The threats posed by Cyber Attacks in the Legal Industry

16/10/2019 | Daisy McElherron

There are around 4,000 cyber attacks every day, roughly 170 an hour or three every minute (CBS News). Over the years there has been growing awareness that law firms need to increase their cyber maturity and resilience, with reports suggesting that 73 of the UK's top 100 law firms are regularly targeted by cyber criminals (CYFOR blog).

Law firms hold large volumes of personal and sensitive information about the firm itself, its employees and its clients within their matter management processes, which makes them highly attractive targets for cyber criminals. The threat applies to firms of every size and practice area. The American Bar Association stated in 2018 that law firms are

“custodians of highly sensitive information, they are therefore inviting targets for hackers and are facing a major professional responsibility and liability threat facing the legal profession.”

From 2019 onwards, senior decision makers in the legal sector are expected to drive the adoption of cyber security practices. Cyber security risk must be embedded within business strategy in the same way as any other operational risk, and treated as a critical priority.

Law firms face a number of cyber threats on a day-to-day basis and should be more aware of them, given the damage such threats can cause.

Regular threats that are faced in the Legal Industry include:

1. Phishing

Phishing is a type of social engineering in which attackers trick users into disclosing confidential information or clicking a malicious link (TechTarget). Phishing messages most often arrive by email, but they can also be delivered by text message, social media or phone. Phishing attacks target not only law firms but also their clients: attackers send emails that look like legitimate firm correspondence to trick clients into sending personal or confidential data to the attacker, believing they are sending it to their trusted law firm.
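The spoofed-sender pattern described above can be caught at the mail gateway by comparing each sender's domain with the firm's own. The following is an added example, not code from the original post or from SaltDNA; the firm domain "example-law.co.uk" and the sample addresses are constructed assumptions. It classifies a sender as internal (the firm's domain or a subdomain of it), a lookalike (homoglyph or digit substitution, top-level domain swap, the firm's name embedded in another domain, or a one- or two-character typo) or external.

```python
"""Classify the sender domain of an incoming email as internal, a lookalike
of the firm's own domain, or external.

Added example, not code from the original post or from SaltDNA. The firm
domain "example-law.co.uk" and the sample addresses are constructed for
illustration (assumptions, not real data).
"""
import unicodedata
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.co.uk"  # assumed firm domain

# Substitutions attackers use so that a domain reads the same at a glance:
# letter pairs that look like one letter, digits for letters, and Cyrillic
# letters that are visually identical to Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalise(domain: str) -> str:
    """Lower-case, Unicode-normalise and collapse confusable characters."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    for lookalike, plain in CONFUSABLES.items():
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as 'exmaple-law'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, firm_domain: str = FIRM_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid'."""
    _, addr = parseaddr(address)          # strips any display name
    if "@" not in addr:
        return "invalid"
    sender = addr.rsplit("@", 1)[1].lower().rstrip(".")
    firm = firm_domain.lower()
    if sender == firm or sender.endswith("." + firm):
        return "internal"                 # the firm's domain or a subdomain of it

    n_sender, n_firm = normalise(sender), normalise(firm)
    if n_sender == n_firm or n_firm in n_sender:
        # homoglyph/digit swap, or the firm's domain used as a prefix of
        # another domain ("example-law.co.uk.secure-docs.net")
        return "lookalike"

    firm_label = n_firm.split(".")[0].replace("-", "")
    labels = [lab.replace("-", "") for lab in n_sender.split(".")]
    candidates = labels[:-1] or labels    # ignore the top-level label
    for lab in candidates:
        # TLD swap ("example-law.com"), added words ("examplelaw-portal"),
        # or a one-or-two character typo of the firm's name
        if firm_label in lab or levenshtein(firm_label, lab) <= 2:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not real messages.
    for sample in [
        "Jane Smith <jane.smith@example-law.co.uk>",
        "no-reply@mail.example-law.co.uk",
        "jane.smith@examp1e-law.co.uk",        # digit 1 for letter l
        "jane.smith@ex\u0430mple-law.co.uk",   # Cyrillic a
        "accounts@example-law.com",            # TLD swap
        "accounts@example-law.co.uk.secure-docs.net",
        "jane@exmaple-law.co.uk",              # transposition
        "client@gmail.com",
    ]:
        print(f"{classify_sender(sample):<10} {sample}")
```

The edit-distance threshold of 2 suits a firm name of ten or so characters; a firm with a very short name would need a smaller threshold, or a check only on the other rules, to avoid flagging ordinary external senders. The check is a first layer only: a "lookalike" verdict should quarantine or tag the message for review rather than drop it outright, and it says nothing about a genuinely compromised mailbox at the firm's real domain.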

This is not a recent phenomenon; it has been going on for years and remains a continuous problem that still needs to be addressed. The World Trademark Review (WTR) reported 32 phishing attacks on law firms between April and July 2019. The Solicitors Regulation Authority also observed in 2019 that of the 52% of law firms that had experienced some kind of cyber attack, 80% had experienced phishing. Together these figures highlight the strength of the phishing threat to the legal industry. According to Osterman Research (ABI), attackers have become more successful in their attempts against law firms and their information over the last number of years, and their techniques continue to improve, which further increases the need for the legal industry to have solutions in place to prevent attacks such as phishing.

2. Data leakage/breach

A data breach is the loss of critical and confidential internal or client information. For a law firm this strikes directly at confidentiality, which is at the heart of its business model. Data breaches fall into several types, and most law firms will face each of them at some stage.

Insider threat of information leakage:

Here the threat originates from within the law firm itself, where staff already have easy access to the sensitive information it stores. An insider threat can be either accidental or malicious. IT Security Central (ISC) lists motivations for malicious insiders including sabotage, espionage, insider trading, activism and sale of data on the black market. Malicious activity can include the unexplained loss of external drives or devices, and the taking of data to blackmail the firm or to set up a competing practice. According to recent security breach research, 75% of incidents are due to insider threats.

User Error:

Information can also be leaked or lost simply by mistake. Human error, such as opening an email attachment or website containing a malicious link, or working over public wifi, can trigger some of the most damaging cyber attacks. Such individual errors are incredibly costly and at times result in legal action.

Hacking:

Hacking is one of the most common forms of data leakage, with 40% of law firms having experienced a hack, some without even knowing it (Disruptor). Hacking refers to unauthorised intrusion into a computer, network or system. According to Action Fraud and the NCSC, between 2016 and March 2018, 18 law firms reported hacking attempts, often carried out by sophisticated cyber actors or organised crime groups.

There are many examples of law firms that have fallen victim to hacking. In March 2018, Duncan Lewis (Ciowater), a UK firm of solicitors, had customer data published on Twitter via a shared folder, costing it high-profile and high-net-worth clients. Similarly, in the 'Panama Papers' case (Lawyer Monthly), the offshore Panamanian law firm Mossack Fonseca was forced to close completely in March 2018 as a result of irreversible damage from more than 11.5 million documents being leaked to the public by an anonymous source. The documents revealed detailed financial data and other attorney-client privileged information, including Mossack Fonseca's creation of shell companies used for illegal purposes. Many wealthy individuals and public officials were implicated by the leak.

3. Ransomware

Ransomware is a type of malicious software (malware) designed to deny access to a computer system or its data until a ransom, a sum of money demanded by the attackers, is paid. Paying the ransom does not guarantee that you will regain access to your data, and attackers may conclude that you will be willing to pay again in the future. Ransomware typically reaches a user's computer via drive-by downloads, email attachments or malvertising: the attacker identifies a vulnerability in an application, or relies on a user opening an attachment, and uses it to deliver the malware to an unsuspecting user, in this case at the law firm. Once executed, the malware installs itself on the computer and, where it has been built to spread, searches for the most valuable reachable locations, such as network shares, to encrypt and copy itself to, in order to cause the greatest damage.

Ransomware is becoming more and more common: the Cyber Security Breaches Survey 2019 states that 49% of businesses reported at least one cyber attack in 2016, and at least 39% of these involved ransomware. Financial costs are not the only costs law firms have to worry about: a firm can be locked out of its IT systems entirely, unable to meet important client deadlines, access important files or attend court dates.

One of the most famous examples is the law firm DLA Piper, which suffered a ransomware attack in June 2017 during a wider outbreak reported to have affected 200,000 computers in 150 countries within 24 hours. The firm had to shut down its digital operations around the world while dealing with the attack, including resorting to contacting staff by text message. Nearly two weeks after the attack it still had not regained complete access to emails sent or received, causing great disruption.

At times, as a result of such an attack, a law firm risks being accused of malpractice by its clients. This was the case with Johnson and Bell, which was taken to court by former clients over its lax cyber security practices. The National Cyber Security Centre revealed that UK law firms have lost £11 million of client money to cyber crime, reinforcing the fact that cyber crime affects not only the firm but its clients directly.

4. Supply chain compromise

Supply chain compromise is a cyber attack that seeks to damage an organisation by targeting less secure elements of its supply network. Supply chain attacks increased by as much as 200% in 2017. In a law firm, such an attack occurs through the exploitation of third-party data stores or software providers; one of the biggest issues is a third-party supplier failing to adequately secure the systems that hold sensitive data (Computer Weekly). The NCSC states: “A law firm’s position in the supply chain can make them an attractive target for a cyber attack.” Cyber criminals can observe the progress of a transaction and strike when money is about to be transferred. State actors can also target a law firm as a vector to gain access to its corporate clients and their information (National Cyber Security Centre 2019).

Solutions to protect the legal industry against cyber threats

Phishing

  • Make it difficult for attackers to reach your users.
  • Staff education and formal business processes around opening certain emails.
  • Ensure the law firm is using a wide array of technical security tools and has these actively monitored by a cyber security specialist.
  • Protect your organisation from the effects of undetected phishing emails.
  • Respond quickly to incidents.

Ransomware

  • Protect devices and keep them up to date
  • Back up all important content.
  • Protect your organisation and business processes.
  • Ensure you understand what to do if your firm has been infected.
  • Carry out a cyber health check often, looking to find areas of potential vulnerability.
  • Consider putting in place hardware and software defences such as firewalls or a Unified Threat Management device.

Data Breach

  • Manage security risks to personal data.
  • Protect personal data against cyber attack.
  • Detect potential security incidents and monitor user access.
  • Minimise the impact and limit data access.
  • Invest in a closed secure communications platform to protect sensitive information and client data against cybercriminals, such as SaltDNA.
  • SaltDNA works with law firms globally, providing a secure haven in which firms can communicate confidential and sensitive information about critical events in real time through its award-winning secure communications solution.
  • They can also use the SaltDNA platform to communicate securely with clients in regards to the legal matter at hand.
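"Detect potential security incidents and monitor user access" is the control that catches the insider threat described earlier, where someone with legitimate access to the document management system starts pulling far more than their work requires. The following is an added example, not code from the original post or from any SaltDNA product. It assumes a simple audit-log format (timestamp, user, action, matter id, document id) and sample log lines that are constructed for illustration; the thresholds are assumptions to be tuned against a firm's own baseline. It flags three patterns: many downloads in a short window, downloads spanning many unrelated matters, and downloads outside working hours.

```python
"""Flag bulk or out-of-hours document access in a matter-management audit log.

Added example, not code from the original post or from any SaltDNA
product. The log format (timestamp user action matter document) and the
sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: alice and carol show ordinary working
# patterns; bob downloads documents from several unrelated matters in
# quick succession late at night.
SAMPLE_LOG = """\
2019-10-14T09:02:11 alice DOWNLOAD M-1042 D-7781
2019-10-14T09:15:40 alice VIEW M-1042 D-7782
2019-10-14T14:00:02 carol DOWNLOAD M-3307 D-5120
2019-10-14T14:03:30 carol DOWNLOAD M-3307 D-5121
2019-10-14T22:47:13 bob DOWNLOAD M-2210 D-9002
2019-10-14T22:47:19 bob DOWNLOAD M-2211 D-9003
2019-10-14T22:47:25 bob DOWNLOAD M-2212 D-9004
2019-10-14T22:47:33 bob DOWNLOAD M-2213 D-9005
2019-10-14T22:48:01 bob DOWNLOAD M-2213 D-9006
2019-10-14T22:48:10 bob DOWNLOAD M-2214 D-9007
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, matter, doc = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append({"when": when, "user": user, "action": action,
                       "matter": matter, "doc": doc})
    return events


def detect(events, window_minutes=10, max_downloads=5, max_matters=3,
           work_start=7, work_end=20):
    """Return a sorted list of (user, rule) alerts.

    Rules (thresholds are assumed; tune them to the firm's baseline):
      bulk_download  more than max_downloads DOWNLOADs within the window
      many_matters   downloads across more than max_matters distinct matters
                     within the window
      off_hours      any DOWNLOAD outside work_start..work_end (hour of day)
    """
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "DOWNLOAD":
            per_user[ev["user"]].append(ev)

    alerts = set()
    for user, downloads in per_user.items():
        downloads.sort(key=lambda e: e["when"])
        for i, start in enumerate(downloads):
            if not (work_start <= start["when"].hour < work_end):
                alerts.add((user, "off_hours"))
            # sliding window: this download and every later one that falls
            # within window_minutes of it
            in_window = [e for e in downloads[i:]
                         if e["when"] - start["when"] <= window]
            if len(in_window) > max_downloads:
                alerts.add((user, "bulk_download"))
            if len({e["matter"] for e in in_window}) > max_matters:
                alerts.add((user, "many_matters"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, rule in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule:<14} {user}")
```

Run against the sample log this raises all three alerts for bob and none for alice or carol. In practice the window and thresholds should come from each role's normal activity (a paralegal bundling a disclosure legitimately downloads hundreds of files from one matter, which is why the many-matters rule is separate from the bulk rule), and alerts should feed a process that can suspend access quickly, since a departing employee's exfiltration is often over in minutes.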

Supply chain compromise

  • Understand the risk to the legal sector and how it can affect the law firm.
  • Establish control over the law firm’s data and review every third-party partnership.
  • Improve continuously: ensure all software is up to date and that third-party partners are aware of the risk of supply chain compromise.

Free Trial

To find out more information on how SaltDNA could protect your law firm, or to avail of a free trial of the full solution contact our sales team on info@saltdna.com

About SaltDNA

SaltDNA, ranked in the top half of the Cybersecurity 500, provides a fully enterprise-managed software solution that enables absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest security standards. The SaltDNA Desktop and Mobile apps are intuitive and easy to install and use. The SaltDNA Communication Manager provides a console for tight management of users and can be configured to support regulatory compliance. SaltDNA is headquartered in Belfast, Northern Ireland; for more information visit www.saltdna.com.