The Growing Cyber Threat Facing the Legal Sector
Cybercrime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms.
A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.
Law firms, as with all modern day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research enforces the scale of the problem: in 2017, 60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware so are reporting cases, or cybercrime is on the rise. It’s most likely a combination of both.
Andy Pearch, CORVID’s Head of IA Services, outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.
The legal sector is particularly vulnerable to cyberattacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.
Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.
Not only do law firms and their clients have to consider the financial impact of a cyberattack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack.
Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.
Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyberattack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise.
The use of multiple detection engines and threat intelligence sources transforms email security and threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.
Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber security mindset – notably, the threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.
It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.