The UK’s National Cyber Security Centre (NCSC) discovered that cybercriminals stole more than $14 million from clients of law firms between 2016 and 2017. Around 60 percent of legal firms reported an information security incident last year, an increase of almost 20 percent from the previous year, the NCSC discovered.
“Like all businesses, law firms are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity,” Ciaran Martin, CEO of the NCSC, said in the department’s report. “Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also its clients.”
Meanwhile, Christina Blacklaws, president of the Law Society, highlighted the reason for this huge loss, pointing out that law firms are attractive targets because they handle sensitive client information and client monies as part of their daily work.
“In the post-GDPR world and as the sector delivers and transacts more online, it is vital that we get a common view and understanding of cyber threats and their impact,” Computer Weekly reported. “The Law Society sees this report as a positive step to help our members spot vulnerabilities and put relevant safeguards and protections in place.”
The NCSC report said that cybercriminals targeting the UK legal sector are financially motivated. The most significant cyber threats that law firms face are phishing attacks, data breaches and ransomware attacks.
The report also highlighted the issue of supply chain compromises, noting that this kind of attack skyrocketed by 200 percent in 2017.
“A law firm’s supply chain can be compromised in various ways, for example through the exploitation of third-party data stores or software providers,” said the report. “Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.”
The NCSC warned law firms that if they do not appropriately implement security protections when harboring highly sensitive client information, the entire industry could be endangered.
Adam Maskatiya, general manager at Kaspersky Lab, UK & Ireland, said protecting against cyberattacks is especially vital in light of new GDPR laws.
“For any business holding EU citizen data, the GDPR’s [General Data Protection Regulation] requirement for a ‘secure by design’ approach to systems and processes is making cyber security a strategic necessity – something that must be built into all business operations that touch or deal with personal data,” Maskatiya said.
The NCSC’s report was a collaborative effort of GCHQ’s cyber arm, the UK’s legal sector and law enforcement agencies. It aims to enhance the cyber maturity and resilience of law firms and to establish best practices on cybersecurity across the industries.