Are you the 65% or the 35%? 65% of law firms have been a victim of a cyber incident
In my last blog, I wrote about a train journey and the complacency shown by two commercial property solicitors chatting about their client in full earshot of everyone who might want to listen. The response was great, but the concerning message was that, as a sector, we are far too complacent about cybercrime. Unless we do something about it, and do it now, we will all continue to fall victim. It's just a matter of time.
Of course, theft isn't new; cybercrime just makes it that much easier. If I had wanted to steal your money 300 years ago, I would have been riding my trusty steed and holding up your stage coach with my pistols. 40 years ago, it would have been a sawn-off shotgun in your face and I'd be driving off in my Ford Granada with my swag bags stuffed with used fivers. Today, all I need to steal your money, your data and your identity is a device and a web connection, and I can do it from my spare bedroom, from the corner coffee shop, or indeed from my deckchair as I sit on the beach in the Maldives.
The extent of the threat is staggering
It was reported in August 2017 that identity theft has reached epidemic levels in the UK, with incidents running at almost 500 a day, according to the latest figures from Cifas (the UK fraud prevention service). Firms holding personal data are more likely to be attacked: hello law firms, that's you.
The most common attacks are fraudulent emails, followed by viruses and malware. In the first six months of this year a record 89,000 cases of identity fraud were reported, typically involving criminals pretending to be an individual in order to steal their money, buy items or take out a loan or car insurance in their name. 53% of all UK fraud is online: 1.9 million offences. British citizens are 20 times more likely to be defrauded at their computer than held up in the street.
In the last eight years, more than 7.1 billion identities have been leaked worldwide because of company data breaches. There are 7.5 billion people on Earth, the majority of whom don't have internet access – so those of us who do have probably been hit several times over. If you haven't done so already, check if your email has been compromised. I check on a regular basis, and only last week found one of my email addresses was listed, so was immediately able to change my password. There's a funny and pointed Jimmy Kimmel YouTube video which shows you how easy it is to crack passwords.
In April 2017 the government reported that nearly seven in ten large companies identified a breach or attack. LinkedIn, EE, National Lottery, BA, the NHS, TalkTalk, Deloitte, AA, Wonga and Equifax have all fallen victim, as have countless local authorities, high street retailers, charities and legal firms.
In the 2016 Crime Survey of England and Wales, fraud and computer misuse accounted for a total of 5.8 million crimes. Around 1.4 million people suffered a computer virus attack, with almost 650,000 reporting that their email or social media profile had been hacked. Anyone who thinks they may have been subject to online fraud or attempted fraud should report this to Action Fraud.
The WannaCry ransomware attack that gripped the NHS in May spread worldwide in just a few hours. The attack had a disastrous effect on the NHS, and affected major corporate brands, government departments, universities and major infrastructure groups, including railways, airlines and telecoms. Over 250,000 computers in 150 countries were infected with the WannaCry virus and the criminals have been able to walk away with nearly $200,000. There is a fascinating and horrifying video on YouTube which shows how – and how quickly – the infection spread worldwide.
The legal sector: worrying complacency?
Every week, I'm reading about or talking to victims from the legal sector. A few months ago, I had the misfortune of interviewing several victims of cybercrime. The largest amount stolen was just under £1m, but the biggest impact was the £60,000 deposit that was taken from a single mum trying to get her life back together following a divorce. Logging on to a free wifi hotspot in an airport coffee shop was probably her biggest mistake, which eventually resulted in her being persuaded to send her deposit funds for her new flat to a different bank account than that of her solicitor.
With all the publicity around cybercrime, you'd have thought that complacency would have been eradicated. But last year, Cert-UK, the forerunner to the National Cyber Security Centre, published a report into the UK legal sector, which makes sobering reading. 65 per cent of firms have been a victim of a cyber incident, but despite the need to protect ourselves, 35 per cent of firms still do not have a cyber mitigation plan in place.
As for the insurance market, it is making money from our complacency. Swiss Re recently reported that the value of global cyber insurance premiums will almost quadruple in five years, from $10bn in 2015, to over $37.5bn by 2020. So either get your wallets open to pay increasing insurance premiums, or take action now.
Think cyberdefense, not just cybersecurity
Complacency is no longer an excuse, as there are so many resources available to ensure that you, your firm and your clients can at the very least mitigate the threat of cybercrime.
The National Cyber Security Centre has some great resources
- Start with the 10 Steps to Cyber Security
- Small businesses and sole practitioners: the National Cyber Security Centre has produced the UK's most easy-to-access Cyber Security: Small Business Guide to help you
- Common cyber threats infographic
- You should also have a look at Financial Fraud Action UK's Take Five campaign
- Watch their Scam Academy videos to understand how easy it is to be a victim
- The Law Society can also help: we're developing partnerships with trusted, quality assured and relevant cybersecurity providers to offer services tailored for the legal profession.
The continually changing threat environment means ever more needs to be done to detect, prepare for, and adapt to potentially malicious activity. You've been warned: it's not only me that's watching you.