By Legal Futures’ Associate The Cashroom [1]
Cyber crime is rife within the UK with the legal sector continuing to be a jewel in the crown for cyber criminals.
Whilst a myriad of reports into the UK’s ability to defend itself against cyber crime often offer conflicting statistics, one thing is unanimous; the threat to the legal sector is significant and increasing.
According to the Cyber Security Breaches Survey 2019, released by the Department for Digital, Culture, Media and Sport (DCMS), 32% of UK businesses had reported that they had experienced a cyber security breach in the last 12 months.
Whilst this figure represented a fall in breaches from the 43% reported a year earlier, over a third of all businesses that admitted a breach also claimed the attack resulted in a loss of data or assets.
The report highlighted the importance of making sure all law firms take their cyber security seriously, especially considering the amount of personal data and client money that law firms often hold.
The DCMS report highlighted a need for UK law firms and businesses to improve the basic standards and protocols concerning the golden triangle of cyber hygiene: people, processes and technology.
Only 33% of UK businesses were already writing robust cyber security policies in 2019. During the 2018 report, only a fifth of UK businesses trained their staff to become cyber aware; in 2019, this had only increased to 27%.
Similarly, a joint report between the Information Commissioner’s Office (ICO) and New Zealand’s data watchdog equivalent, New Zealand Information Commissioner’s Office, found that only 38% of UK businesses offer cyber training to ensure their staff are aware of and understand how to deal with cyber attacks.
Shockingly, 9% of the 667 organisations approached, did not provide any formal training on data protections or cyber security.
Adequate staff training continues to remain a factor in poor cyber hygiene that could cause catastrophic reputational and financial damage to any law firm. It could be extremely easy for even the most tech savvy individual to fall foul of cyber scams, using social engineering methods, if they are not trained to spot the warning signs.
The Solicitors Regulation Authority issued 217 scam alerts on their website last year, informing law firms and the public about the sophistication of cyber criminals replicating reputable and genuine law firm websites and spoofing email addresses in a bid to use social engineering tactics to steal client money and trick law firms.
In the past three months, magic circle law firm Linklaters have reported a number of attempts on their email domain. Each time, subtle changes were made in an attempt to look like the original, using the actual domain of @linklaters.co and adding a single letter like @linkiakers.com’ and ‘@linklalers.com, to trick the recipient.
Despite the fact that 153,926 people viewed the warnings, many of whom are solicitors and law firms, it can be seen that the threat is still not defended with any gusto.
The DCMS report found that 80% of UK businesses had experienced sustained phishing attacks (cyber criminals using identical or similar email domains to convince people to part with money and information) in 2018.
Unfortunately, email fraud has become a lucrative business for criminals in recent years. The UK Finance report ‘Fraud the Facts 2019,’ malicious redirection fraud, or using a convincing email to convince a home seller or their law firm to change the bank details for any payment, resulted in losses of more than £123 million in 2018 alone. This figure represents 7,544 cases with an average loss of £20,750.
Impersonation fraud, the act of using fake domain websites and email addresses extremely close to the originals, also cost the UK £92.7 million with 10,924 people and businesses impacted by these sophisticated and persistent attacks.
Layers of protection
According to the Financial Commissioner’s Office, The UK has amassed a total of 10,600 notified breaches since May 24th of last year. This equates to over 1,000 notified breaches per month and over 42 per day. When breaches are so frequent and attempted attacks are even more persistent, how can law firms ensure they are able to defend themselves?
A raft of regulators, like Lexcel and CQS, have urged their members to adopt Cyber Essentials, a government backed accreditation/questionnaire aimed at encouraging business owners to consider the ways they protect their business from cyber threats.
Changes to the SRA standards and regulations, set to come into force on November 25, also look to expand the role of the Compliance Officer for Legal Practice (COLP) so that they take a more active role in staff training and awareness of how to prevent significant breaches. This may mean that employees should receive regular training and may face increased accountability in the future.
Similarly, firms should have protocols, procedures and responses securely in place, so staff are aware of the next steps if and when a serious breach occurs. Ensuring that your law firm is cyber aware is not only a definitive way of protecting the firm’s reputation and data, it is also a regulatory imperative.
As the threat of email impersonation and spoofing increases, using email encryption to ensure the message you send is received by the intended recipient, or DMARC email services that ensure the law firm’s domain is spoof proof can also offer increased protections.
However, this threat will remain, and law firms will continue to suffer unless cyber security becomes an embedded consideration and process throughout the business.
Email Address: Alex.Holt@thecashroom.co.uk [2]
Website : https://www.thecashroom.co.uk/ [3]