The legal sector is, for obvious reasons, a constant target for criminals, and manipulating email communications in various ways remains a favourite method.
The reality is that more cyberattacks are taking place in the UK this year than ever before, and the National Crime Agency (NCA) warns that, as tactics shift, criminals are becoming increasingly sophisticated in their methods.
But however sophisticated the criminals’ techniques, law firms must not take their eye off the email risks. The regulator, the Solicitors Regulation Authority (SRA), has recently issued a report showing that email continues to be a significant risk area for firms. In its latest Risk Outlook, the SRA says that phishing and ‘email modification’ frauds (the alteration of genuine messages, typically to change the bank account details in them) make up half of all the cybercrime reports it receives. In 2021, more than eight in 10 of the cybercrime reports it received involved email.
Ransomware and more
The NCA has also singled out the “significant” growth in high-profile ransomware campaigns in the past year. This is a development also recognised by the SRA, which warns that a particular type of ransomware attack, in which criminals also access and take sensitive client information (often called double extortion), will increase.
In fact, on the ground it is already increasing. In 2021, the SRA received reports of only 18 ransomware attacks, a low figure partly because ransomware that merely encrypted data did not always lead to a reportable breach. However, ransomware now commonly both encrypts data and steals a copy of it, with serious implications for firms (which face ransom demands) and for client data: restoring from backup recovers the firm’s access to its files, but it does nothing to recover the copy the criminals have taken.
This is not only happening already; the SRA warns that “file stealing will become a normal part of how ransomware extorts money.” It also predicts that ransomware will become even more sophisticated, involving both opportunistic and targeted attacks.
However, firms are warned against giving in to ransom demands: this July, the NCA asked law firms not to make ransomware payments. It made clear that paying will not keep data safe, since it guarantees neither that files will be decrypted nor that stolen copies will be deleted, and that a payment would not be considered by the Information Commissioner’s Office (ICO) as mitigation in any regulatory action.
Most solicitors know that the conveyancing sector has, for years, been the target of choice for criminals. But if you are not working within the property sector, do not be tempted to relax: the criminals are broadening their horizons. The SRA reports that attacks on third parties and providers are already taking place. It cites, for example, a compromise at an IT service provider and, separately, one at a barristers’ chambers, each of which spread to many firms of solicitors. These are supply-chain compromises: a single third party that holds many firms’ data, or has access to their systems, becomes a route into all of them, so a firm’s own defences are only part of the picture.
The tactics being used to target the legal profession are also increasingly sophisticated. There are, for example, reports of voice impersonation systems being used to impersonate partners or clients (though these tend to be targeted attacks rather than general opportunistic ones). The picture is of an environment in which law firms must work hard to keep one step ahead of the criminals.
Is an attack inevitable?
No. Attempts will keep coming, but a successful cyber-attack on a law firm is neither inevitable nor to be expected, unless the firm takes a lackadaisical approach to cyber risk. With regular and effective risk assessments, strong policies and procedures, and robust protection implemented with specialist support, firms can keep the risk of a successful attack to a minimum. The regulator encourages having “the right culture, systems and training” and offers guidance on how to achieve this.
It is also important to remind law firms of the new risks presented by the Covid-induced surge in homeworking and hybrid working. These changes in working pattern have necessitated increasing reliance on IT, which in turn requires increased vigilance on the part of firms. For example: are lawyers permitted to use firm laptops for domestic and social use? Are they encouraged and trained to lock their devices when not in use? Is their device and software security, including anti-virus protection, effective and up to date? Are laptops encrypted, so that a lost or stolen device does not expose client files, and is remote access to the firm’s systems protected by multi-factor authentication?
However sophisticated cybercriminals become, firms would do well to keep the humble email central to their firm-wide risk strategy, because the regulator expects criminals to continue seeking “easier targets”, that is, those involving email.
We strongly urge firms to take these warnings seriously, to avoid the risk of reputational and financial damage, and to make the most of the practical resources available.
The Law Society cybersecurity guidance and support