While no business – across the broadest spectrum of industries – is exempt from cybercrime, legal professionals make particularly lucrative and easy targets. Solicitors and legal practices are custodians of highly sensitive historical and proprietary client data, not to mention swathes of financial records. These types of valuable assets are bound to make ambitious and skilled cybercriminals salivate at the prospect of getting their hands on them.
Solicitors and legal practitioners are no strangers to mitigating risks, given that they are often heavily involved in convoluted legal disputes and contracts. However, many law firms are surprisingly lax in their cyber security awareness and training, leaving them exposed to cybercrime, not least phishing attacks that compromise system security and threaten client confidentiality.
In recent years, cybercrime has only intensified in frequency and sophistication, making it increasingly difficult for even the most vigilant security expert to identify and contain threats.
This article examines why legal firms are frequently targeted by cybercriminals, describes how hackers infiltrate their systems through phishing and also outlines risk mitigation steps firms can take to safeguard their business and client information.
There are two key reasons why the UK’s legal sector faces phishing and other types of online threats.
- They have a wealth of sensitive data.
The average legal firm will handle various categories of sensitive information from contracts, patents, and intellectual property to client wills, property records and financial or life documents.
As expected, this presents a potential goldmine for hackers and malicious actors. Successful phishing attacks on solicitor firms could potentially result in this information being stolen or distributed on the dark web. Additionally, hackers may choose to unleash a phishing or social engineering attack on a practice and hold them to ransom.
With many firms moving to cloud-based document storage solutions and adopting legal accounting software, all data that’s stored electronically is increasingly at risk. Hackers only need to infiltrate a system once to gain access to a whole host of online accounts, systems, and software.
- Most firms aren’t taking cyber security seriously enough.
The National Cyber Security Centre (NCSC) recently urged legal firms to heed recommendations, guidance, and steps to protect their businesses from the innumerable evolving cyber threats that exist. The NCSC warns that with the rise of hybrid working, firms need to adapt how sensitive information and finances are handled, and the knock-on effects that a successful attack can have on clients, as well as a victim firm’s finances.
On top of this, should a hacker decrypt and compromise a legal firm’s data and systems, if they demand a ransom to restore access, many law practices would be under increased pressure to pay. High-profile cyber attacks can result in firms forking over six-figure sums to regain control of their records and client data, so it’s no wonder why many hackers would try their luck with other legal firms.
While every cyber attack is different and can be executed in a variety of unique ways, there are some common exploitation points for a legal firm.
- Phishing emails and malicious links. Hackers often disguise themselves as legitimate suppliers or contacts, sending emails with infected links or attachments that secretly download malware if clicked. New employees are particularly susceptible to this activity, due to their unfamiliarity with internal systems or certain contacts. Employees are lured into clicking links or downloading case files, invoices or providing financial information, not realising that the sender is impersonating one of their contacts.
- Social engineering. Malicious actors are not always hiding, and are rather acting innocuously and visibly. By fostering initial feelings of trust with employees, a hacker can successfully encourage them to provide administrator access to systems or persuade them to provide passwords. Many cautious legal professionals would usually hesitate, but once a hacker breaks those initial ‘barriers’ by tricking the employee, it’s easy for them to weave their way into a system.
- Advanced malware. Malicious software such as backdoors, keyloggers and trojan horses can be installed on systems and export data directly from the law firm’s system. Often, this malware would be allowed to go months without detection in a system, if a legal practice had not installed adequate system monitoring and scanning software. Hackers may also install ransomware which locks users out of their systems until a ransom is paid.
- Brute force attacks. Sometimes hackers instigate numerous bots to execute thousands or even millions of login attempts on software or apps. If passwords are particularly weak and easy to crack, the hacker could gain access rather quickly, and subsequently alter user permissions for authorised users. Law firms may forget to initiate strong password policies or not change passwords regularly, thus making it easy for a criminal to infiltrate.
While this guide has suggested that law firms face an increasingly bleak future when it comes to cybercrime, and recent news not exactly helping matters, there are plenty of simple steps that you can take to harden your security defences.
Law firms can implement security controls such as those outlined below:
- Structured cyber security and phishing education and training. By continually training staff on how to spot and recognise phishing emails and social engineering tactics, it can improve their initial resilience. Simulated phishing attack exercises will help reinforce their learning.
- Strong password policies. Firms should enforce password policies that require all users to create unique, long, and complex passwords for each system or login. It may also be prudent to prohibit the reuse of passwords across sites or shared apps.
- Enable two-factor authentication. As an additional layer to password security, users should always be prompted to validate their login attempt or request for access. This can be in the form of one-time-only codes via SMS or email, or via third-party authenticator apps.
- Install security patches and updates. Keeping all software, programmes, and applications up-to-date will ensure that all known security vulnerabilities are patched in the latest software versions. Ignoring this can be a common entry point for hackers.
- Install reliable security software. Firms should always deploy reputable, supported antivirus, anti-malware and anti-ransomware software on all systems. Many business antivirus programmes also come with built-in internet security and firewall features to further strengthen their defences.
- Email filtering and monitoring. Law firms should always configure their email security to regularly and automatically scan for suspicious links, messages or attachments. Email is widely used in the legal sector, so it’s vital that firms quarantine or block emails from unknown or unrecognised senders.
- Run system backups. It’s crucial to take frequent backups of all systems and data and store copies offline (ideally on a local server) in case of ransomware attacks. Conduct regular tests to ensure that a system restore is successful.
- Establish clear, defined policies. Enforcing comprehensive security policies related to data handling, incident response and use of software will ensure that all staff are holding themselves accountable.
While law firms and other industries remain vulnerable and are enticing targets for cybercriminals, the steps outlined above should serve as a prudent reminder of why legal firms must make cyber security a top priority.
All firms have a part to play in the growing fight against cybercrime, and following these steps will be a vital step in ensuring your firm – and data – stays protected.