The vast majority of major law firms still have significant unaddressed cyber-risk, despite repeated urging by regulators, insurers and others to shore up their defences, according to new research.
It found larger law firms especially prone to hackers taking over their website addresses to perpetrate spoofing scams, employing vulnerable servers, and using out-of-date software or invalid security certificates.
The study was conducted by tax, advisory and risk firm Crowe, in conjunction with the University of Portsmouth’s Centre for Counter Fraud Studies.
It is just the latest warning of law firms being targeted by criminals; the Solicitors Regulation Authority revealed a fortnight ago that its study of 40 law firms which suffered a cyber-attack over the past three years found that more than £4m of client money was stolen from 23 of them.
Using KYND’s anti-cyber attack technology, the researchers examined the cyber-exposure of some 200 firms, chosen for their high turnover.
Overall more than 90% of them (182 firms) were found to be “wide open to having their domains spoofed and used to send spam, phishing or otherwise fraudulent emails either internally or externally”.
Every single firm with a turnover between £1m and £10m was at risk of their website addresses being spoofed.
Further, around eight out of ten of the 200 firms were running services publicly known to be vulnerable to hackers and a similar number had at least one domain registered to a personal or individual email address, which the research said represented “a significant threat to business continuity and domain ownership”.
The research said firms could reduce the risk of email spoofing by creating a sender policy framework and a domain record to closely monitor emails being sent on behalf of the firm. These reports could alert recipients to illegitimate emails.
Out-of-date software could be identified through a register of all software used by the firm. A similar review procedure could be used to keep watch on the expiry dates of security certificates – which browsers use to create secure communications channels.
Domain names should be registered with generic firm email addresses such as firstname.lastname@example.org. Two-factor authentication, such as a code texted to a mobile phone, should be used when offered by domain registrars.
However, there was no substitute for independent verification of a firm’s security posture, which should be obtained from outside experts “irrespective of the technical capacity of a law firm’s IT team”, the study advised.
Jim Gee, partner and head of Crowe’s forensics and counter fraud services, said: “It is clear that there is an epidemic of fraud and cybercrime in the UK, and this research proves that law firms are, perhaps surprisingly, still seriously exposed.
“For an industry that is so closely associated with diligence and detail, the results are likely to come as a shock.
“Firms would do well to review their resilience. Cyber-criminals need only a sliver of vulnerability to fraudulently gain access to valuable and sensitive data; are the UK’s law firms leaving the door open?”
His colleague Louis Baker, partner and head of professional practices, noted that the top 200 law firms were likely to have substantial budgets to build cyber resilience.
“Therefore, the likelihood of smaller firms not included in this study being vulnerable to unaddressed threats is significant and should be seriously considered by their management.
“Irrespective of size or location, law firms attract cyber-criminals due to the large amounts of client money, data and sensitive information they hold.”