Law firm employee passwords “widely available” on Dark Web


Cyber security: Law firms exposed

Almost three-quarters of UK law firms have at least one employee password leaked into publicly available sources, the largest study of its kind has found.

Of the 5,140 firms audited, 72% had one or more instances of employee username and password combinations evident in lists circulating on the Dark Web, which cybercriminals could use to enter a firm’s IT system.

In total, researchers found just over a million passwords relating to firms in the study, an average of 195 password combinations per firm.

IT services company Atlas Cloud conducted non-intrusive cyber security audits, meaning there was no attempts at hacking.

It found further cyber-threats, with DMARC, a key protective factor that stops criminals from hijacking corporate domains, implemented by only 46% of firms – a hijacked domain would allow a criminal to send emails that appear to come directly from the firm.

More than half (54%) of firm’s ‘digital attack profiles’ were large, but few of these were actually large firms, as they had better protections in place.

Pete Watson, chief executive of Atlas Cloud, commented: “When it comes to cyber security, being a mile wide and an inch deep doesn’t do you any good. If the majority of big firms can operate a small attack profile, any firm can.”

One in seven firms had the government’s Cyber Essentials certificate, covering a range of defence mechanisms. This is recommended as part of Lexcel accreditation and is required for all public sector case work.

At least 53% of firms had adopted specialised phishing protection technologies that filter out emails suspected as impersonation, a tactic that standard ‘spam’ filters aren’t able to recognise.

Mr Watson added: “The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm. You can minimise this risk by applying multi-factor authentication on your systems, which adds an additional one-time authentication token, but criminals have been known to find ways around this too.

“It’s circumvented by tricking users to do something. That means the only true way to eliminate this threat is ensuring everyone representing your firm has a strong awareness of the tactics criminals are using today.”




Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog


Taking a compliance-driven approach to enhance PII renewal

Adopting a compliance-driven approach can significantly streamline and improve the professional indemnity insurance renewal process, as firms now begin to look forward to 2025.


Compliance in the age of technology

Does keeping up with best practice for your law firm in compliance, finance and risk management keep you awake at night? If so, you are not alone.


Continuing competence still in the SRA’s headlights

The SRA’s second annual assessment of continuing competence leaves lawyers and COLPs in little doubt that the regulatory spotlight is still firmly on whether skills and knowledge are being maintained.


Loading animation