The three biggest cyber threats facing law firms

The latest Hiscox Cyber Readiness Report makes for sobering reading about the cyber threat facing businesses and their ability to resist a cyber attack. More than half (55%) of British firms suffered at least one cyber attack in the past 12 months.

Law firms are among cyber criminals’ most attractive targets, but, although they’re aware of the risks, law firms don’t always properly protect themselves.

In fact, nearly three-quarters of the businesses we surveyed failed our cyber readiness test, which measures how they match up to cybersecurity best practice. Meanwhile, an increasing number of SMEs are now being targeted. Nearly half (47%) of small firms say they were attacked in the past 12 months, up from a third in 2018.

Data breach, either from a cyber attack or simple error, is one of the biggest threats legal practices now face, from Magic Circle firm to sole practitioner.

The biggest threats facing law firms

Email hijacking

Criminals hacking into a firm’s email server to intercept and send false emails to clients, usually to change bank details, is the biggest threat to law firms. It makes up 80% of cyber crimes reported to the Solicitors’ Regulation Authority (SRA) in the second quarter of 2018. Nearly £11 million of client money was stolen through cyber fraud in 2017. Although that figure fell in 2018, the SRA suspects firms don’t report all cyber thefts, so it remains a significant issue.

This was our biggest source of claims in 2018 (37%), and the implications go further than stolen money. Under GDPR, these incidents must now be reported to the regulator, as criminals may also have accessed data in the email account, which is likely to include personally identifiable information.

Phishing
Phishing attacks, where staff are tricked into giving away confidential information, have reached epidemic proportions. Around 80% of law firms have had at least one phishing attack in the past 12 months, according to a Law Society online poll. Once they have your username or password, cyber criminals can hack into your firm’s computer system and steal information or money.

Malware
Harmful software can encrypt files, steal data, spy on your activity, and even hijack your server’s processing power. Ransomware, which effectively ‘kidnaps’ your files in return for a ransom payment, is the main malware threat, making up 16% of our cyber claims in the UK in 2018.

Even if you pay a ransom and get a decryption key, your data may be permanently unrecoverable, or your files may not work properly after decryption, because of glitches in the ransomware code. Secondary viruses downloaded along with the ransomware may also lurk on your system, providing criminals with a ‘back door’ to attack your system again in future.

How to protect your business

You can reduce the likelihood of cyber attacks by taking simple measures, such as making sure your software, including your anti-virus program, is up to date. Many organisations affected by the 2017 WannaCry attack could have avoided it if they’d updated their systems sooner.

You should also regularly back up your files, preferably to somewhere off your network, such as an external hard drive or cloud server. This way, if you are attacked, your data can be restored.
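A backup only counts if it can actually be restored. The script below is an added example (not code from Hiscox or the Law Society) of the off-network backup routine just described: it archives a folder to a destination that stands in for an external drive or mounted cloud share, writes a SHA-256 manifest beside the archive, then proves the archive is restorable by extracting it to a scratch directory and re-hashing every file. The source and destination paths, and the sample files, are assumptions for illustration.

```python
"""Off-network backup with restore verification (illustrative example).

Archives a source directory into a timestamped tar.gz, records a SHA-256
manifest next to it, and verifies the archive by restoring it to a scratch
directory and comparing every file against the manifest.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large documents are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, destination: Path) -> tuple:
    """Archive `source` into `destination` and write a JSON manifest beside it.

    `destination` is assumed to be an external drive or a mounted cloud share,
    i.e. somewhere a ransomware infection on the office network cannot reach.
    """
    destination.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = destination / f"backup-{stamp}.tar.gz"
    manifest_path = destination / f"backup-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> bool:
    """Restore the archive to a scratch directory and check it against the manifest.

    Returns False if the archive is unreadable (e.g. truncated or corrupted)
    or if any restored file is missing or differs from what was backed up.
    """
    expected = json.loads(manifest_path.read_text())
    # Use the safe extraction filter where the interpreter supports it
    # (Python 3.12+, and backports to 3.8.17/3.9.17/3.10.12/3.11.4).
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
            actual = build_manifest(Path(scratch))
    except (tarfile.TarError, OSError, EOFError):
        return False
    return actual == expected


if __name__ == "__main__":
    # Constructed sample data: a small "matters" folder backed up to a
    # stand-in for an external drive, then verified and reported.
    workspace = Path(tempfile.mkdtemp())
    matters = workspace / "matters"
    (matters / "client-a").mkdir(parents=True)
    (matters / "client-a" / "engagement-letter.txt").write_text("constructed sample")
    (matters / "notes.txt").write_text("constructed sample notes")
    archive_path, manifest = create_backup(matters, workspace / "external-drive")
    print("backup restorable:", verify_backup(archive_path, manifest))
```

Run it on a schedule against the real matter folders and treat a `False` from `verify_backup` as an incident to investigate, not a warning to ignore: the manifest also gives you a record of exactly which files were present and unmodified at backup time, which is useful evidence after a ransomware event.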

However, human error is the biggest danger. Over two-thirds (67%) of all cyber-related insurance claims we received in the 18 months to September 2017 were directly caused by an employee’s mistake, such as:

  • clicking on malicious emails
  • visiting harmful websites
  • losing devices

That’s why it’s so important to train your staff on information security, for example:

  • taking care when taking work home
  • having strong, unique passwords
  • knowing the risks in using their own device to log into the work computer network

The threat to a law firm of having confidential information either stolen or lost could be devastating. Yet only 21% of law firms have cyber insurance, according to a 2018 Law Society poll. Although your professional indemnity policy protects you if client funds are stolen through fraud, there are plenty of costs to your business from a cyber attack that it doesn’t cover. Also, how long could your firm operate without access to its computer system? It could have a big impact on your revenue.

A cyber insurance policy can help your firm:

  • recover quickly after a data breach
  • cover the lost revenue when your business is out of action
  • pay for the expert help you’ll need to recover your data and get your systems back online
  • liaise with regulators
  • inform clients of what’s happened

Hiscox cyber and data risks insurance is available to Law Society members with a five per cent discount (full terms and conditions available here). Visit our dedicated partner page or call their UK-based team of experts on 0800 840 2781. Please note that we are unable to provide any advice on the suitability of products.

Hiscox offers its cyber and data insurance policyholders that are UK organisations with a turnover of less than £10 million access to its CyberClear Academy. It’s an online interactive suite of training modules to help your employees understand the risks of phishing or social engineering attacks and therefore reduce the risk of falling victim to a hack.
