A profession under attack
By Nicola Laver
Nicola Laver discovers how firms are dealing with heightened cyber threats amid the covid-19 crisis
When the country went into lockdown, cyber criminals circled like vultures, targeting businesses within the first few weeks.
Personal data and business information are precious commodities to cyber criminals, who seek out loopholes and weaknesses to exploit. As we know, law firms are a particularly attractive target.
The figures are eye-watering. According to analysts at business ISP Beaming, UK businesses each faced an average of 177,000 attempts to breach their systems between April and June 2020. That equates to one attack every 45 seconds – a 13 per cent increase on the first quarter.
Meanwhile, the National Cyber Security Centre (NCSC) reported a fourfold increase in attacks during the first fortnight of lockdown (recent figures do not yet appear to be available).
What about law firms? Between January and March this year, cyber-security specialists BlueVoyant analysed thousands of law firms internationally. All had been targeted in attacks by threat actors.
Law firms were already a prime target in normal times; covid-19 has made them an even easier one as working and security arrangements changed. The criminals have been seeking out lower levels of security for exploitation, along with IT challenges and what the Solicitors Regulation Authority (SRA) describes as people’s “different mindset” when home working.
This is not a hypothetical threat: by early April the regulator had already received specific reports about firms being targeted – including an attempt to create a standing order for £4,000 from client account. While the SRA does not yet have statistics, it confirms being made aware of firms being targeted early in the lockdown.
And it’s a dynamic situation. As the NCSC warns: “Malicious cyber actors are continually adjusting their tactics to take advantage of new situations.”
The shift to remote working with reduced physical supervision is a new and emerging risk for firms with individual staff members having differing levels of IT and security. One may have a home office with strong and secure broadband and be comfortable with their firm’s internal IT measures; while another may be living in a shared house, working from the dining table with weak broadband security.
As Paul Bennett, partner at Bennett Briegal, says: “The scale of the diversity of the challenge is, to use the cliché of these times, ‘unprecedented’.”
Jim Gee, national head of forensic services at Crowe UK, says cyber crime is “going through a dramatic step change” during covid-19 with law firms continuing to be a preferred target. “Law firms, like other professional services firms, will have had to move quickly to establish new ways of working, and in some cases, new remote working networks. These were often established – at speed – as the lockdown was implemented”, he comments.
“The risk is that cyber-crime protection may not have been maximised at the point when this happened and that controls, which may or may not have been effective in the ‘old normal’ may not work as they should in the ‘new normal’.”
Despite this, specialist insurance broker Lockton UK (which works closely with the legal profession) reports that the overall number of cyber notifications has not increased exponentially. However, James Harris, vice president at Lockton, adds: “While there has been an increase in attempts on law firms, it is difficult to distinguish whether this is directly due to the pandemic or potentially because of a criminal’s belief that fee-earners working at home are more vulnerable.”
Bennett recently advised on data breaches in two law firms (one was reported to the SRA). “In both cases the firm was using a skeleton staff in the office and the technological risks were not identified until it was too late. The supervisor and the support staff member communicated over instant messaging platforms”, he explains.
“In one case the message was misunderstood and the wrong papers went to the wrong client.” The papers included medical data (special category personal data for the purposes of the General Data Protection Regulation). He comments: “The misunderstanding was a straightforward example of trying to deal with too many issues in a single message as someone was unfamiliar with the platform.”
However, in the second case the device used to exchange the instant messages was lost, possibly stolen. Bennett says: “The firm had in place thorough encryption on the device, a password to access the device and crucially, a remote ability to wipe the data held which was used. No report was needed to the Information Commissioner’s Office (ICO) and SRA because the measures in place mitigated the risk and showed the client related material was not accessed.”
Early in lockdown, the SRA warned firms to be vigilant. Pete Riddleston, head of learning, quality and development at LawNet, says the network has seen plenty of evidence through its interactions with member firms that they are aware of heightened risks.
“Fraud has been very much in our firms’ thinking throughout, largely because they’ve had to deal with the challenges of a rapid change to working practices with a remote, widely dispersed workforce. I know through the training sessions and discussion calls we’ve been holding with members that many have been evaluating existing procedures to ensure that these are still fit for purpose and updating them where necessary.”
This is where team meetings and supervision have been crucial, he says, together with training on procedures to combat fraud and cyber crime – particularly where new risks have been identified and procedures updated as a result.
Lyn Coughlan, risk and compliance manager at LawNet firm FBC Manby Bowdler (FBCMB), has found that “the usual tight controls we have on our network have been lessened with the use of wide scale VPN links via home broadband connections”.
She explains that although the firm has network software to monitor when updates have taken place on individual devices, devices connected to the network via a VPN link cannot be monitored in this way and are more vulnerable to attack. “Like all businesses”, says Coughlan, “we have had to find a way to continue with meetings, and as virtual solutions such as Zoom… have increased in popularity, this has brought with it new areas for fraudsters to infiltrate networks if robust security measures are not applied.”
Firms that already had robust training; had invested heavily in their IT infrastructure; and implemented tech suitable for agile working before covid-19 were in the best position to withstand the increased external threats.
FBCMB, for instance, worked with its IT hosted system provider to test the stability of the platform and bandwidth with a sudden increase in connectivity outside of the network. It is continuing to work with that provider to increase security measures such as multifactor authentication.
All its lawyers have firm-issued laptops and mobile devices with security monitoring and tracking software enabled; and the firm’s remote working policy setting out its expectations when home working has been reviewed and re-issued.
“It is important to carry out a risk assessment for remote working and then review it regularly,” Coughlan cautions.
Solicitors will always be a prime target for bad actors because of the sheer volume and type of data they hold. However, their clients are also a target, says Harris.
“This exposes any firm that does not identify when a fraudster has penetrated a client’s systems,” he warns. “It can be challenging to directly trace each incident back to homeworking without the client detailing the complete history with each notification – which they generally do not do.”
He adds: “We have seen an increase in social engineering with cyber criminals impersonating the client and attempting to mislead employees into transferring funds to the criminal’s bank account. Frequently, it is the law firm’s client that has originally been compromised, and the fraudster has then implanted into the electronic correspondence, which has gone undetected by the firm.”
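The impersonation Harris describes has a recognisable shape on the receiving side: a known client’s name on a lookalike or unfamiliar domain, a Reply-To that diverts the conversation elsewhere, failed email authentication, and a request to change bank details under time pressure. The following is an added example of how a firm’s mail gateway or case-management intake could triage inbound messages for those hallmarks; it is not Lockton’s process or any real product, and the client directory, domains, sample messages and scoring rule are all constructed for illustration.

```python
"""Triage an inbound email for the hallmarks of client-impersonation payment fraud.
Added example; the client directory, domains, sample messages and scoring rule
are constructed for illustration and are not from any real firm."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known client contacts: display name -> expected domain.
KNOWN_CLIENTS = {"jane smith": "acme-holdings.example"}

PAYMENT_CHANGE_PHRASES = ("new bank details", "changed our bank",
                          "updated account details", "please transfer")
URGENCY_PHRASES = ("urgent", "immediately", "today")

# Constructed sample messages (not real correspondence).
SUSPICIOUS_MESSAGE = """From: Jane Smith <jane.smith@acme-ho1dings.example>
Reply-To: Jane Smith <accounts@secure-mailbox.example>
To: conveyancing@law-firm.example
Subject: Urgent - completion funds
Authentication-Results: mx.law-firm.example; dmarc=fail header.from=acme-ho1dings.example

Hi, we have changed our bank, please transfer the completion funds to the new bank details below.
"""

LEGITIMATE_MESSAGE = """From: Jane Smith <jane.smith@acme-holdings.example>
To: conveyancing@law-firm.example
Subject: Completion date
Authentication-Results: mx.law-firm.example; dmarc=pass header.from=acme-holdings.example

Hi, can we confirm Friday for completion? Thanks, Jane
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalise(domain):
    """Undo common character substitutions (0/o, 1/l, 5/s, rn/m) so lookalikes compare equal."""
    return domain.lower().translate(str.maketrans("015", "ols")).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, used to spot single-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return (verdict, flags) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to domain differs from sender domain")
    expected = KNOWN_CLIENTS.get(from_name.strip().lower())
    if expected and from_domain != expected:
        kind = "lookalike" if edit_distance(normalise(from_domain), normalise(expected)) <= 1 else "unexpected"
        flags.append(f"{kind} domain {from_domain} for known client (expected {expected})")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("DMARC authentication failed at the gateway")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    payment_change = any(p in text for p in PAYMENT_CHANGE_PHRASES)
    if payment_change:
        flags.append("requests a payment or change of bank details")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency language")
    # Any bank-detail change is verified by phone on a known number regardless
    # of other signals; otherwise two or more signals trigger a hold.
    hold = payment_change or len(flags) >= 2
    return ("hold for out-of-band verification" if hold else "normal handling"), flags


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, LEGITIMATE_MESSAGE):
        print(triage(raw))
```

The rule that a bank-details change always goes to a phone call on a number the firm already holds, not one from the email, is deliberate: every other signal can be absent when the client’s own mailbox has genuinely been taken over, as Harris describes.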
There is also a growing threat to firms in the form of ransomware – malware designed to prevent access to a computer until a ransom is paid. Typically spread through phishing campaigns, it is a threat to firms of all sizes, even though recent high-profile incidents involved big names including Garmin and the Labour Party.
Sebastian Leggett, a cyber and technology executive at Lockton, says the main trend the company has seen during the pandemic has been a spike in ransomware events. “We have received exactly twice the amount of ransomware notifications compared to the same period last year (1 January until now)”, he comments. Small to mid-sized firms as well as larger firms are being targeted; and Leggett warns of more ransomware variants and an increase in blackmail attempts (with demands and payments of ransoms now running well into seven figures).
Gee confirms that law firms are being targeted by ransomware attacks, “with the complication that they were not sure if sensitive data had been stolen before their systems were encrypted”. Phishing is the key vehicle of delivery for ransomware (which of us has never received a phishing email with the subject line ‘charitable contributions’, ‘general financial relief’, ‘HMRC grants and support’ or latterly ‘fake cures and vaccines’ and ‘fake coronavirus testing kits’?).
Leggett says: “We certainly believe that bad actors are using the topic of covid-19 as a way to draw people into clicking on malicious links. Furthermore, we have seen transfers of funds as a result of the firm itself being breached, which is most commonly caused by someone clicking on a phishing link. Conveyancing transactions are a recurrent target.”
Lockton is regularly notified of employees clicking on phishing emails, with the compromised account then distributing additional emails to gather more employee credentials. “If the matter is notified promptly”, says Leggett, “insurers may instruct IT forensics which can attempt to terminate the incident before it escalates. Existing weaknesses in a firm’s IT systems can be an issue and can, for example, allow a third party to transfer files.”
“The main weakness for any firm is its employees, which means educating people around phishing-type attacks is a crucial way to protect the company’s network”, says Leggett. He says one explanation for the increase in phishing notifications could be that training for staff has not continued while they work from home. He also warns that some firms having furloughed their IT staff can “pose numerous challenges, especially when system/security upgrades are delayed”.
Meanwhile, the SRA rules and regulations are impervious to covid-19. Solicitors’ compliance obligations remain unchanged, though in a statement issued early in lockdown the SRA said it will take a “pragmatic and proportionate approach” to compliance. But what might that mean in practice? The regulator confirmed its “focus is on serious misconduct and differentiating between those who have tried to do the right thing, and those who haven’t”.
It has also provided detailed advice and guidance in an online cyber-security Q&A (sra.org.uk/sra/news/cyber-security-qa), so firms who can’t demonstrate they took the steps required to minimise the risk of cyber crime and loss of data cannot expect a soft touch from the SRA in the event of a breach during the pandemic.
In Bennett’s view, both the ICO and the SRA “have reacted well when risks have been managed down and an isolated error occurs”. The regulators look for patterns, he adds, “so stopping the silly errors is a great starting point”. So is ensuring consistency – Bennett Briegal advised one firm where each department was adopting a different instant messaging platform, whatever the team head preferred. Bennett comments: “The risks between platforms differ so that firm faced multiple risks for no benefit.”
Cyber risks threaten not only the firm and its clients but also their reputations, according to Bennett, along with a sector-wide reputational risk, “so we are all literally in this together to some degree”.
He considers the potential longer term impact: “Firms who had in place measures for ‘normal’ times, including up-to-date software and encryption of any cloud or hard drive accessed by a remote device (such as a laptop), have found the scale of the resources increasing while the loss of structure in office life poses a greater risk. The scale and the personnel undertaking work has altered so firms need to reset for now and the next 12-18 months.”
A firm that gets things wrong faces losing client data and having to explain the loss to two regulators (the ICO and SRA or other professional regulator). Remember that the SRA last year estimated that the financial costs alone of a cyber attack are more than £4,000 per firm.
So what should a firm’s next steps be? Training is a constant refrain coming both from those on the ground and from risk specialists in this field. Bennett says his firm is seeing an increase in training requests for remote supervision, around data, cyber and fraud risks when working remotely.
“Often the training is the first contact”, he says, “but then the policy work becomes obvious and the new supervision skills are not as obvious to supervisors until training has started.”
Bennett Briegal has advised firms to conduct a risk assessment with every staff member working remotely. “Do the team understand the instant messaging platform whether that is WhatsApp, Signal or something else?”, comments Bennett. “Are they using an insecure platform with colleagues which might be great for social contact or team building but is inappropriate to send documents over?” He emphasises: “Key is audit, train on the risks, get the policies and supervision right and your reputation is enhanced as a firm.”
Firms should also take on board all available advice and guidance, both from the regulators and government. Cyber Essentials, the UK government-backed standard for business cyber security, is one good place to start (and is, incidentally, mandated by the Law Society for firms signed up to its new Lexcel Standard). The standard – a self-assessment at its basic level – helps firms guard against the most common threats.
Harris also urges firms to consider taking out both cyber and professional indemnity cover. “Some policy wording can distinguish between social engineering and a system breach, and firms should be aware of what their cover extends to”, he explains.
Far from going away, cyber threats are set to increase. Coughlan thinks the ICO will take a greater interest in law firms given that the amount of personal data handled by firms is huge; and “without the office regime, personal data may become more vulnerable to attackers”.
She warns that while the technology supporting this new way of working is constantly developing, so are the methods criminals use to infiltrate it.
Jim Gee envisages an environment where “future threats will undoubtedly involve the deployment of artificial intelligence by cyber criminals. We will also see more use of the dark web to organise and plan cyber-crime attacks”.
He warns that firms need to know of attacks against them and to find out if their emails and passwords are being offered for sale. Over the last two years, Crowe has invested in a “cutting-edge capacity” to protect its clients against this constantly growing threat. It involves undertaking internal vulnerability assessments with specialist diagnostic hardware that looks inside a firm’s network and systems for weaknesses; external vulnerability assessments can also be done, looking at a firm’s domains to see if its emails can be spoofed.
It also looks for out-of-date, unsupported software, open ports which can be hacked, and known vulnerabilities which haven’t been resolved. “Finally, we search for compromised emails and passwords using our unique access to the forums and markets on the dark web”, says Gee.
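Whether a firm’s own domain can be spoofed is largely a question of what it publishes in DNS: an SPF record that does not reject unauthorised senders, or a missing or monitor-only DMARC policy, leaves receivers with no instruction to discard forged mail carrying the firm’s name. The following is an added example of that part of an external assessment, run against the firm’s own domain; it is not Crowe’s tooling. To stay offline it evaluates TXT records from a constructed dictionary rather than live DNS lookups, and the domain names and records are invented.

```python
"""Rate how exposed a domain is to email spoofing from its SPF and DMARC records.
Added example, not Crowe's tooling; TXT records come from a constructed offline
dictionary (no live DNS) and the domain names are invented."""

# Constructed DNS TXT data keyed by record name (not real domains).
SAMPLE_TXT_RECORDS = {
    "weak-firm.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    # no _dmarc.weak-firm.example record is published at all
    "monitor-firm.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.monitor-firm.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-firm.example"],
    "partial-firm.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.partial-firm.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@partial-firm.example"],
    "hardened-firm.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.hardened-firm.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-firm.example; adkim=s; aspf=s"],
    "open-firm.example": ["v=spf1 +all", "site-verification=placeholder"],
}


def parse_spf(txt_records):
    """Return the SPF mechanisms, or None if there is not exactly one SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # missing and duplicate records both invalidate SPF
        return None
    return spf[0].split()[1:]


def spf_all_qualifier(mechanisms):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~' or '?'), or None if absent."""
    for m in mechanisms:
        qualifier = m[0] if m[0] in "+-~?" else "+"
        if m.lstrip("+-~?").lower() == "all":
            return qualifier
    return None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if there is not exactly one DMARC record."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, resolver):
    """Return (risk, findings); risk is 'high', 'medium' or 'low'."""
    findings = []
    spf = parse_spf(resolver.get(domain, []))
    if spf is None:
        findings.append("no valid SPF record")
        spf_q = None
    else:
        spf_q = spf_all_qualifier(spf)
        if spf_q in (None, "+", "?"):
            findings.append("SPF does not reject unauthorised senders")
        elif spf_q == "~":
            findings.append("SPF softfail only (~all)")

    dmarc = parse_dmarc(resolver.get("_dmarc." + domain, []))
    policy = "none" if dmarc is None else dmarc.get("p", "none").lower()
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if policy == "none":
            findings.append("DMARC policy is p=none (monitor only)")
        elif policy == "quarantine":
            findings.append("DMARC policy is quarantine, not reject")
        if "rua" not in dmarc:
            findings.append("no DMARC aggregate reporting address")

    # DMARC is what tells a receiver to discard a forged From: domain, so its
    # policy drives the rating; the strength of SPF refines it.
    if policy == "none":
        risk = "high"
    elif policy == "quarantine" or spf_q in (None, "+", "?"):
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


def report(resolver):
    """Rate every base domain in the resolver (record names not starting with '_dmarc.')."""
    return {d: assess_domain(d, resolver)[0] for d in resolver if not d.startswith("_dmarc.")}


if __name__ == "__main__":
    for domain, risk in report(SAMPLE_TXT_RECORDS).items():
        print(domain, risk, assess_domain(domain, SAMPLE_TXT_RECORDS)[1])
```

Against real DNS the same functions would take the TXT strings returned by a resolver for the domain and for `_dmarc.` plus the domain; the rating treats a DMARC policy of `p=none` as high exposure even when SPF is strict, because monitor-only DMARC asks receivers to report forgeries rather than reject them.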
Internally, firms have much they can do on a daily basis to rein in the threat. LawNet, for instance, has encouraged member firms to document outputs from team and supervision meetings so that learning from them can be shared throughout the firm.
“This is an important way for staff to share knowledge and experience to raise awareness of any fraud or cyber-security risks and the action individuals should take as a result”, says Riddleston.