Most incidents of cybercrime suffered by law firms are due to individual errors and misunderstanding rather than systems being hacked, research by the Solicitors Regulation Authority (SRA) has found.
Twenty-three of the 40 firms sampled saw more than £4m stolen – while most of it was repaid by insurers, 18 firms still had to stump up £400,000 of their own money to cover the losses.
Each member of the sample was selected because the SRA had received a substantive cybercrime report about them (30 firms) or their clients (10 firms) in the previous three years.
The review said the figure for the amount of money taken did not take account of the wider cost of such incidents to firms, such as higher insurance premiums, lost time and damage to client relationships.
“The financial impact of a loss of data is more difficult to calculate, but we found these often resulted in indirect financial costs.
“For example, one firm lost around £150,000 worth of billable hours following an attack which crippled their system.
“Firms also reported that attacks were not isolated incidents. Two of the larger firms we visited reported that they were targeted hundreds of times a year, although the vast majority of these attacks were not successful.”
Some 60% of the firms said they felt their biggest potential vulnerability to cybercrime was linked to the knowledge and behaviours of their staff, and the SRA said this reflected its findings that “most incidents occurred due to individual errors and misunderstanding rather than systems being hacked”.
It went on: “Despite this, we still found that only around two-thirds of staff in the firms we visited claimed to be ‘knowledgeable’ about cybersecurity and IT issues, with even some senior figures unable to answer basic questions about cybersecurity terminology.
“For firms, having knowledgeable and empowered staff is the first line of defence against cybercrime. Creating such a culture relies upon having effective policies and controls in place. Of the firms we visited, we concluded that 11 had inadequate policies in place, and 10 had inadequate controls…
“This data suggests a minority of people either knowingly accept poor policies and controls or alternatively overestimated their degree of knowledge.”
Of the firms that lost office or client money, all but one introduced mitigation to prevent a similar event from occurring: for the majority, the cost of the mitigation was less than the initial loss.
Eight firms had never provided specific cybersecurity training to their staff, while more than half of those that did failed to keep records of who had received it.
The firms had firewalls and password protection in place, with 25 of them requiring two-factor authentication when engaging in many day-to-day activities.
All firms undertook some form of data back-up exercise, while 87% were able to show they made active use of anti-virus software.
But the SRA found other commonplace practices which could potentially make a firm’s systems vulnerable: more than half allowed external data sticks to be plugged into their machines, and two firms used an old Windows operating system for which security updates had ceased in 2014, while 16 were using a system for which Windows support was due to end imminently.
Twenty-seven firms had a disaster recovery plan in place, but 15 of them admitted that it was stored on the same system that would be the target of any attack.
Though 19 firms had employed specialists to stress test their systems, 14 had taken no steps to test or audit their processes. “This is a concern,” the SRA said.
Twelve of the firms had specific cybercrime insurance, seven were part of specialist cybersecurity networks/forums and five firms held Cyber Essentials Plus certification, with a further 16 working toward the government-supported scheme.
“We found that firms with Cyber Essentials Plus accreditation were more likely to have good policies and procedures in place and have taken effective steps to protect themselves from future cyber security incidents,” the review said.
Although all the firms had suffered incidents, only 29 reported them to the SRA – seven “significant” incidents were not reported, despite “clear and significant breaches”.
Reports were not routinely made when clients were affected but the firm had not been directly involved, for example, where clients were tricked into sending money to a third party.
The SRA said: “Although reporting where only clients are affected is not a regulatory requirement, we encourage reporting as the information might be useful in helping our wider work to tackle cybercrime and raise awareness of common scams.”
Certain cybercrime incidents involving personal data need to be reported to the Information Commissioner’s Office within 72 hours – what was previously a voluntary requirement is now mandatory.
Nine firms had made a referral following a cyberattack, while a further nine did not report even though it appeared personal data had been accessed.
Twenty-three firms had informed law enforcement following their last cybercrime incident.
The report said: “Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device.
“However, ultimately it is a broader risk than the use and maintenance of technology alone. Firms need to have suitable knowledge and oversight to ensure they maintain a strategic approach to technology and security across the whole firm.”