Legal Industry Sector-Specific Considerations
Updated by Sally Robinson
Challenges
- Reputation is critical to the business of law, which makes legal practices attractive targets for extortion.
- MFA is more time-consuming.
UK Government NCSC comments:
- Confidentiality: Entrusting law firms to safeguard highly confidential, commercially sensitive, and often personal information makes them prime targets for cyber criminals and other attackers. The results of accidental internal data breaches can be equally challenging.
- Integrity: Law firms routinely handle highly sensitive client information that may be valuable to criminal organisations with an interest in exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.
- Availability: Disruption to routine business operations can be costly to legal practices, both in terms of billable hours lost due to outages and costs to clients that depend upon them, making legal practices particularly of interest to ransomware gangs aiming to extort money in return for restoration of IT services.
- In many areas, from mergers and acquisitions to conveyancing, legal practices handle significant funds. The time pressures associated with transactions (as well as the large numbers of suppliers and clients and complex payrolls that law firms handle) create attractive conditions for phishing attacks and business email compromise.
- Many legal practices, especially smaller firms, chambers and individual practitioners, rely on an external IT services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face.
- A small law firm with few resources could be devastated if caught up in (for example) a ransomware attack. They are more vulnerable to attack, perhaps via unpatched vulnerabilities on unmanaged devices, or due to untrained staff or poorly offboarded leavers. Once attacked, a relatively small financial or reputational loss may be disastrous.
Cyber attacks
- The Solicitors Regulation Authority (SRA) reported in 2020 that 75% of the solicitors' firms they visited for their cyber security thematic review had been the target of a cyber-attack in the past.
- The SRA reports that 18 law firms were the victims of ransomware attacks in 2021.
- Nearly 75% of the UK’s top 100 law firms have been affected by cyber attacks, and for smaller firms that have little or no dedicated cyber security and IT support, the risk of incidents like ransomware attacks is on the increase.
- NCSC Report: https://www.ncsc.gov.uk/files/Cyber-Threat-Report_UK-Legal-Sector.pdf