Under Cyberattack: How Can Law Firms Defend Themselves?

We would like to thank our generous sponsors for making this article possible.

Amidst the surge in digitalisation, cybercriminals are mobilising on an industrial scale. 39% of businesses in the UK identified a cyberattack during 2022, with at least one in five (21%) experiencing a sophisticated attack such as ransomware or malware. Hackers have more opportunities than ever at their fingertips, meaning that an attack is no longer a case of ‘if’, but ‘when’. What’s more, given that law firms have access to valuable transactions and data, the legal sector is a lucrative target.

Taking aim: Why do cybercriminals have law firms in their sights?

Law firms are the linchpins of business and commercial transactions. They enable high value deals, handle significant sums of money and store huge quantities of confidential client data. As a result, they offer an attractive opportunity to cybercriminals looking to either steal these assets, or use them to extort the firm. This is confirmed by the volume of attacks experienced by solicitors; 75% of firms interviewed by the Solicitors Regulation Authority (SRA) had been the subject of a cyberattack.

The dramatic uptick in remote working and the increased use of processes such as eDiscovery¹ for litigation mean that more information than ever before can be accessed digitally – leaving firms especially vulnerable to attack. As a result, there is no room for complacency: the question should be less about whether your law firm will be attacked, and more about whether you will be prepared when it does.

Understanding the threat: Which kind of attacks are law firms most exposed to?

The most common cyberthreat facing law firms is phishing, or the practice of sending emails or messages to manipulate users into revealing sensitive information. In 2020, 83% of attacks on businesses were deployed via phishing techniques, with just under half (48%) reporting that phishing was the sole form of cyberattack they had experienced.  

While some examples of phishing or social engineering can be easy to identify, with spelling errors, requests for payment via links, incorrect company logos and anonymous or unknown senders all pointing towards the likelihood of a phishing attempt, techniques have become more advanced. The use of ‘spear phishing’ – a more targeted attempt which uses specific or personal information of interest to the target – means that the cybercriminal’s fraudulent email can be well informed and look indistinguishable to the real thing.

Law firms should also be conscious of other cyberthreats such as ‘man-in-the-middle’ attacks, which can be used to misdirect funds, and SQL injections (the insertion of malicious code into the target’s system, application or website). Malware and ransomware also represent risks to the legal sector, especially since the latter is designed to block access to vital systems and services, such as client databases and sensitive documents. Ransomware attacks are gathering speed, with the number of incidents reported to the Information Commissioner’s Office (ICO), doubling between 2020 and 2021.

Finally, cybercriminals rely on us to make mistakes. According to the World Economic Forum, 95% of cybersecurity issues can be traced back to human error (PDF, 5.6MB) – from clicking a fraudulent link to using an easy-to-decipher password or simply sending an email to an unintended recipient. Effective cybersecurity requires everyone in an organisation to understand the risks and take active steps to mitigate them.

Assessing the damage: What are the financial risks to law firms?

When a cybercriminal strikes, the cost – both financially and in terms of resources – can extend far beyond the attack. Directly, there is the cost of the attack itself, which could come either in the form of the funds stolen from the firm, or in the money (often in the form of cryptocurrency) demanded by the cybercriminals via blackmail. 

However there is also the aftermath to consider, in terms of the cost of complying with UK GDPR regulations. In the event of an attack that leads to a data breach, the firm must inform the ICO within 72 hours and notify any affected individual of the loss of their data, which can be expensive both in terms of time and the required expertise.

On another level, there are also the costs incurred as a result of the disruption caused to consider, particularly in the event of a ransomware attack during which all files will be encrypted and systems rendered useless. According to the SRA, one firm lost £150,000 worth of billable hours as a result of an attack which crippled their system and resulted in their solicitors being unable to do their jobs.

The financial repercussions of a cyberattack can also occur on a long-term basis in the form of reputational damages. The loss of clients’ trust can devastate a business such as a law firm, whose core proposition is dependent on reliability, responsibility and security.

Finally, although the attack is digital, the effects can be very much human. Firms interviewed by the SRA confirmed that cyberattacks caused life-changing repercussions including an increased level of stress and debilitating anxiety among staff, impacts on employee’s ability to retire, and firings and demotions.

Locked out

In 2021, a solicitors practice based in London discovered that their system had been subject to a ransomware attack and they had been locked out of all of their client and case information. The firm also found a note on their system alleging that their data had already been stolen. 

The firm’s cyber insurance providers advised them to both appoint an IT forensic firm to recover the affected systems and retain a law firm to assist with notifying the ICO of the breach, given there was a risk to employees and clients.

Initially the firm tried to obtain backups of their client files, however this process required significant time and the involvement of the developers of the case management system. The firm had already experienced disruption and reputational damage and couldn’t afford to wait. With no other option and assisted by the forensic firm, they commenced ransom negotiations.

The firm’s insurance claim totalled £150,000, which covered the cost of the legal and forensic IT consultancy (£50,000) in addition to the cost of the reputational damages and business disruption.

Triple threat: In some cases, even if companies pay the ransom, the attackers might employ Triple Ransom Extortion, in which they ask the firm to pay again and threaten them with the prospect of uploading the data on a website such as WikiLeaks. They might even then be asked to pay the ransom a third time, else the data will be released to the media. Any recovered data needs to be forensically cleansed and can’t simply be restored.

Before paying the ransom, the affected law firm should also work with experts to verify that the attackers aren’t representing a terrorist organisation. The National Cyber Security Centre offers more advice and guidance on this topic.

“Threat-actors arbitrarily attack organisations and activity has only proliferated owing to the increased surface-attack area amid remote working, and the increased cross-pollination of supply chains. Coupled with a greater dependency on outsourced IT vendors and an ever-increasing move to public cloud platforms, this presents greater opportunities for the exploit of personal data or the infiltration of funds; stored, transferred or held in escrow. It is not a matter of if, but when, for organisations of any operation or size.”

Simon Brookes, Managing Director, Financial and Professional Risks, AJ Gallagher

Building the shield: How to develop a cyberdefence strategy

Just as you’d use a number of different security measures to keep your physical premises safe – from multiple locks to alarms and security cameras – the same should be true when it comes to defending your business online.

Here are seven tips to ensure that your firm is prepared in the event of an attack:

Plan for action: Develop a cyberattack incident management strategy. Identify the company’s critical information, assets and services and understand where they are stored. Select key individuals who will take charge when an incident occurs, which actions should take place to manage the event, and note the details of IT vendors and cyber liability insurance policies. Currently, just 19% of businesses have a formal incident response plan, while 39% have assigned roles in the event of a crisis. 

Go offline: Keep a hard copy of the strategy so that if the firm’s system is locked as a result of a ransomware attack, the information is still accessible.

Brick by brick: You can consult the step-by-step guidance offered in Lloyds Bank’s Cyber Guidance (PDF, 5.1MB) brochure. For a more comprehensive view, we strongly recommend that you consider becoming certified through the government’s Cyber Essentials scheme.

Knowledge is power: Mitigate the risk of human error by training all colleagues on topics including how to spot phishing emails through tests or simulations, how to set up secure passwords, and how to safeguard client data, as well the processes to be followed when transferring sums of money.

Duplicate and defend: Backup all files offline regularly (not connected to your network) to minimise disruption and loss in the event of a data breach or ransomware attack. These should be kept offline also to avoid threat actors compromising these also – leaving the firm with no viable backups with which to restore systems from.

Gain peace of mind: Given that 31% of UK businesses experienced a cyberattack at least once a week during 2022, law firms cannot afford to be unprepared. Lloyds Bank offers bespoke cyber liability insurance2 through our partner, AJ Gallagher, which can include a review of your exposure to cyber liabilities, help with developing cyber risk management procedures, and recommendations of firms to help you respond to an attack.

Maintain operations: It’s estimated that in 2022, the average estimated cost of each cyberattack was £4,200, rising to £19,400 when looking exclusively at medium and large businesses. If unprepared, the financial ramifications of a cyberattack can choke a business’ cashflow, leaving the business itself in jeopardy. Explore working capital solutions available through Lloyds Bank to ensure that your firm can still operate if cybercriminals strike.

Where to go from here:

In addition to the above, consider the questions expressed in our Cyber Risk Guidance (PDF, 5.1MB), such as:

• Who might want to attack your firm, and what might the impact of a successful attack be?
• Do you have a risk appetite for different types of cyber events impacting your businesses?
• Do you know where your business is vulnerable and how you can resolve this?
• Have you risk assessed how well your critical assets are protected?
• Do you have a process to regularly review key information, data assets, and the cyber threat to your business?

As digital transformation surges, cyberattacks on businesses – especially in the legal sector – have become inevitable. Lloyds Bank is here to support you as you develop your cybersecurity strategy, so speak to your Relationship Manager for more information on how we can play a role in defending your firm.

¹ eDiscovery is a process that enables solicitors to identify and supply digital information that can be used as evidence.

² Lloyds Bank plc is an introducer to Arthur J. Gallagher Insurance Brokers Limited who arrange and administer Lloyds Bank Business Insurance Services and source products from a panel of insurers.

Originally published at: Lloyds Bank