Cyber crime is absolutely everywhere now and the legal profession is at particular risk of being targeted. That’s because of the sensitivity and the value of the data that legal firms hold on their personal clients, commercial clients, and clients in the public sector.
Four-and-a-half million cyber-crimes took place in England and Wales in the last recorded period, according to the Office for National Statistics. Surprisingly enough, that figure was actually down on the previous year, with the improvement being credited to more sophisticated anti-virus software and greater public and commercial awareness of the issue.
However, cybersecurity is an ongoing arms race with two equally motivated opponents in constant battle with each other – the criminals trying to get into your computer and the companies trying to prevent them from doing so. Around three quarters of all cyberattacks are fraud related – in 2017, a total of £130 billion was stolen from 17 million UK citizens, according to the Guardian.
In 2019, what do the cybersecurity team here at Sprout IT believe are the most persistent ongoing threats for the year and what do they believe are threats on the horizon?
Hacked email accounts are a point of particular vulnerability for legal professionals. The Texas Lawyers’ Insurance Exchange issued members with a warning that extra care should be taken by solicitors and barristers if they receive an email with an attachment from someone they appear to know where “something does not feel right”.
On their advisory page, they included an example of one such email on which the cyber criminals placed a fake telephone number for the lawyer whose identity they were spoofing. When the number was called, the person on the other end of the phone insisted that they open the document straight away and that the document was safe.
Thankfully, the legal professional involved trusted their instinct and spotted this as fraudulent.
Spoofing is when a cybercriminal disguises their true identity behind another identity which is trusted and known by the people or companies they are targeting. Emails can be spoofed, as can caller identification systems, IP addresses, websites, DNS systems, and Address Resolution Protocol (ARP) systems.
Spoofing is used to obtain confidential and/or financial information from third parties in order to impersonate you or your firm – this is the technique which has been used to great success by criminals in conveyancing fraud.
Ransomware has been around for decades; however, it really hit the headlines here in the UK with the WannaCry attack. The attack was worldwide but, here in Britain, it exposed the vulnerabilities of the NHS’s IT systems in particular, leading to a few days of organisational chaos.
Ransomware blocks access to a computer and/or the information stored on it until a sum of money is paid to the criminal gang controlling the ransomware. This is a particular threat to legal firms and the best-known attack on a firm in this sector was the attack on DLA Piper in June 2017 (source: Fortune).
Although no data was taken and there was no breach of client confidentiality, the company was forced to shut down parts of its digital communication systems for a number of days. A large number of staff were informed by the company’s IT managers that they should not switch their computers on at all until the crisis was resolved and many colleagues had to communicate with each other during the disruption via text message.
If your firm falls victim to a ransomware attack, avoid paying the ransom for as long as you possibly can and contact an IT firm with file recovery expertise to help manage the situation.
Consequences of poor cybersecurity arrangements
In January 2018, security firm RepKnight reported that it had found a database containing 1,159,687 email addresses from the top 500 UK legal firms on the Dark Web, an average of 2,000 a firm. 80,000 of the email addresses were from the Magic Circle and one of the larger firms on the database had over 30,000 of its email addresses compromised. 80% of the email addresses discovered were accompanied by information on the passwords for those addresses.
Security experts worry that this information could be used by criminals in a variety of different ways, from spear-phishing attacks (a specialist type of email spoofing whose purpose is to use false credentials to find out company trade secrets or for financial gain) to hacking into online banking or social media accounts (the reasoning behind this being that most people use the same password to gain access to multiple online services).
The Law Society Gazette reported that one of the country’s largest Legal Aid firms, Duncan Lewis, employing more than 420 staff, suffered a data breach which culminated in the posting of some of its employee and client contact data on Twitter. This came a few months after Anthony Gold Solicitors was hacked, leading to the sending of 16,000 emails to clients urging them to open a suspicious attachment (source: The Law Society Gazette).
These incidents are worrying enough. After all, solicitors’ practices and barristers’ chambers require the ongoing trust of clients to continue operating and the loss of information through poor cybersecurity has always posed a particularly serious threat of reputational damage.
However, this may be the least of their concerns as legal firms whose IT systems and internal practices are not robust enough to cope with cyber attacks may themselves be in danger of having legal action taken against them.
This happened to Johnson & Bell, a legal firm serving clients in Indiana and in Illinois, whose clients (present and past) joined together to sue the firm over "alleged negligence concerning the insecure handling of confidential client information" (source: Jefferey Katz on LinkedIn Pulse). Surprisingly, the company had not actually experienced a breach; however, one client alleged that its current cybersecurity arrangements had “numerous vulnerabilities” which left it exposed.
Be cyber-aware with Sprout IT
Sprout IT provides high quality legal IT support, cloud and consultancy for the legal industry, with 24/7 service, 365 days a year. We have been promoting data security and utilising the best cyber resilience technology and techniques since we began. We believe in building and testing the most suitable technology products and solutions for each of our clients. That's because building your cyber and reputational resilience is critical in Legal IT.
To speak with one of our team about protection for your solicitors’ practice or barristers’ chambers against the growing threat of targeted cyberattacks, please call Sprout IT today on 020 7036 8530 or email us.