The National Cyber Security Centre (NCSC), part of GCHQ, has just published its first report on the growing cyber threat to the legal profession.
The report, which has been compiled with the assistance of the NCSC’s in-house cyber security experts, the NCSC-sponsored Industry 100 scheme, the Law Society, the Solicitors Regulation Authority (SRA), Action Fraud (the UK’s national fraud and cyber crime reporting centre) and the National Crime Agency (NCA), has been produced in direct response to a requirement from the legal sector and forms part of the NCSC’s mission to raise the cyber maturity and resilience of law firms. It is intended to engage senior decision makers in the legal sector and encourage industry-wide adoption of cyber security best practice.
The report notes that the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014.
The financial and reputational impact of cyber attacks on law firms is also significant. The costs arise from the attack itself, from remediation, and from repairing reputational damage to regain public trust. The SRA reports that over £11 million of client money was stolen due to cyber-crime in 2016-17.
The NCSC report, a full copy of which can be read here, identifies the most significant cyber threats that law firms should be aware of as being:
- Phishing
- Data breaches
- Ransomware
- Supply chain compromise
This tallies with our own experience of working with law firms and other regulated industries that hold a great deal of sensitive client data and handle large financial transactions, and which are therefore particularly targeted by cyber criminals. In future blogs I will explore each of these areas in more depth, but today I wanted to share some general tips on how to secure your law firm against these types of attacks.
- Have in place staff education and formal business processes around opening emails, handling “urgent” rushed transactions and changes of bank details.
- Ensure you are using a wide array of technical security tools (not just a firewall and antivirus) and that these are being actively monitored and updated by a cyber security specialist.
- Consider getting Cyber Essentials certification. Whilst certification to this government-backed scheme does not guarantee to mitigate every security threat, it does ensure your firm is operating to a minimum standard of good practice in cyber security management.
- Review your data and systems backup policies, and ensure you are not dependent on one form of backup alone, which could itself be compromised (for example, there have been cases where firms relied exclusively on real-time online backup, only to find that when they fell victim to a ransomware attack, the backup had been encrypted along with the live data).
- Have an external IT specialist run a Backup and Disaster Recovery (BDR) Assessment to identify any risk areas in your firm’s current disaster recovery procedures which could cause an issue in the event of a cyber attack necessitating a restore from backup.
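The backup points above are the ones that can be turned into a concrete check. The script below is an added example, not part of the NCSC report or of Epoq IT's own tooling: it takes an inventory of the copies a firm holds of one data set and flags the single-point-of-failure cases (one copy, one medium, nothing offline or immutable), then compares a trial restore against the file hashes recorded when the backup was taken, so that a copy which was quietly encrypted by ransomware before it synced is caught before it is needed. The inventory, the manifest and the file contents are all constructed for the illustration; the entropy threshold is a rule of thumb, not a value from the report.

```python
"""Added example: check a backup set for single-point-of-failure risk and
verify a trial restore against a known-good manifest. All inventory data,
manifest entries and file contents below are constructed for illustration."""
import hashlib
import math
from collections import Counter

# Constructed inventory of the copies held of one data set (client files).
BACKUP_COPIES = [
    {"name": "cloud-sync", "medium": "online-sync", "offline": False, "immutable": False},
    {"name": "nas-snapshot", "medium": "nas", "offline": False, "immutable": True},
    {"name": "tape-weekly", "medium": "tape", "offline": True, "immutable": True},
]


def backup_policy_findings(copies):
    """Return a list of policy gaps; an empty list means the copies are
    independent enough that one compromise should not take all of them."""
    findings = []
    if len(copies) < 2:
        findings.append("only one backup copy exists")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies are on the same kind of medium")
    if not any(c["offline"] or c["immutable"] for c in copies):
        findings.append("no offline or immutable copy: ransomware reaching the "
                        "live systems can encrypt every copy")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents score well under 7.5, while encrypted
    or compressed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


ENTROPY_THRESHOLD = 7.5  # rule-of-thumb cut-off, assumed for this example


def verify_restore(manifest: dict, restored: dict) -> list:
    """Compare a trial restore against the manifest recorded at backup time.
    Returns (path, reason) pairs for every file that is missing or altered;
    high entropy on an altered file is a strong hint that it was encrypted."""
    problems = []
    for path, expected in manifest.items():
        blob = restored.get(path)
        if blob is None:
            problems.append((path, "missing from restore"))
        elif sha256_hex(blob) != expected:
            reason = "hash mismatch"
            if shannon_entropy(blob) > ENTROPY_THRESHOLD:
                reason += " (high entropy: content looks encrypted)"
            problems.append((path, reason))
    return problems


# Constructed known-good files and the manifest recorded when they were backed up.
ORIGINAL_FILES = {
    "clients/acme/engagement-letter.txt": b"Dear Ms Smith,\nWe confirm our instructions...\n" * 40,
    "clients/acme/completion-statement.txt": b"Purchase price: 250,000.00\nDeposit: 25,000.00\n" * 40,
}
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# Constructed trial restore from the online-sync copy after a ransomware incident:
# one file synced back already encrypted (a uniform byte distribution stands in
# for ciphertext here), the other is intact.
RESTORED_FROM_SYNC = {
    "clients/acme/engagement-letter.txt": bytes(range(256)) * 16,
    "clients/acme/completion-statement.txt": ORIGINAL_FILES["clients/acme/completion-statement.txt"],
}


def run_checks():
    """Run both checks and return their results for reporting."""
    return {
        "policy": backup_policy_findings(BACKUP_COPIES),
        "sync_only_policy": backup_policy_findings([BACKUP_COPIES[0]]),
        "restore": verify_restore(MANIFEST, RESTORED_FROM_SYNC),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, "->", result or "OK")
```

The policy check is deliberately simple: it encodes the point in the list above (at least two copies, on different media, with one that an attacker on the live network cannot reach or alter). The restore check is the part firms most often skip; a scheduled trial restore of a handful of files, compared against hashes that were written at backup time and stored separately, is what turns "we have backups" into "we know the backups work".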
Should this article have raised any questions, or if you would like more information on any of the risk mitigation measures mentioned above, please do not hesitate to contact me, and I will be happy to arrange a free consultancy call to advise your firm on how to go about putting these strategies in place to minimise the risk from cyber security threats.
To read the full NCSC report, please visit https://www.ncsc.gov.uk/legalthreat
Epoq IT work with small and medium size law firms, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please visit our website http://epoq-it.co.uk/law-firms-solicitors-and-legal-services-businesses/