Don't forget 'people' risks

11 Apr 2017Feature

Michelle Garlick urges firms not to simply focus on technology when assessing their exposure to cyber threats such as email scams and ransomware

The SRA’s announcement in early March that up to 500 law firms had been targeted in a single email scam by fraudsters serves as a reminder that cybercrime remains one of the key risks for the legal sector.

That particular scam – an example of ‘phishing’ – saw firms receive an email purporting to be a request for their services. When they responded, a further email was sent with an attachment or links containing malware, which allowed the scammers to remotely access, infiltrate, and block access to the firms’ IT systems.

The risk and damage posed by cybercrime and the infiltration of IT systems can be huge. For a law firm which holds valuable client data, the use of ‘ransomware’ - in which scammers seek to extort money from businesses by locking them out of their IT systems until they agree to transfer funds – is a particular threat.

According to recent research from IT company Timico, more than 25 per cent of law firms that fall victim to ‘ransomware’ end up paying at least £5,000 to retrieve access to their systems, with 88 per cent of systems being down for a week or more.

Then there are the regulatory repercussions to consider. While it is not currently compulsory to notify either the Information Commissioner’s Office (ICO) or affected individuals of data breaches in all circumstances, that is going to change.

The introduction of the EU General Data Protection Regulation (GDPR) in 2018 is a major consideration for UK firms irrespective of Brexit. The regulations will apply to any data controller or processor which offers goods or services to, or monitors the behaviour of, data subjects in any EU member state. The GDPR will oblige all organisations to notify the ICO of any data breaches without undue delay and within 72 hours of becoming aware.

Human error

Clearly, a crucial step to defending against cyber-attacks is to ensure that you have adequate protective software and that it is up to date. Yet, too often firms put all of their focus on technology and don’t consider the risk associated with their people.

In reality, the weakest link in the chain of any organisation’s data protection policy is likely to be human. As in the recent example cited by the SRA, many cyber-attacks require an element of human error to succeed.

Simple mistakes like failing to lock machines and physical security compromises such as being tailgated in offices are all obvious threats, but so too is the risk of hackers gaining access to company data by more nefarious social-engineering tactics.

This risk will only grow as globalisation and technological advances mean more conversations are happening over digital channels, which creates opportunities for scammers to infiltrate organisations by impersonating clients or colleagues.

Be prepared

Key questions for firms to ask themselves are:

Have your staff been trained and kept up to date on the latest tricks used by scammers?
Have you reviewed your policies and procedures to ensure they are clear on what to do should a suspected scam email be received and/or opened?

It is imperative that COLPs and COFAs in particular are aware of the threat of cybercrime and manage their risks accordingly. Ensuring that training is delivered to all employees, contractors, agency workers, and anyone else deployed on the premises and with access to personal data is important.

A useful step to undertake is to go through a cyber audit, in which your practice’s systems and policies are assessed against the risk of an attack. In addition, firms should also keep abreast of the latest security and scam updates offered by the SRA.

Michelle Garlick is a partner and head of the Compli team at Weightmans

@Weightmans www.weightmans.com

Legal News desk contact: editorial@solicitorsjournal.com

Supreme Court ruling on fraudulent trading liability

UK Supreme Court clarifies liability of third parties in MTIC fraud and limitation rules for dissolved companies.

Forty years on, surrogacy law is still playing catch-up

Despite international growth in surrogacy, UK law remains reactive, outdated and ill-equipped for today’s challenges

Law firm reports significant caseload rise

A surge in immigration-related legal advice reflects new UK policies tightening regulations affecting businesses and individuals

Tudor v Tecuci District Court: Article 8 extradition appeal analysis

High Court upholds Romanian extradition despite private life arguments

Costs Lawyers seek recognition and support

The Association of Costs Lawyers aims to elevate its members' status and engage the younger workforce

Gig economy drivers challenge their status

Former eCourier drivers have launched a legal claim to secure workers' rights against misclassification

When is an environmental case not an Aarhus claim?

Court of Appeal narrows Aarhus costs protection, requiring direct breach of environmental law, not incidental impacts.

Commonhold’s fragile foundations: risk and reality

Commonhold promises fairness and simplicity, but unresolved enforcement and financial risks threaten its stability and long-term value

How the amended English Arbitration Act puts London at the centre of global arbitration reform

The Arbitration Act 2025 introduces reforms enhancing efficiency, certainty, and London’s global leadership in international arbitration

Support needed for UK retailers now

Clarke Willmott LLP calls for intervention in the autumn statement to avert worsening conditions in retail

Court of Appeal clarifies GDPR compensation thresholds in Farley v Equiniti

Court of Appeal establishes new precedent on data breach compensation claims.

Crest Nicholson v Secretary of State: Water neutrality upheld in planning decision

High Court affirms water neutrality condition for housing development near ecologically sensitive sites.

O Argence-Lafon v Ark Syndicate Management: EAT whistleblowing judgement analysis

Employment Appeal Tribunal clarifies protected disclosure requirements in insurance sector whistleblowing case

Sky UK Limited v Ofcom: Electronic communications services classification under regulatory scrutiny

Court of Appeal clarifies electronic communications service definitions in telecommunications regulation framework.

SRA addresses issues in law firms' high-volume claims

The SRA's review reveals significant failures by law firms in their duty to clients in high-volume claims

SJ Interview: James Palmer CBE

James Palmer CBE, Partner of Herbert Smith Freehills Kramer, has long been recognised as one of the UK’s most influential corporate lawyers and policy voices. Awarded a CBE in 2025 for his services to business and law, he has combined a high-profile career in M&A with decades of work on legal reform. In this interview, he discusses the challenges of legislative inflation and corporate advice, access to justice, and the future role of technology.

The SQE is failing its own test

Five years on, the SQE is underperforming, and targeted reforms could close persistent gaps.