Human error identified as biggest cyber risk to firms
By Nicola Laver
SRA finds human error was the biggest risk to firms’ cybersecurity over the last three years
The Solicitors Regulation Authority (SRA) has said that human error was the biggest risk to firms’ cybersecurity over the last three years.
The findings were revealed in an SRA report following an in-depth thematic review of 40 cyberattacks reported to the regulator between 2016 and 2019.
The SRA visited and interviewed the firms about their experiences, of which 30 had reported being the target of a cyberattack.
The remaining ten firms said cybercriminals had directly targeted their clients during a legal transaction.
The regulator said its review “shows that cybercrime is indiscriminate. No businesses are safe”.
The SRA found that though not every cyberattack resulted in financial loss, collectively £4m was stolen.
Most of the cash was ultimately claimed against insurance policies, but the SRA said £400,000 of it had to be repaid directly from firms' own money.
According to the report, most incidents occurred due to human errors and misunderstanding with “very few incidents that involved an element of hacking”.
For instance, more than half of firms allowed external USB sticks to be plugged into company devices.
The SRA found that 60 per cent of firms felt their biggest potential vulnerability to cybercrime was linked to staff knowledge and behaviours.
Despite this, a fifth of firms did not provide specific training on IT and cybersecurity; and more than half did not even keep records of such training.
The regulator said some senior figures could not answer “basic questions about terminology”.
The report reveals that this problem was more widespread among fee earners. For example, less than half did not understand what was meant by malware; around 32 per cent did not know what phishing was; and the vast majority did not understand what ransomware was.
These findings “raised concerns”, according to the report. “Knowledgeable and empowered staff are the first line of defence against cybercrime.”
It also found that more than a quarter of firms lacked adequate cybersecurity processes and controls; and only around two thirds of staff in the firms it visited claimed to be ‘knowledgeable’ about cybersecurity and IT issues.
The regulator said that, with covid-19 meaning huge numbers of people are working remotely, firms must remain extra vigilant around cybersecurity.
However, the SRA identified good practices such as widespread use of anti-virus software, two-factor authentication for many sensitive interactions and regular backing up of data.
SRA chief executive Paul Philip said it will be some time before the implications of the pandemic for the legal sector are fully understood, but added: “The need for everyone to remain cybercrime vigilant has never been higher.”
He said firms should ensure they have effective cyber security policies in place “and, crucially, that everyone in the firm understands and follows these day-to-day”.
Responding to the review’s findings, Law Society president Simon Davis said: “The SRA’s report identified that most of the firms surveyed were aware of the dangers posed by cybercrime, and that staff knowledge and behaviour were important factors when protecting their business.”
He commented: “We must continue to share experience and expertise about emerging cyberthreats, particularly in today’s environment, with so many more of us working online and remotely.
“By taking issues like cybersecurity seriously, we ensure the public can continue to have the highest confidence in the profession.”
Vanessa Cathie of Lockton UK said apart from the legal sector’s exposure to external cyber criminals, law firms are also vulnerable to attack from within.
She commented: “Rogue employees are a major threat as are the inadvertent actions of staff, for example, lost or stolen devices.
“The risks associated with the use of tablets, smartphones and other devices cannot be overstated – with increased access and flexibility comes a much greater security risk, from data leaks to harmful malware and viruses.”
She also warned of the “huge” potential for reputational damage.
“This sector is founded on trust and discretion”, she commented. “Maintaining a healthy reputation is at the heart of any successful law firm and a key part of its business strategy.”
Cathie warned that loss of client data can have a devastating impact on a firm’s credibility and its long-term position in the marketplace.
“Failure to protect highly sensitive client information can put an entire practice at risk,” she added.