Human error identified as biggest cyber risk to firms

3 Sept 2020News

SRA finds human error was the biggest risk to firms' cybersecurity over the last three years

The Solicitors Regulation Authority (SRA) has said that human error was the biggest risk to firms’ cybersecurity over the last three years.

The findings were revealed in an SRA report following an in-depth thematic review of 40 cyberattacks reported to the regulator between 2016 and 2019.

The SRA visited and interviewed the firms about their experiences, of which 30 had reported being the target of a cyberattack.

The remaining ten firms said cybercriminals had directly targeted their clients during a legal transaction.

The regulator said its review “shows that cybercrime is indiscriminate. No businesses are safe”.

The SRA found that though not every cyberattack resulted in financial loss, collectively £4m was stolen.

Most of the cash was ultimately claimed against insurance policies, but the SRA said £400,000 of it had to be repaid directly from firms' own money.

According to the report, most incidents occurred due to human errors and misunderstanding with “very few incidents that involved an element of hacking”.

For instance, more than half of firms allowed external USB sticks to be plugged into company devices.

The SRA found that 60 per cent of firms felt their biggest potential vulnerability to cybercrime was linked to staff knowledge and behaviours.

Despite this, a fifth of firms did not provide specific training on IT and cybersecurity; and more than half did not even keep records of such training.

The regulator said some senior figures could not answer “basic questions about terminology”.

The report reveals that this problem was more widespread among fee earners. For example, less than half did not understand what was meant by malware; around 32 per cent did not know what phishing was; and the vast majority did not understand what ransomware was.

These findings “raised concerns”, according the report. “Knowledgeable and empowered staff are the first line of defence against cybercrime.”

It also found that more than a quarter of firms lacked adequate cybersecurity processes and controls; and only around two thirds of staff in the firms it visited claimed to be ‘knowledgeable’ about cybersecurity and IT issues.

The regulator said, with covid-19 meaning huge numbers working remotely, firms must remain extra vigilant around cybersecurity.

However, the SRA identified good practices such as widespread use of anti-virus software, two-factor authentication for many sensitive interactions and regular backing up of data.

SRA chief executive Paul Philip said it will be some time before the implications of pandemic for the legal sector are fully understood, but added: “The need for everyone to remain cybercrime vigilant has never been higher.”

He said firms should ensure they have effective cyber security policies in place “and, crucially, that everyone in the firm understands and follows these day-to-day”.

Responding to the review’s findings, Law Society president Simon Davis said: “The SRA’s report identified that most of the firms surveyed were aware of the dangers posed by cybercrime, and that staff knowledge and behaviour were important factors when protecting their business.”

He commented: “We must continue to share experience and expertise about emerging cyberthreats, particularly in today’s environment, with so many more of us working online and remotely.

“By taking issues like cybersecurity seriously, we ensure the public can continue to have the highest confidence in the profession."

Vanessa Cathie of Lockton UK said apart from the legal sector’s exposure to external cyber criminals, law firms are also vulnerable to attack from within.

She commented: “Rogue employees are a major threat as are the inadvertent actions of staff, for example, lost or stolen devices.

“The risks associated with the use of tablets, smartphones and other devices cannot be overstated – with increased access and flexibility comes a much greater security risk, from data leaks to harmful malware and viruses.”

She also warned of the “huge” potential for reputational damage.

“This sector is founded on trust and discretion”, she commented. “Maintaining a healthy reputation is at the heart of any successful law firm and a key part of its business strategy.”

Cathie warned that loss of client data can have a devastating impact on a firm’s credibility and its long-term position in the market place.

“Failure to protect highly sensitive client information can put an entire practice at risk,” she added.

Read our in-depth feature, A Profession Under Attack, on cybersecurity in the covid-19 environment

Legal News desk contact: editorial@solicitorsjournal.com

Litigation funding after PACCAR: adaptation and growth

How England’s litigation funding market is adapting post-PACCAR amid judicial flexibility, legislative signals, and continued expansion

Winston and Taylor Wessing merge to form new firm

Winston & Strawn and Taylor Wessing have voted to combine, creating a major transatlantic law firm

Mishcon de Reya appoints new leader

Mishcon de Reya has announced the election of Daniel Naftalin as its new Managing Partner, set to take office in summer 2026 after a transitional period

Fletchers comments on clinical negligence report

Peter Haden, chief executive of Fletchers, has welcomed the Public Accounts Committee's report on clinical negligence highlighting its human and financial impact and the importance of improved collaborative claims resolution methods

Ex-LCF CEO and wife face contempt

Michael and Debbie Thomson, former LCF CEO and his wife, admit to multiple court order breaches

Youth justice sees record lows in 2024

Recent statistics highlight significant reductions in youth justice involvement, but systemic delays and biases pose risks for progress

Government caps ground rents for leases

The UK government has announced a cap on ground rents in older leases, sparking mixed reactions among experts

Major boost for legal aid fees

Access to justice in Scotland has been significantly improved with a 13% increase in all legal aid fees following a sustained campaign from the Law Society of Scotland

LawCare surpasses pandemic support levels in 2025

LawCare's latest report reveals an unprecedented increase in mental health support demand within the legal sector in 2025, reaching 753 individuals, more than any previous year.

NHS negligence costs demand urgent action

The Association of Consumer Support Organisations urges transparency and solutions to tackle clinical negligence issues

Joseph Mark Taylor v James Lee Taylor: Unfair prejudice found in family property company dispute

High Court finds unfair prejudice in quasi-partnership property company after director excluded brother shareholder.

Molnar and Vargova v Secretary of State: deportation rights under the Withdrawal Agreement

Court of Appeal clarifies procedural safeguards for EU citizens facing deportation for post-Brexit offences.

Smith v Campbell: trustees' costs and indemnity in removal proceedings

High Court determines costs and trustee indemnity following partial success in removal claim.

Pawel Wysokinski v OCS Security Limited: Court venue for data protection claims

Appeal concerning the appropriate court venue for a data protection claim involving medical information disclosure.

Raphael Folarin v Immigration Services Commissioner: fitness to practise and criminal convictions

Appeal dismissed against refusal of registration as Level 1 immigration adviser due to criminal convictions.

SJ Interview: Joelle Grogan

Dr Joelle Grogan is a legal scholar specialising in the rule of law in times of crisis. She presents The Law Show on BBC Radio 4, and is Co-Academic Director of the Rule of Law Clinic at the CEU Democracy Institute (Budapest), and a Senior Research Fellow at the UCD Sutherland School of Law. Her work focuses on constitutional accountability, emergency powers, and legal misinformation. In this interview, she examines the pressures facing the rule of law in the UK, from executive power and court delays to media narratives, emergencies, and the impact of AI on legal practice.

AI in Law: responsibility never delegated

As AI becomes routine in legal practice, regulators and courts insist accountability stays firmly with the human professional