Nation states and hacktivists are cyber threats to law firms in addition to criminals, the government’s National Cyber Security Centre (NCSC) has warned.
The NCSC, part of GCHQ, said “entrusting law firms to safeguard highly confidential, commercially sensitive, and often personal information makes them prime targets for cyber criminals and other attackers”.
Its updated Cyber Threat to the Legal Sector report, last published in 2018, said cyber-criminals with a financial motive remained the primary threat to the legal sector, ranging from advanced, professional groups to small-scale fraudsters.
“Criminals can buy ‘off the shelf’ services from more experienced cyber-criminals, and so do not need advanced technical skills themselves.
“This change has led to an increase in the scale of cyber-crime, with criminals indiscriminately attacking thousands of organisations – large and small – using predominantly automated tools that require little technical knowledge.”
The NCSC said it was also increasingly seeing ‘hackers-for-hire’ who earn money through commissions to carry out malicious cyber-activities for third party clients, “often involving the theft of information to gain the upper hand in business dealings or legal disputes”.
It added: “For their clients, they provide technical capabilities and deniability of involvement in the cyber-attack were it to be discovered.”
But there were other risks, including nation states such as Russia, Iran and North Korea: “Major law firms are particularly exposed because they may be part of the wider supply chains used by nation states.
“The risk may also be greater for law firms that advise particularly sensitive clients, or work in locations that are hostile to the UK.
“State actors, for example from China, have also used cyber techniques against UK institutions for intellectual property theft, which is a further risk for law firms dealing with intellectual property rights.”
The NCSC said it has observed “some growth” in ‘hacktivists’ – hackers motivated by a specific cause – targeting law firms.
“The risk is greatest for those firms acting for organisations at odds with hacktivists’ political, economical or ideological agenda, such as those that engage in work in the life sciences or energy sectors.”
‘Insider threat’ – the deliberate or accidental threat to an organisation’s security from someone who has authorised access such as an employee, volunteer, contractor or supplier – was “particularly vital in the legal sector”, the report went on, “as many members of staff will have levels of access that are potentially of use to criminal groups”.
The report includes guidance and steps to take to combat evolving cyber-security threats.
NCSC chief executive Lindy Cameron said: “Firms are vulnerable in new ways due to changing patterns of work – accelerated in the Covid-19 pandemic – and the increasing sophistication of cyber-attacks.
“Recent examples affecting the legal sector have led to a growing understanding of the problem at the highest levels of corporate governance, and the NCSC welcomes the increased support and investment in cyber-security we’re seeing across the sector.”
Meanwhile, research by encryption company NordLocker has found that, although the law is “one of the most vulnerable sectors to ransomware attacks”, the number of incidents internationally fell from 109 in 2021 to 52 last year.
This accounted for 2.3% of all ransomware attacks across various industries. The largest number of legal sector ransomware attacks occurred in the USA, with 36 attacks, followed by seven in the UK.
Firms with 11-50 employees were the most targeted, experiencing 18 attacks, while those with 51-200 employees faced 15 attacks. Smaller firms, consisting of 2-10 employees, were targeted seven times.
The largest law firm victim last year was the Ince Group – at the time a listed business but recently sold out of administration into private hands. The firm reported that the attack cost it about £5m.
The second-largest affected company was a US-based law firm and NordLocker said “both fell prey to the infamous LockBit ransomware group”.
Smaller legal aid organisations can apply for free support with securing Cyber Essentials certification through the Funded Cyber Essentials programme.