Cybersecurity: What are the biggest threats for the legal sector?

The SRA reported that in 2016-17, over £11 million of client money was stolen due to cyber crime.

In the last year, 60% of law firms reported an information security incident - almost a 20% increase from the previous 12 months.

It’s clear that the cyber threat to the UK legal sector is significant and is growing.

So, what are law firms worried about and how does this compare to the views of the experts at the National Cyber Security Centre (NCSC)? The answer is that the trends across both sets of research are fairly consistent.

Our survey in June 2018 took in responses from firms of all sizes and helped to provide an indication of the current patterns of cybersecurity activity in the sector:

  • the types of attacks and breaches occurring and the extent to which the sector is being targeted
  • top cybersecurity concerns amongst law firms
  • context for attempted or successful attacks on law firms

52% of firms reported having detected an attack, whether successful or unsuccessful, in the prior year (June 2017 to May 2018). The top three types of attacks detected were:

  • Phishing emails (81%) - A hacker attempts to obtain financial or other confidential information by sending fraudulent emails to people in your firm.
  • Spoofing (53%) - A hacker attempts to obtain financial or other confidential information from third parties by impersonating your firm, for example by sending emails or hosting a fake website.
  • Viruses, spyware or malware attacks (47%) - Types of malicious software designed to perform damaging operations on a computer.

Phishing attacks remain the primary concern amongst firms and mirror the number of breaches detected.

However, data breaches through theft of data and hacking of office or client accounts are the next two top worries on the list - though our survey revealed a low number of actual reports of breaches in these areas.

Case studies: Phishing
"We have received CEO emails addressed to other people (eg accounts staff) asking for urgent transfers of money. Also, emails from people alleging they are clients and have changed their bank details during conveyancing transactions."
Firm size: 41-170 fee-earners
"Our accounts department received an email from an address that was very similar (but different) to one of our partners, asking for a transfer of funds. It was immediately spotted and reported but our IT department said it was a random attack so no software could have stopped it."
Firm size: 2-5 fee-earners

Read our website hacking whitepaper that we published in partnership with SharkGate. The report outlines the potential vulnerabilities of websites: the types of hack, signs that a site has been hacked, and their impact.

Examples include how websites are being used in phishing and spoofing attacks, whereby fraudulent emails are sent, users are directed to fraudulent websites or organisations are impersonated in emails.

Our findings are almost identical to the NCSC’s perspective, which is outlined in its report: The cyber threat to the UK legal sector. The report was published in July 2018, and the top four threats it identifies are: phishing, data breaches, ransomware and supply chain compromise.

The NCSC’s report includes case studies of law firms that were compromised, suggestions for mitigating vulnerability, and signposts to its other excellent and extensive resources and guidance available online.

To keep up to date with cybersecurity news, subscribe to our free weekly cybersecurity digest, which is emailed every Wednesday afternoon.
