Cybersecurity: The heightening ransomware risk

Cybercrime remains one of the biggest and most expensive threats to law firms.

The risk has never been greater: the full-scale shift to homeworking prompted by covid-19 has increased firms' cyber exposure.

There is encouraging evidence, in the face of this risk, that the legal sector recognises the scale of threat. According to the latest PwC law firm survey (2021), 90% of the UK’s top 100 law firms view the cyber risk as the biggest threat to future growth and are “extremely concerned” at the extent of cyber threat in the next 12 months. Reducing the cyber risk has become the third highest priority for firms (up from seventh in 2020).

Cyber security is undoubtedly a key challenge for the legal sector, which is targeted because of the abundance of sensitive data it holds and its dealings with large sums of client money. Now, increasingly sophisticated methods using ransomware are being deployed by criminals.

This September the leading London commercial set, 4 New Square chambers, secured an injunction against ‘persons unknown’ following a hacking incident in which anonymous criminals used ransomware to threaten to disclose stolen information.

And just this month (October 2021), the SRA said that a solicitors’ firm has recently been hit by a phishing scam (phishing emails are effectively a delivery model for ransomware, via a malicious attachment).

Double extortion

Ransomware is malware which blocks targeted computer systems and networks, then sends a demand for cash in exchange for unlocking them. ‘Double-extortion’ ransomware first steals the data, then encrypts the network; a second ransom is then demanded in return for not publishing or sharing the stolen data. Out of 1,200 double-extortion ransomware incidents in 63 countries last year, more than 60% reportedly targeted the UK and US.

Lawyers would do well to note the warning sounded in a recent US report of a change in approach on the part of cyber criminals. The report, just published by cloud-based eDiscovery firm Everlaw, says seven law firms fell victim to cyber breaches from the ransomware and hacking group Maze and the Russia-based hackers REvil. It states that the attacks “highlighted a stark change” in how hackers have usually operated. Both groups employ double-extortion malware to target businesses – and they have the resources to grow their ambitions and cause serious damage.

The Maze campaign against law firms began in early 2020 and culminated in the criminal group carrying out its threat to release sensitive client data if a ransom was not paid. This new tack, explains the report, moved from the usual modus operandi of threatening to block access to data to actually releasing it. REvil took a similar approach.

The increase in lawyers and other employees working from home has undoubtedly increased the cyber risks for firms, and this risk is not going to abate any time soon. As the UK adapted to the pandemic environment, many firms introduced flexible working-from-home policies or hybrid models of working – expecting lawyers to be in the office some days but allowing them to work from home on others.

Facing the risk

At the time of writing, the government is facing pressure to reintroduce further restrictions against the backdrop of rising covid-19 cases and warnings that the NHS faces a profound crisis. If restrictions are reimposed, this is likely to mean working from home again where possible – as in previous lockdowns. Cyber criminals will exploit these shifts in working patterns, finding ways to identify vulnerabilities and infiltrate IT systems, increasing the risk of hacking.

Regular risk assessments will continue to be vital. Firms would be wise to consider the latest and most effective security solutions, and to use multi-factor authentication, single sign-on and third-party authentication wherever sensitive information is to be accessed.

Firms should also consider simple but no less effective ways to minimise the security risk. These could include policies prohibiting remote working in public places or over public wifi, and banning work communications from being conducted on personal devices.

Firms should also formulate a robust response to potential ransomware attacks and set that response out in a written plan.


Posted on 21.10.21