Cyber threat to law firms greater than ever
Only a matter of time before all organisations are breached, experts predict
Law firms are facing unprecedented cyber threats due to the ‘treasure trove’ of client data they hold and the widening availability of technology that facilitates attacks, experts have said.
The recent WannaCry ransomware attack, which affected more than 200,000 computers in at least 150 countries, has led to calls for law firms of all sizes to step up their cyber defence strategies to prevent both internal and external threats.
Peter Wright, solicitor and managing director of Digital Law UK, told Solicitors Journal the cyber threat to law firms was now greater than ever due to the growth of technology.
‘There’s now an ever-widening capability among the fraternity out there that would perpetuate these sorts of cyber attacks against firms. As more data goes up online, firms get more vulnerable and the means to take them down is now more freely available than ever.’
‘The threat is significant,’ added John Boles, director of business consultancy at Navigant. ‘Law firms hold so much personal data and sometimes intellectual property. For cyber criminals, their goal is to monetise the data and they’ve learned for years to go where the treasure trove is. They can now just go after one company and have access to all that data.’
The most recent NatWest Legal Benchmarking survey found that 24 per cent of 269 law firms had experienced a fraud-related loss or cyber attack in the year ending April 2016. According to PwC, cyber attacks on law firms have increased by 60 per cent in the past two years.
With these figures in mind, Boles believes cyber security should be a high priority for any firm. ‘If the trust between the lawyer and the client is violated, then the reputational damage can be significant, if not almost catastrophic, to a law firm, and long lasting. Firms really need to consider data and the information that they have on their clients not just as a product but as one of their crown jewels and elevate it up in their priority list in protecting it.’
Boles’ colleague and associate director at Navigant Ben Donnachie added that cyber security should be part of a wider programme, which included tackling the threat of employees. ‘Even though your computer systems are secure, quite often we find that insiders, whether unwittingly or not, have legitimate access to the systems and exfiltrate or steal the data. Cyber security is important but other types of security are also important.’
The attack on the NHS exploited vulnerabilities in older versions of Windows operating systems and legacy applications that some hospitals were still using. This type of scenario is not too dissimilar from some law firm mergers, according to Wright, where across a whole firm there might be multiple operating systems or ways of working to support old legacy systems. Procuring long-term investment from the boardroom to upgrade systems remains a challenge, he added.
Navigant and Digital Law UK have seen a rise in the number of enquiries from law firms since the WannaCry attack. They outlined some steps that all firms should be taking regardless of their size.
‘Consider having an information security gap analysis to find out where the vulnerabilities are,’ said Wright. ‘Then implement an advanced and persistent threat-detection system and have a “cyber wargame” so if D-Day happens a plan will be in place.’
He also suggested firms should make an air-gapped PC available in a secure room, which can be used as a base of operations to deal with the immediate aftermath of a cyber security breach, and ensure they have good cyber liability insurance, although this will not cover everything.
Boles suggested firms adopt the principle of least privilege. ‘Make sure employees or people who can access your system only have the access needed to do their job. If someone is leaving cancel their access immediately, but also if someone is moving jobs within the law firm, make sure they don’t take their previous access with them because they don’t need it.’
‘Organisations need to be doing the basics,’ said Donnachie.
‘They need to be training their people to be suspicious. If you receive emails that look odd, don’t start clicking on things. Anti-virus software isn’t completely effective so don’t trust it. Know where your sensitive data is stored and put systems in place to protect it from any malicious attacks.
‘It’s a matter of time before all organisations are going to be breached. Make sure your strategy is fit for purpose. Have an incident response plan, test it, and make sure it works.’
Matthew Rogers is a legal reporter at Solicitors Journal