By Legal Futures Associate Miller Insurance [1]
The recent cyber-attack on the Legal Aid Agency, which may have exposed sensitive personal information belonging to thousands of vulnerable individuals, is a stark reminder that no organisation is immune.
The latest in a string of high-profile incidents, including the Co-op and M&S Food, what lessons can professional firms take away from these incidents?
Key lessons
- Don’t delay security-critical IT investments. Security-critical upgrades are not optional or something to “get around to”. Delays create openings that cybercriminals are all too ready to exploit.
- No firm is too small. Cybercriminals are constantly adapting and opportunistically targeting different sectors. Assuming your firm is too small or niche to be a target is dangerous, and wrong.
- Cyber-attacks go beyond IT. A breach or attack can disable your operations for extended periods, leave you vulnerable to large professional claims, and cause lasting reputational damage. Preparedness must go beyond the IT department.
The Legal Aid Board’s IT vulnerabilities have reportedly been known for years*. Similarly, the retail sector – particularly e-commerce – faces growing exposure having grown exponentially in the last decade. Despite this explosive growth, DataDome’s 2024 Security Report found that only 10% of e-commerce websites are fully protected against malicious bots. High-profile organisations may be obvious targets for certain types of (state-sponsored) criminals, but smaller firms often make easier ones.
If you’ve ever commissioned a penetration test, you’ll know how quickly vulnerabilities can be found, and exploited. Many criminal groups openly sell lists of exposed businesses on the dark web, putting thousands of potential victims in reach of even unsophisticated attackers.
Cyber-attacks in the UK and Europe have soared following the advent of the war against Ukraine, and the number of significant global conflicts and ‘cyber warfare’ extends well beyond governmental agencies. AI-powered cyber-attack tools now lower the technical barrier for launching devastating attacks. In short: if you’re not actively preparing, you’re gambling with your clients, your data, and your business.
Priority actions for professional firms
- Audit your critical infrastructure as a matter of priority. Commission an independent security assessment of your digital systems and critical IT assets by a reputable specialist.
- Eliminate outdated systems. Identify and replace all devices running on outdated or unsupported operating systems. This includes Windows 10, which is now in its final months of support. If staff use their own devices for workplace activity, ensure this audit also extends to them.
- Monitor implementation of security updates. Ensure that all staff have implemented all recent security patches and software updates.
- Provide regular and practical training to all staff. Do not simply rely on online modules or circulating bulletins. Conduct regular, practical and interactive training sessions that make cybersecurity tangible and relevant to all teams.
- Review supplier cyber readiness. Ask your business-critical suppliers about their cybersecurity measures. Look for ISO27001 accreditation as one indicator.
- Stress-test your business continuity plans. Use realistic cyber-attack scenarios to test – and refine – your incident response and continuity procedures. The National Cyber Security Centre has guidance on their website. [2]
- Reassess your insurance cover. Ensure your policies provide immediate, practical support in the event of a cyber-attack – not just after-the-fact compensation. It is also advisable to review your limit of indemnity. Although an extreme example, M&S have estimated that they will take a £300m hit to profits, and if the reports of a £100m insurance tower are accurate, there is clearly a significant shortfall.
The Legal Aid Agency breach should not act as another ‘warning’, but a call to action for firms to take cyber-attack prevention seriously. A passive or “wait and see” approach is no longer viable.