The importance of cybersecurity for law firms of all types and sizes cannot be overstated and with the continuing growth in the number of cybercrimes that are being carried out, being complacent about the chances of it affecting your firm is not really an option.
The report from earlier this month, that criminal defence firm Tuckers had been fined £98,000 by the Information Commissioner for its failure to secure sensitive papers that were later published on the dark web, shows that the penalties can be severe. However, a £98,000 fine could just be the thin end of the wedge if your firm were to lose sensitive commercial data belonging to a client or be one of the countless victims of conveyancing fraud.
As solicitors become ever more reliant upon technology, so too do they become more at risk of being exposed to cybercrime. Law firms in particular provide an attractive opportunity for cybercriminals wanting either to gain access to confidential information or to obtain client money and as the use of cyber resources increases, so too do the number of cyberattacks.
Despite this there is still an underlying current of thought amongst some that cybersecurity incidents are either the invention of the cybersecurity industry or something that only happens in films or to other people. They are neither: they are a real threat, especially for law firms, and one that is growing by the day. The Cyber Security Breaches Survey 2021, produced for the Department for Digital, Culture, Media and Sport, found that four out of ten businesses had experienced cybersecurity breaches or attacks in the previous 12 months, with more than one in five of those resulting in the loss of money, data or other assets.
Law firms handle a huge amount of confidential information and often hold and transfer substantial amounts of client money. It is inevitable, therefore, that they are more likely to be subject to external cyber threats than most other businesses. The PWC Law Firms Survey 2021 found that 90% of the law firms involved in the survey regarded cyber risk as the biggest threat to their future growth ambitions. The Solicitors Regulation Authority has stated in its Risk Outlook 2020-2021 that in the first half of 2020, it had been informed that nearly £2.5m of money held by firms had been stolen by cybercriminals, over three times the amount reported in the first half of 2019.
It is worth bearing in mind that the problems associated with cybersecurity are growing, and criminals and fraudsters are stepping up their efforts to capitalise on the opportunities which technology, and the growth in use of the Internet, offer, in particular in relation to e-commerce, online banking and law firms. Since the Covid lockdown and the growth of homeworking this has increased yet further, as more workers operate from home rather than from behind secure firewalls in offices. The National Centre for Cyber Crimes reported a 337% rise in phishing scams in the first two months of the first national lockdown, and the SRA reported that cyberattacks increased by 400% in the first few weeks of the first lockdown in March 2020 as criminals took advantage of people working from home, often without the normal security measures.
Cybercrime Magazine predicted in its 2022 Cybersecurity Almanac that global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. What is more, cybercrimes are vastly undercounted because often they aren’t reported whether due to embarrassment, fear of reputational harm, fear of increased insurance premiums or the belief that law enforcement can’t help. Some believe that as few as 10 percent of the total number of cybercrimes committed each year are actually reported. By 2031 it is estimated that crimes involving ransomware alone will cost victims over £200 billion annually.
In its report Crime in England and Wales for year ending September 2021, the Office for National Statistics revealed that there was a total of 1.9 million computer misuse offences, an increase of 89% compared with the year to September 2019 with a 161% increase in “Unauthorised access to personal information (including hacking)”.
The threats faced by law firms
So, what are the threats that law firms face?
In its 2018 Report “The cyber threat to UK legal sector”, the National Cyber Security Centre highlighted four key areas of threat for law firms. These were phishing, data breaches, ransomware, and supply chain compromise.
The SRA, on the other hand, in their 2018-2019 Risk Report, stated that, in the first quarter of 2018, “email modification fraud accounted for more than 70% of all cybercrime reports with most other cybercrime reports also involve some form of forgery to deceive targets into responding, rather than explicit hacking of the firm’s systems.” In addition, it listed phishing, malware, CEO fraud and identity theft as the main areas for concern. The Risk Outlook (2020-2021) has added that “Ransomware is becoming more serious. It is not always possible to recover affected data, even after paying the ransom. As well as denying access to files, it increasingly copies the information and threatens to release it. Firms should now assume that a ransomware attack has breached confidentiality of the information they hold”.
The conclusion one must reach, therefore, is that law firms face all of the threats that other businesses face, including malware, viruses, phishing and vishing attacks, email fraud, identity theft, data theft and destruction, CEO fraud, bank fraud, ransomware attacks, data breaches, supply chain fraud, problems with disaffected or rogue staff, and scams, to name but a few. The “key” threats, however, appear to be:
- Email modification fraud – occurs when criminals intercept and falsify emails between a client and the firm, often leading to bank details being changed and money being lost;
- Friday afternoon fraud – this gets its name from the fact that fraudsters will wait until the busiest time of the week to perpetrate a fraud – which in a conveyancing firm is usually Friday because of the number of completions – and either attempt an email modification fraud or a phishing attempt to try and get bank login details;
- Phishing and vishing – using emails and phone calls to get staff to reveal important information about the firm’s clients, its accounts and banking information or other sensitive data;
- Malware – getting firms to allow malicious software onto their systems, which allows criminals to access the firm’s system or record information such as keystrokes or user activity;
- Ransomware – a rapidly growing threat where the cybercriminal denies the firm access to its system or encrypts data until such time as a ransom is paid;
- Identity theft – gaining access to firm and individual information, and then using that information to impersonate the firm or a member of the firm so that a fraud can be perpetrated.
Aside from intentional criminal acts, law firms also need to be aware of the cybersecurity threats that can arise from “non-malevolent” sources – for example threats from poor security practices, negligence, carelessness and loss by accident.
These can include inadvertently disclosing confidential information over social media, emails sent to the wrong recipient or the wrong document being attached to an email, being overheard having a conversation about a confidential matter, losing files or electronic devices or allowing laptop screens to be overlooked whilst on public transport or in a coffee bar.
The cost to the firm
There is, naturally, a cost to the firm from falling victim to this increased cyberthreat activity. As the SRA has pointed out in its publication “Information and Cyber Security”, the additional costs of cyberattacks to firms include:
- higher insurance premiums
- having to pay for financial losses
- lost time
- damage to client relationships
- lost jobs
- stress and pressure on staff.
For example, the SRA’s “Cyber Security – Thematic Review” published in September 2020 reports that 23 of the 30 cases in which firms were directly targeted saw a total of more than £4m of client money stolen with one firm losing around £150,000 worth of billable hours following an attack which crippled their system.
Just last year the Law Society’s Gazette reported that the purchaser of a house was scammed into handing over £640,000 to criminals after emails to their solicitor were intercepted. The criminals created a fake email account that looked like the solicitor’s email and provided payment details on headed paper via the spoofed email and got the purchaser to pay money into a fraudulent account. Most of the money was never recovered and the purchase collapsed.
It is worth bearing in mind that, where money is lost from client account as the result of cybercrime, the primary responsibility for replacing that money lies with the solicitor. In 2019, a firm of solicitors was tricked by a phoney email into sending more than £600,000 from the proceeds of a client’s house sale to a criminal’s bank account. The fraudsters had set up an email account whose address differed by only one letter from the client’s true email address, so that it appeared to her solicitors that the request for payment had come from her.
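Both the email modification fraud described in the threat list above and the one-letter-different address in this case rest on a sender address that a busy fee earner will not notice is wrong. The check below is an added example for illustration, not code from Infolegal, the SRA or any case mentioned here: it compares an incoming sender address against a matter's verified contact list using edit distance, flags a Reply-To that points somewhere other than the visible sender, and separately flags any message that talks about bank or payment details so that it is routed for out-of-band verification. The contact addresses and message text are constructed for the example; the `assess_message` function and its thresholds are assumptions, not any product's API.

```python
"""Flag incoming e-mail whose sender is a near-miss of a verified contact.

Added example, not code from the original article or from Infolegal.
Assumes the firm keeps a list of verified contact addresses per matter
(the addresses and message bodies below are constructed for illustration).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


# Wording that should always trigger a phone call back to a known number,
# whatever the sender address looks like (constructed pattern).
BANK_DETAILS = re.compile(
    r"(new|updated|changed)\s+(bank|account|payment)\s+details"
    r"|sort\s*code|account\s+number",
    re.IGNORECASE,
)

# A threshold of 2 catches a single wrong letter and also "rn" passed off
# as "m" (two edits), while keeping unrelated addresses out.
MAX_EDITS = 2


def assess_message(sender: str, reply_to: Optional[str], body: str,
                   known_contacts: Set[str]) -> Verdict:
    """Return a Verdict listing every reason the message should be held
    for manual verification before any payment instruction is acted on."""
    reasons: List[str] = []
    sender = sender.strip().lower()
    known = {k.strip().lower() for k in known_contacts}

    if sender not in known:
        # Look for a verified address that differs by only a letter or two.
        for contact in sorted(known):
            d = edit_distance(sender, contact)
            if 0 < d <= MAX_EDITS:
                reasons.append(
                    f"sender {sender!r} is {d} edit(s) away from verified "
                    f"contact {contact!r}")
                break

    if reply_to and reply_to.strip().lower() != sender:
        # Replies would go to a different mailbox than the one shown.
        reasons.append(f"Reply-To {reply_to!r} differs from sender")

    if BANK_DETAILS.search(body):
        reasons.append("message refers to bank or payment details; "
                       "verify by phone on a number already on file")

    return Verdict(suspicious=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    contacts = {"jane.smith@example.com"}  # constructed verified contact
    v = assess_message(
        "jane.smlth@example.com", None,
        "Please send the completion monies to my new bank details.",
        contacts)
    for r in v.reasons:
        print("HOLD:", r)
```

In practice the verified contact list comes from the client care letter or the matter record, never from an earlier email in the same thread, since that is exactly what an intercepted mailbox lets the fraudster control.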
Aside from the purely financial cost, there is also the regulatory and reputational cost to a firm. Failing to take adequate steps to protect the confidentiality of client information is in all likelihood going to be a breach of Principles 2 and 7 of the SRA Principles, as well as a breach of paragraph 6.3 of the SRA Code of Conduct for Solicitors, RELs and RFLs, which requires that “You keep the affairs of current and former clients confidential”. Failing to take steps to ensure that client money is not misdirected could amount to a breach of paragraph 4.2 of the same code, which requires that “You safeguard money and assets entrusted to you by clients and others”. You may also, as in the Tuckers case mentioned earlier, be in breach of data protection regulations and legislation, and your firm could be fined by the ICO for failing to protect personal data.
So what should firms do in order to avoid being the victim of cybercrime or a cybersecurity breach?
Clearly the most obvious step is to ensure that, from a technology perspective, their systems are secure and effective. That means having firewalls and anti-virus and anti-malware protection in place, and making sure that all operating systems and programs are kept up to date. It also means reviewing security settings on devices and software and ensuring that access to sensitive data is controlled.
However, quite often the weakest link in any IT security programme is the people who use it – in other words, partners and staff. For that reason, firms need to ensure that everyone is trained to understand the threats that exist and how to avoid them, and procedures need to be put in place to reduce the chance that a phishing attack succeeds or that malware is inadvertently introduced onto the firm’s system. Everyone needs to understand the importance of passwords, of not inadvertently disclosing sensitive data and information, and of ensuring that confidential information is not exposed on screens in areas to which the public has access.
Most crucial is the message that cybersecurity is the responsibility of everyone – not just the IT department – and that with a little thought and preparation many of the issues that do arise can be avoided.
How can Infolegal help?
Infolegal offers firms a range of information and guidance on different areas of cybersecurity including social media, email use, passwords, data protection, ransomware and dealing with cybersecurity breaches. It has a range of policies covering most of the areas of cybersecurity that firms can implement and provides comprehensive cybersecurity training courses that can be rolled out across the firm.
For more information phone us on 0203 371 1064 or email us at firstname.lastname@example.org.