With legal practices increasingly reliant on digital technologies, the guardianship of sensitive client information and financial assets has taken centre stage. A backdrop of rising cybercrime, notably propelled by Russian-backed groups amid the ongoing conflict in Ukraine, means the legal sector’s vulnerability to evolving cyber threats is now critical.
In 2023, a new report from the National Cyber Security Centre (NCSC) sounded a warning bell, highlighting that the legal sector was particularly vulnerable to cyber-attacks. This threat became a stark reality in November last year when managed service provider CTS fell victim to a cyber incident that potentially affected hundreds of UK law firms. As we move through the new year, the challenges continue to mount, from increasingly sophisticated ransomware attacks to the persistent danger of phishing.
Here are just some of the critical cybersecurity risks facing legal businesses in 2024.
Ransomware continues to be a significant threat, with cybercriminals increasingly using sophisticated methods to hack and encrypt sensitive data and demand payment for its release. In 2022, Tuckers Solicitors was fined almost £100,000 after a ransomware attack led to organised criminals publishing sensitive court bundles on the dark web.
Despite general advice not to pay the ransom, many companies choose to do so. But be warned: there is no guarantee that criminals will hold up their end of the deal if you do. After being paid, many hackers go ahead and leak the stolen data regardless.
Phishing remains a common attack method. From deceptive emails to QR code-based attacks, hackers are relentless. In 2024, criminals are targeting firms of all sizes, and “for smaller firms that have little or no dedicated cyber security and IT support, the risk of incidents like ransomware attacks is on the increase.”
Last year, Snowball & Jackson (SSJ), a small firm in County Durham, was publicly rebuked by the Information Commissioner’s Office (ICO) after criminals gained access to an employee’s email account through a phishing attack and used it to access probate funds.
Multi-Factor Faking
While multi-factor authentication (MFA) – also referred to as two-factor authentication (2FA) – is a robust security measure, cybercriminals are finding ways to circumvent it, especially where older, weaker forms of MFA (such as one-time codes) are in place. Spoofing MFA pages is one tactic that is on the rise: cybercriminals trick individuals into entering an MFA code on a fake login page, then use that code to gain access to the organisation’s genuine systems.
Artificial Intelligence (AI)
AI can be both a defensive tool and a threat when it comes to cybersecurity. For example, AI can generate compelling and personalised phishing emails, gathering data from various online sources to create comms tailored to specific individuals within a law firm, making them more likely to fall victim to the attack.
Savvy hackers can also use AI to craft malicious code designed to evade security systems, and to create sophisticated malware that evolves and adapts its tactics to maximise its chance of infiltration. Law firms must fortify their defences against these evolving AI-powered threats.
Deepfake technology, powered by AI, is being used to create shockingly convincing audio and video recordings. Anyone who watched the latest Harlan Coben drama on Netflix will have seen how realistic these fakes can be – even going so far as to convince a widow that her husband was still alive! Today, criminals could potentially use such deep-faked recordings to manipulate employees into disclosing sensitive information or authorising fraudulent transactions.
Supply Chain Attacks
The number of companies that have suffered a data breach because of a third party is growing. As networks become larger and more complex, and more and more data is shared between organisations, the level of risk will continue to increase unless effective data governance is in place.
Malicious or unintentional actions by employees can pose a risk to sensitive data. Indeed, a recent study found that 60% of data breaches in the UK legal sector resulted from insider actions. Law firms must implement robust access controls and monitoring systems to detect and prevent insider threats.
Reducing the cyber risk
Protecting against attacks is crucial for law firms to safeguard sensitive client information and maintain operational integrity. Here are several proactive measures law firms can take to enhance their defences in 2024:
- Prioritise employee training. On-going cybersecurity training is essential to educate employees about the risks associated with cybercrime. This training should be regularly reviewed to ensure it is keeping up with new and emerging threats.
- Lead from the top. It is essential that senior leadership teams are engaged and informed about cyber security risk to create a culture of cybersecurity vigilance.
- Invest in comprehensive security measures. A wide range of security tools and measures must be implemented to protect modern law firms from hackers. These include advanced email filtering, email authentication mechanisms (e.g. DMARC), regular backups, maintaining up-to-date operating systems, software and applications, network segmentation, antivirus and anti-malware software, user permission management, multi-factor authentication, and more.
- Perform due diligence on third-party vendors. Assessing the security and privacy practices of your supply chain should be part of the procurement process. You should also keep a register of all third-party vendors, and the types of personal, sensitive or confidential information they process on your behalf.
- Review your Incident Response Plan. Nearly three-quarters of the UK’s top-100 law firms have been affected by cyber attacks. As such, it is vital that your firm develops a comprehensive incident response plan that outlines the steps to take in case of an attack, and conducts regular testing to evaluate and refine the incident response process.
- Ensure regulatory compliance. Making sure your firm is compliant with the latest data protection regulations and industry-specific cybersecurity standards will help counter the threat of cyber incidents. This means regularly auditing and updating your security policies to align with evolving regulatory requirements.
In the ever-evolving landscape of cyber threats, the Legal Eye Academy offers online training that addresses emerging risks, cybersecurity challenges, and compliance issues. Our modules continually adapt to reflect the dynamic regulatory landscape, empowering legal professionals to stay informed and uphold their responsibilities in this digital age. For more information, contact us at 020 3051 2049.