Manchester: 0161 797 8123

London: 0207 438 2045



Cyber-attacks against law firms are increasing. Is your firm secure?

Cyber-attacks against law firms

Cyber-attacks against law firms are becoming increasingly prevalent, with thousands of attacks occurring daily.

No business of any size can ignore the heavy media coverage of cyber security and the threats that come with it. The latest cyber-attacks making the headlines have typically been against large consumer organisations, such as Tesco, Yahoo and TalkTalk.

However, cyber-attacks against law firms are increasing, and firms are repeatedly targeted because of the vast amounts of money, information and client data that they retain. This is a troubling realisation, considering they are inherently built upon strict confidence and trust from clients. Even taking this into account, many firms do not even know they have been compromised when a cyber-attack takes place. By the time they realise a breach has taken place, significant damage may already have been done, with most then not knowing what to do next.

Cyber-attack statistics

  • There are over 4,000 cyber-attacks every day. That’s 170 attacks every hour, or nearly three attacks every minute.
  • Cyber-attacks against law firms are rising, with 73 of the UK top 100 targeted.
  • Cyber-attacks have grown by more than 60% in the last two years, with the number of top 100 law firms experiencing an attack rising from 45% in 2013/14 to 73% in the most recent financial year.
  • The concentration of cyber-attacks against law firms was highest among larger organisations, with 90% of the top 25 law firms experiencing a threat.
  • 55% of firms targeted by cyber-attacks had been victims of attacks with viruses or other malware, while 16% of those targeted had faced significant attempts to break into their firm’s network.

The logical question to ask about the consequences of a cyber-attack is ‘what is the cost to the business’? According to Ponemon’s Cost of Data Breach Study: Global Analysis, the average consolidated total cost of a data breach in the UK is £2.37 million (a 7% increase in 2013). The study also finds that the average cost incurred for each lost or stolen record increased from £95 to £104.

For large law firms, this would be a major inconvenience; however, they are not the only ones being targeted. Smaller firms are being targeted just as much, as cyber criminals may actually see them as an easier target due to the potential lack of infrastructure to prevent and respond to a cyber-attack. A well-executed cyber-attack could threaten the core of their business from the sheer cost of the attack alone.

Regardless of whether a firm is specialising in a multitude of services on an international scale, or is a boutique firm huddled away in a quiet town, it is just as important that it has cyber security measures installed and its employees educated. Although many are now more than conscious of the importance of cyber security, there are still those that lack a decent understanding of what precautionary measures to take to mitigate risks (and those who are still ignorant of the threats).

Types of cyber-attacks

  • Phishing attacks: This is an attempt to obtain sensitive information or gain access to client funds by masquerading as a trustworthy source via email. These are some of the most common cyber security incidents faced, with 84% of firms falling prey to such an attack.
  • Spear-phishing campaigns: There is also an internal threat, with 41% of law firms suffering a security incident that was caused by staff. Spear-phishing is an email fraud attempt that targets a specific organisation and appears to be from an individual or business that you know. Symantec reported that spear-phishing campaigns targeted against employees increased 55% in 2015.
  • Ransomware: Ransomware increased 35 percent in 2015 as cyber criminals capitalised on the profitability of such an attack. This type of attack targets Macs, PCs and also smartphones, encrypting the devices until a ransom has been paid. Ransomware is typically spread via unsolicited emails and employees clicking on genuine-looking links.
  • Website vulnerabilities:  Symantec reports that there were over one million web attacks each day in 2015. Cyber criminals continue to take advantage of vulnerabilities in legitimate websites to infect users, as website administrators fail to secure their websites. Nearly 75 percent of all legitimate websites have unpatched vulnerabilities.

Reputational Damage

When a cyber security breach takes place, one of the immediate questions asked is the cost implications to the business. This is of course not to be taken lightly, but due to the nature of the work undertaken by law firms, reputational damage needs to be taken just as seriously. Major law firms deal with vast amounts of sensitive data and are entrusted by their clients to keep this confidential and secure. This relationship is a foundation on which the legal profession is built.

A potential breach of this data incurred from a cyber-attack could seriously cripple a firm’s hard-built reputation within the legal industry, something that may not be easy to recover from.

Even with preventative measures in place, breaches can still occur as cyber criminals consistently evolve their attacks. A zero-day attack is a good example of this: it refers to a security hole in software that is unknown to vendors and is exploited by hackers before it is identified and fixed. Symantec reported that in 2015, the number of new zero-day vulnerabilities discovered more than doubled to 54, a 125% increase from the year before.

CYFOR Secure

For over 14 years, CYFOR has been providing a proven solution to identify, secure and prevent a wide range of vulnerabilities. The service runs from an initial consultation to identify your firm’s resilience to a cyber-attack through to protection if an employee steals sensitive company information. A detailed report will provide all recommendations to secure your company, complemented by a guide on how to remediate those risks in the most efficient manner when faced with a data breach.

This service offering is in response to these cyber threats, as we understand that every firm relies on the confidentiality, integrity and availability of its data. Lack of security awareness results in exploitation, loss of revenue and reputational damage. Managing these risks and protecting electronic information should be an integral part of any organisation’s information security policy.

