Posted by Jennifer Williams, head of IT and security specialist at Legal Futures Associate Lawyer Checker
Cyber-attacks are becoming increasingly low-tech but more wide-ranging. According to the Solicitors Regulation Authority, in the first six months of 2019, law firms reported a loss of £731,250 of client money to this type of crime.
The old image of the master hacker nerd in a bedroom tapping into networks of huge organisations for fun and prestige is no longer relevant. There are now huge organised crime gangs, not only targeting large businesses but also individuals and SMEs.
According to the government, there are around 1,400 criminal organisations actively targeting the legal sector at this very moment. They are no longer using traditional technical hacking techniques, but relying on social engineering to persuade someone to divulge information, click a suspicious link or perform some other action, which causes the user to effectively ‘self-compromise’.
What is the minimum level of cyber-security a law firm should have?
Good cyber hygiene isn’t difficult or expensive to implement. Firms should at least adopt the government’s aptly named Cyber Essentials standard. This covers basics such as proper user management, patching operating systems and software, and closing unused network ports.
Given that phishing and malicious emails are now the most common opener to a cyber-attack, staff training is essential and should be top of your priority list, followed by technology.
The next step is to have a well-drilled incident response procedure. This can be the difference between a cyber-attack being completely debilitating or operations being restored swiftly and with minimal reputational damage.
What are the consequences of not having adequate cyber-security measures?
The consequences are that you will inevitably suffer a breach. It’s not a case of ‘if’, but ‘when’. Statistics show that businesses are now more likely to suffer a cyber-attack than not.
The impact varies by the type of attack and the individual business. Technical attacks such as malware may be nothing more than an irritant, maybe disabling certain elements of infrastructure or making equipment behave strangely.
But they may also be used to expose massive volumes of personal data, resulting in having to report breaches to the Information Commissioner’s Office (ICO), customers and even the media.
The ICO can fine firms if they do not protect personal data. These fines can be up to £20m or 4% of a firm’s turnover, whichever is higher. The reputational damage of such attacks is immeasurable, the costs can be eye-watering and some brands never recover.
What are the early warning signs of an attack?
The reality is that most businesses don’t know they’ve been attacked until quite some time after the event – around three months is the average.
Each attack can differ greatly, but the warning signs are anything that is out of the ordinary. Of course, this means knowing what is ‘normal’ activity for your business, and this is where your IT department is vital.
For example, if a UK-based user suddenly logs on from another country, this would be a warning flag. Admin actions at a time when no admins are working, or a sudden drop in website performance, are likewise indicators that an attack may have happened. The more familiar you are with your infrastructure, the easier these events are to spot and analyse.
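The two warning signs above, turned into a small detector as an added example (not code from the article or from Lawyer Checker): it learns which countries each user normally logs in from, then flags logins from a new country and admin actions outside assumed working hours. The log records, working hours and field names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not from the article). Each is one login or
# administrative action taken from a small firm's authentication logs.
HISTORY = [  # earlier events, used only to learn what is "normal" per user
    {"user": "asmith", "time": "2019-05-20T09:02:00", "country": "GB", "action": "login", "admin": False},
    {"user": "asmith", "time": "2019-05-21T08:55:00", "country": "GB", "action": "login", "admin": False},
    {"user": "jdoe", "time": "2019-05-21T10:10:00", "country": "GB", "action": "login", "admin": True},
]
RECENT = [  # the window being checked against that baseline
    {"user": "asmith", "time": "2019-06-03T09:15:00", "country": "GB", "action": "login", "admin": False},
    {"user": "asmith", "time": "2019-06-03T09:40:00", "country": "RU", "action": "login", "admin": False},
    {"user": "jdoe", "time": "2019-06-03T02:30:00", "country": "GB", "action": "reset_password", "admin": True},
    {"user": "jdoe", "time": "2019-06-03T14:05:00", "country": "GB", "action": "create_user", "admin": True},
]

# Assumed admin working hours for this firm (an assumption, not from the article).
WORK_START, WORK_END = time(8, 0), time(18, 30)


def learn_baseline(history):
    """Map each user to the set of countries they have logged in from before."""
    seen = defaultdict(set)
    for ev in history:
        if ev["action"] == "login":
            seen[ev["user"]].add(ev["country"])
    return seen


def check_event(ev, baseline):
    """Return alert strings for one event; an empty list means nothing unusual."""
    alerts = []
    ts = datetime.fromisoformat(ev["time"])
    # A user with no history has an empty baseline, so their first login is flagged too.
    if ev["action"] == "login" and ev["country"] not in baseline.get(ev["user"], set()):
        alerts.append(f"new-country login: {ev['user']} from {ev['country']} at {ev['time']}")
    if ev["admin"] and ev["action"] != "login" and not (WORK_START <= ts.time() <= WORK_END):
        alerts.append(f"off-hours admin action: {ev['user']} {ev['action']} at {ev['time']}")
    return alerts


def scan(recent, history):
    """Run every recent event against the baseline learned from history."""
    baseline = learn_baseline(history)
    return [a for ev in recent for a in check_event(ev, baseline)]


if __name__ == "__main__":
    for alert in scan(RECENT, HISTORY):
        print(alert)
```

On the constructed data this reports the Russian login and the 02:30 password reset, and stays silent on the in-hours account creation and the routine UK login.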
Is storing data on-site or in the cloud better in terms of cyber security?
With on-site data stores, you remain in complete control of your data and its location, which is great from a GDPR perspective. For me, that’s where the advantages end. I personally would rather have Microsoft, which invests billions in cyber-security, look after my data in one of its high-tech data centres, than an employee on site on a potentially out-of-date server.
I sleep much better knowing that virtual servers are always patched, are protected from natural disasters through a huge network of geo-replicated services and I can scale up and add to them quickly.
What will be the big cyber-security issues over the next five years?
The most concerning issue for me is how far behind certain industries are, considering the pace of change in the cyber-risk industry. As a result, the cyber-criminals are always one step ahead.
I’m amazed at how few organisations take actions like implementing Cyber Essentials and training their staff. Law firms in particular seem to have accepted that they need to take cyber-security seriously, but so far few have taken steps to implement even the most basic email security protocols such as DMARC, or cyber-security awareness training for staff.