Hackers have law firms firmly in their crosshairs. According to figures from the National Cyber Security Centre, last year saw a 20% rise in cyber-attacks on law firms. Advanced cyber security was once a ‘nice to have’, but law firms can no longer ignore it. The risk, both to a firm’s finances and reputation, is too great. Randhir Shinde, CEO at Galaxkey, talks to Lawyer Monthly below about the impending need to take action.
Last year’s hacks resulted in more than £11 million of client money being taken from UK firms. This alone represents a need to act; however, hackers are not just after money.
Whilst financial reasons are still the main motivation behind most attacks, an increasing number of hackers are keen to access sensitive personal information. As one example of this, we are seeing nation states beginning to target law firms that advise sensitive clients. What’s more, some hackers simply attack for ‘sport’, challenging themselves and others to find the juiciest personal information.
As the number of attacks increases, so too do the methods used. Cyber thieves are becoming ever more inventive and are finding new routes into companies’ information – the most common threats being phishing scams, data breaches and ransomware.
Cyber thieves have also broadened their targets. Small UK law firms are at risk, not just the Magic Circle. Small firms are seen as an easier target, likely lacking the sophisticated cyber security infrastructure that larger firms are more likely to invest in.
The General Data Protection Regulation expects that all businesses that handle data take reasonable steps to ensure that data is managed and held securely. It can be easy to think that this just means encrypting data, but it doesn’t. It means that data must be transmitted securely, yet few firms consider what this means.
Legal professionals now frequently work remotely or take work home. To do this, employees often email necessary documents to their home accounts. This period of transit leaves data completely unprotected and exposed, but few consider these risks.
Working remotely and on mobile devices presents other risks, particularly with employees using insecure Wi-Fi connections. This is a major security risk, with insecure connections being easier to hack. Despite this, industry research shows that around a third of employees use free, insecure Wi-Fi at cafes, hotels and bars.
Mobile devices can also be lost, stolen or tampered with. It’s essential that measures are in place to protect the company when this happens, or else hackers have an easy route into sensitive information.
Within the office, printers and scanners are often overlooked as devices that can threaten cyber security. These devices store and process data but are often forgotten about. Due to the nature of their work, law firms regularly use such devices for printing and scanning important and confidential contracts or personal documents – a dream target for hackers, who can use these devices for data theft or to plant malware or virus infections.
Digital signatures are another area of concern. These have become increasingly essential for legal professionals; however, they are acutely vulnerable to fraud and forgery. Ensure that your firm uses secure document signing technology, which uses digital encryption and audit trails to keep the signature secure.
These are just a few areas of concern. Technical solutions are essential to defending against these risks; however, employee education is just as important. Data security education requires a company-wide effort; it cannot be the sole responsibility of the IT manager. Senior teams must ensure that the entire workforce is clear on the threats posed by their own actions with regard to working and accessing data remotely.
Few legal businesses have woken up to the increased importance of data security, despite the fact that a quarter report being the victim of a cyber-attack. Until firms begin opening their eyes, clients’ personal information and companies’ finances remain vulnerable and regular data breaches will continue.