
Area: Legal
Page Type: Content Page
Page Name: Cyber Security and the Legal Sector
Last Updated: 29/01/24
Update Notes:
Reviewed: 25/06/24
Reviewer: JC
Next Review: 25/06/25


The legal sector - an attractive target.
The National Cyber Security Centre has identified the legal sector as a top target for cyber criminals, and it is not difficult to see why. Law practices hold large amounts of sensitive and confidential client information, they handle large amounts of clients' money, and they are key enablers in business and commercial transactions.

Like most modern businesses, law firms are offering more and more of their services digitally, and coupled with remote working and the use of personal devices for work, the opportunities and avenues for cyber-crime have never been greater.

Phishing is the most common cyberattack affecting the vast majority of sectors, and law firms are no exception. It is particularly prevalent in areas of practice such as conveyancing. One scam targeted at law firms is regularly reported in the media and often called 'Friday afternoon fraud'. It involves new home owners, about to complete on their sale, who receive an email or phone call from someone they believe is their solicitor. This person advises them that the bank account details for the large transaction of buying their home have changed and that they need to pay the money into a different account. Sadly, they realise afterwards that the money never reached the solicitor at all and that they have fallen victim to an all too common scam. 75% of cyber-crimes reported to the Solicitors Regulation Authority are 'Friday afternoon fraud', and a recent poll of law firms showed that approximately 80% have reported phishing attempts in the last year.
Data breaches and ransomware are the next most common cyberattacks on law firms, with hacktivism (hacking, or breaking into a computer system, for a politically or socially motivated purpose) a growing threat to firms that might be linked to politically or environmentally sensitive cases.

To a law firm, a good reputation is paramount. Serious, trustworthy, professional and law abiding are all part of their brand. The loss of client information can have a devastating impact on a sector that has confidentiality at the heart of its business.

The security gap

It is clear that the legal sector is aware that it is a high-risk target for a cyber breach, and firms acknowledge they have plenty to lose, yet many practices are not taking sufficient steps to protect themselves. What are the barriers?

Cyber Security is not an IT problem
Legal practices vary in size from huge multinational organisations with thousands of employees and revenues of millions, to a sole practitioner in a small country town operating out of a single office with just a secretary. The majority of law firms are small or medium-sized enterprises (SMEs) and, like most SMEs, they often outsource their IT and mistakenly assume that cyber security will be managed by their IT supplier. Unfortunately, that is often not the case. While many IT suppliers will ensure your systems are secure, many other providers will not. In addition, cyber security is not just IT; it is a critical business issue that is intertwined across all elements of the organisation.

Cyber Security is a culture nurtured by senior management
A typical lawyer will spend their long training and most of their career learning about law, perhaps only starting to manage when they are put in charge of a team or a department.

Most law firms don't have specialist managers, and many don't have a chief executive officer who drives the business through leadership. Instead, large legal practices can be quite complicated organisations with a range of different departments which generally operate in a very siloed way. There may be multiple decision makers within a business, with leadership conducted through a board or a collective of partners who may have competing objectives. Even in a practice with one managing partner who leads the company, that partner is usually also practising law and will be extremely busy and distracted by other things they might consider more important than cyber security.

Busy putting out fires
In any given week, the average law firm is being challenged by a constant flow of anti-money laundering regulations, new solicitors' handbooks and the ever-changing rules in every area of law, while trying to keep on top of the practicalities of implementing all those changes. The impact on the IT department, which is rapidly adapting its technology platforms to accommodate these new rules, means that just keeping everything up and running to earn money is always more urgent and always more important than planning to protect against cyber threats. In a business that charges out its services in six-minute units, no one wants an extra password, time-consuming staff cyber awareness training, or multiple changes to working practices. In a law firm, lawyers are remunerated for generating fee income, not for preventing a cyber attack, and unfortunately this can leave a cyber attack as something to be urgently addressed only when it happens.

Institutions of tradition
Many small legal practices are steeped in tradition and may have done business in a similar way for years. Those in the industry talk of a strong 'it won't happen to us' belief, and this may be easy to perpetuate because the firms that do face an attack are loath to say anything about it.

Government approved scheme not prioritised
The Law Society has Lexcel as its legal practice quality mark for client care, compliance and practice management. The Lexcel standard recommends that law firms 'should' get themselves Cyber Essentials certified; however, it does not stipulate that a firm must. For one reason or another, many law firms decide to write the document to justify why they think they don't need it.

What should your Law firm be doing?
Jennifer Williams sets out some simple guidelines for legal firms.

  1. Certify the basics, gain Cyber Essentials.  This helps provide reassurance about your cyber security credentials to the business and, just as importantly, your clients.

  2. Audit your IT team or provider.

  3. Implement DMARC. (Domain-based Message Authentication, Reporting and Conformance is an email validation system designed to protect your company's email domain from being used for email spoofing, phishing, scams and other cyber-crimes.)

  4. Much of your cyber security posture is publicly searchable. Find out what criminals can see about your firm.

  5. Train your staff.

  6. Test response plans (how would your firm cope if attacked?).

  7. Encrypt important emails.
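As an added example, not code from the original page or its author, the Python script below parses a DMARC TXT record of the kind published at _dmarc.<your-domain> and reports the settings that still leave a firm's domain usable for spoofing: a monitoring-only p=none policy, a partial pct, a weaker subdomain policy, missing aggregate reporting, and relaxed alignment. The record strings, example.com domains and mailbox names are constructed for illustration and belong to no real organisation.

```python
"""Assess a DMARC TXT record for settings that leave a domain spoofable.

Added example, not code from the original page. The records below are
constructed samples; the domains and mailboxes are placeholders.
"""

# Constructed sample records, written as they would appear in the TXT entry at
# _dmarc.<domain>. None of these belongs to a real domain.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "enforced": ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                 "ruf=mailto:dmarc-failures@example.com; adkim=s; aspf=s"),
    "not_dmarc": "v=spf1 include:_spf.example.com -all",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags.

    Raises ValueError when the string is not a usable DMARC record.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (first tag must be v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings about weak settings; an empty list means enforce-and-report."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return [f"invalid: {err}"]

    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is sent to spam rather than rejected")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy!r}")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw!r} is not a number")
    elif int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: policy applied to only {pct_raw}% of failing mail")

    # Subdomains inherit p= unless sp= overrides it.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: mail from subdomains is not rejected")

    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")

    # Relaxed alignment (the default) lets any subdomain satisfy SPF/DKIM alignment.
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed alignment; review whether strict (s) is possible")
    return findings


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"[{label}] {record}")
        for finding in assess_dmarc(record) or ["no weak settings found"]:
            print("   -", finding)
```

To check a live domain, look up the TXT record at _dmarc.<domain> (for instance with `dig TXT _dmarc.example.com`) and pass the string to assess_dmarc(); an empty list means the record both rejects failing mail and sends aggregate reports. The adkim and aspf checks are deliberately strict: relaxed alignment is a legitimate choice where mail is sent from subdomains, so treat those two findings as points to review with your IT provider rather than as faults.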

...