A new Risk Outlook Report from the Solicitors Regulation Authority (SRA) has revealed that email remains a significant vulnerability for law firms and is involved in more than four out of five of all reported cybercrime incidents.
The SRA report, which is entitled “Information security and cybercrime in a new normal”, outlines some of the new threats that criminals are using to exploit new technology. It reveals that, of cybercrimes reported in 2021, 83% involved email – including email phishing attacks. Inevitably, conveyancing has proved to be the most common target for such attacks, although cyber criminals are now targeting a wider range of practice areas.
The report goes on to warn that ransomware, once one of the rarer forms of attack on solicitors’ practices, is now growing in frequency and is increasingly being used to steal information, to threaten the release of confidential information and to lock firms out of their own systems. Whilst traditionally ransomware was simply used to encrypt data, newer ransomware attacks steal that data as well as encrypting it, with criminals pressurising firms by threatening to release sensitive information.
Although most ransomware attacks tend still to be random, some are becoming targeted, and at a time of international tensions, firms acting for clients operating nationally significant infrastructure projects could be at higher risk, as could firms acting for Ukrainian, Russian or Belarussian clients.
Infolegal has produced a Factsheet dealing with Ransomware and the Law Firm which is available to all Infolegal InfoHub users.
The Report also looks at a growing trend of firms being affected by cyber-attacks on third parties. This can be direct, with criminals compromising the third party and attacking its customers with malware, or indirect, where an attack on a provider harms the firm and its clients. Examples encountered by the SRA include a compromised system at an IT service provider, which the criminals used to spread malware to the firm’s customers, and an attack on a barristers’ chambers. Both of those spread to multiple solicitors’ firms.
The Report goes on to predict that cybercriminals, aware that firms are focusing on the security of their IT systems, might make greater use of false physical documents or newly emerging scams where criminals carry out focused attacks using voice-modification software in calls to impersonate a solicitor.
To combat these threats, the Report suggests that firms need to take various steps to make themselves less likely to be affected by such attacks. This includes changing the firm’s culture so that staff are more likely to report potential breaches without suffering blame, putting in place security systems such as multi-factor authentication, checks on those with whom the firm has dealings and ensuring that staff are better trained in all aspects of cybersecurity. Infolegal InfoHub users have access to a wide range of training materials including guides and factsheets dealing with various areas of cybersecurity and training courses dealing with cybersecurity, data protection and funds authorisation processes.
The information security report can be found on the SRA website at www.sra.org.uk/sra/research-publications/risk-outlook-report-information-security-cybercrime/ whilst a linked report entitled “Innovation in a competitive landscape” can be found at www.sra.org.uk/sra/research-publications/risk-outlook-paper-innovation-competitive-landscape/.
See also our own article “Solicitors and Cybersecurity” published in March of this year.