intercepted emails sent between Rijksmuseum Twenthe, in the Netherlands, and London art dealer, led to £2.4m being sent to a bank in Hong Kong, the case is about who now owns the painting.
How cyber criminals gain access to our systems?
Hackers have long-established methods of gaining access, the most common methods are:
- Phishing
- Malware
- Vulnerability exploits
- Brute-forcing an RDP server
- Stolen credentials
Phishing is by far the most common way to access a system. Once in they’ll assess and exfiltrate all your most valuable sensitive data as this has more value. The hackers will either take your data over a period of time whilst you’re unaware they are in your systems then encrypt everything or they’ll get in, encrypt everything to lock you out and start downloading.
Pay up or get breached
As they claim to have all your data and client files the hackers now threaten to leak it if the ransom isn’t paid. Imagine the sick feeling in the pit of your stomach if they were to publish the stolen data for all to see…. Knowing how valuable that data is to you gives the hackers additional leverage to collect ransom payments.
The current fate of Ward Hadaway solicitors, hackers currently demanding $6m in bitcoins to halt the release of client data.
What are the consequences?
Even when you’re back up and running the list of long-term knock-on effects can last YEARS!
- Financial cost of the impact and recovery.
- Reputational damage – will your clients trust you with their data?
- Regulatory fines – the wrath of the ICO and the SRA
- Legal action – from all angles, breach of contracts and being sued by clients.
We’re ok – we have our own IT
There is an often an over reliance and blind faith in your IT department or outsourced provider, like Law with its many areas of specialism, IT is no different. There is a big difference from IT helping supply laptops and case management logins and ensuring everything runs smoothly to ensuring you have the appropriate security and cyber security in place for your firm. Cyber Security is not an IT issue and unless you have a dedicated cyber security department you are leaving yourself vulnerable having faith in your IT department, a different discipline than Cyber Security. The question is how can you protect your firm?
How can we protect ourselves?
Partners need to think when the firm will be attacked not if….hackers only need to get it right once, you need to protect your data every time.
It’s a big subject area but here are some basics which can help bolster your defences:
- Enable 2 factor authentication – this means you login with your password and also have to enter a secondary pin code generated using an app such Microsoft authenticator or receive a secondary SMS. Cloud based systems, Case management systems, LinkedIn etc all support it, then should anyone try and login using your password, you’ll be notified.
- Back up your data – ensure you have a copy someone separate from any cloud systems
- Install Anti-virus software – ensure auto updates are on this will reduce likelihood of viruses getting onto your devices.
- Software patches – ensure your devices (phones, tablets and laptops) are set to auto update for example Windows, IOS.
- Passwords – Change default passwords on devices, use 3 words and NOT predictable such as password123 or commonly guessable passwords such as your children’s names
- Training – Cyber awareness training for all your staff to ensure they can spot things like phishing as it’s the MOST common way hackers get into your systems, by clicking on a link or downloading something nasty. Phishing can be via emails, texts and someone contacting you by phone, your staff need to spot it
Emma Green Managing Partner of Cyber Data Law Solicitors
Join nearly 5,000 other practitioners – sign up to our newsletter
