The National Cyber Security Centre (NCSC) has published an updated report, “Cyber Threats to the Legal Sector”, on how UK law firms can protect themselves from cyber threats. Its purpose is to “help law firms, lawyers and legal practices understand current cyber security threats, and the extent to which the legal sector is being targeted” and to offer practical guidance on how they can be resilient to such threats. It is aimed at law practices of all types and sizes because “Cyber criminals are not fussy about who they attack”.
The report, which is an update of one previously published in 2018, aims to help UK law practices be more resilient to the main methods of attack and warns how the widespread adoption of hybrid working, accelerated during the COVID-19 pandemic, has increased the risks online and how sensitive information and the sums of money firms often handle can make them particularly attractive targets to attackers.
The report also contains case studies which emphasise the severe impacts that incidents can have. For example, conveyancing firm Simplify Group was left unable to process house moves for weeks after an attack, which is reported to have cost the company £6.8 million, whilst Tuckers Solicitors LLP had data relating to 60 court cases stolen and leaked on the dark web after it fell victim to a ransomware attack.
The report has been produced with input from a range of industry experts and stakeholders, including the Law Society, the Bar Council, the Solicitors Regulation Authority, Action Fraud, the National Crime Agency and the NCSC’s Industry 100 partners.
The report emphasises that cyber criminals are likely to attack both small and large firms, especially those that routinely handle large amounts of money and highly sensitive information, and offers practical guidance on how organisations can be resilient to these threats. It uses key statistics from the Solicitors Regulation Authority (SRA) and the Cyber Security Breaches Survey 2023. It also directs readers to a range of NCSC online resources and services that can help them to protect their organisations, suppliers and clients. These include free services such as:
- Check Your Cyber Security, a government service suitable for smaller firms, that performs a range of simple online checks to identify common vulnerabilities in your public-facing IT.
- Exercise in a Box, an online tool which helps organisations find out how resilient they are to cyber attacks, and practise their incident response in a safe environment.
- Early Warning, a service using information feeds from the NCSC, plus trusted public, commercial and closed sources to inform your organisation of potential cyber attacks on your network.
It looks at particular types of threats to law firms and offers specific guidance on how each can be resisted. These include:
- Phishing – when criminals use scam emails, text messages or phone calls to trick their victims;
- Business Email Compromise – phishing emails aimed at specific individuals such as budget holders and accounts managers;
- Ransomware and Other Malware – malicious software (‘malware’) that prevents you from accessing your computer, or the data stored on it;
- Password Attacks – exploiting re-used or weak passwords, or accounts without multi-factor authentication enabled; and
- Supply Chain Attacks – third-party providers not having adequate safeguards in place.
The report then goes on to look at how firms can improve their cyber resilience, and what security measures can be taken.