Cybersecurity experts say law firms need to act more proactively on cyber risk
Threats such as ransomware attacks are getting more sophisticated, according to SecurityHQ
Law firms need to do more to protect themselves against cyber threats and safeguard against reputational risk, according to cybersecurity provider SecurityHQ.
A 2020 report from the Solicitors Regulation Authority found that 75% of firms in England and Wales have reported being victims of a cyber attack, with almost a quarter of those being directly targeted, resulting in more than £4m of client money being stolen. Half of those firms were found to have allowed unrestricted access to external data storage, the report said.
Over the past five years cyber attacks have evolved and become more sophisticated, meaning law firms need to be more proactive about potential threats rather than being reactive. SecurityHQ’s Eleanor Barlow says that financial gain is the purpose of most attacks in the industry, with the majority of breaches coming from a supply chain attack or ransomware and phishing attacks. Last year, for instance, US firm Campbell Conroy & O’Neil was hit by a ransomware attack that prevented it from accessing client files.
To limit the risk of ransomware attacks, firms should deploy advanced cybersecurity tech that can stop new ransomware strains rather than relying on conventional security tools that can only detect previously known strains.
Phishing attacks, which often precede a ransomware attack, are also on the rise, Barlow says. Phishing attacks are typically directed at the legal sector in the form of corrupt emails that contain malicious links, she says. That means legal practitioners should be wary of attachments sent by unknown or untrusted senders and avoid clicking links that are suspicious.
Supply chain threats for law firms include the exploitation of third-party data stores, case management systems and legal software providers.
Law firms also need to be wary of insider threats, says Barlow. That could mean unintentional breaches by individuals who, due to a lack of training, are unaware that their actions have enabled an attack. It could also be an individual who deliberately leaks information for personal gain.
With all that in mind, firms should put in place advanced detection and response cybersecurity systems to combat breaches and introduce behavioural analytics software to detect if employees are acting unusually, Barlow says.