Legal firms, large and small, are very attractive targets for cyber-attackers for a number of different reasons. According to the National Cyber Security Centre and the Law Society, the three most important of these reasons are:
- sensitive client information,
- access to the significant company and client funds often held by solicitors’ practices and barristers’ chambers (£731,250 of client money was lost between January and June 2019),
- and the commercially confidential information they hold on corporate clients
From Sprout IT’s general work with partners and IT heads in the legal sector, we can see how many of you genuinely appreciate the seriousness of the current threat of becoming the victim of a cyberattack.
You are right to do so – 60% of UK law firms reported “suffering an information security and data loss security incident in 2018” [3]. In 2019, the situation worsened further. The 2019 report [4] by Crowe, KYND, and the University of Portsmouth’s Centre for Counter Fraud Studies into the preparedness of British legal firms against information security and data loss security incidents found the following:
- 91% have had either their website address or email servers spoofed
- 80.5% of firms’ IT systems featured one or more hardware or software components with a well-known vulnerability whose presence could be exploited by cyber-attackers
- 21% of legal firms’ IT systems (including the devices connecting to those IT systems) used software which was either out of date or which was no longer supported by the vendor
- 23% of companies in the legal sector had one or more security certificates which had been distrusted, revoked, or had expired – preventing clients and other stakeholders from being able to connect securely
- 79% of firms had one or more website domains not registered to the company but to an individual – a significant red flag over future control of those domain names and the ability to continue to trade with them
The National Cyber Security Centre and the Law Society go on to warn that, although most attacks are currently financially motivated, cyberattacks are now being used by governments to “gain strategic and economic advantage”. But how cyber resilient are British law firms? In recent weeks, we carried out a survey of a select group of solicitors’ practices and barristers’ chambers and, in this white paper, we present the results together with the latest advice from our experts on building cyber resilience into your legal organisation.