One thing you can always count on is that criminals keep getting smarter. Regardless of how sophisticated cybersecurity systems get, hackers and cybercriminals will find a way around them. All businesses, including law firms, must constantly monitor their cybersecurity measures to ensure they remain effective.
Do cyber attacks impact law firms?
Law firms are seen as prime targets for ransomware and blackmail attacks due to the highly sensitive client data they hold. Successful cyber security attacks against law firms rose by 77% in the past year to 954, up from 538 the year before, according to a new study reported in the Law Society Gazette.
In January 2024, research published by NetDocuments found human error and insider action were the primary cause of data breaches in the legal sector. David Hansen, VP, Compliance at NetDocuments told Infosecurity Magazine that law firms and legal institutions handle vast amounts of sensitive and confidential information, which puts them at increased risk of cyber attacks.
“But it’s not just external threats like ransomware that law firms need to watch out for,” Mr Hansen went on to say. “Law firms must be vigilant to insider data breaches – whether intentional or accidental. This requires robust cybersecurity measures to govern access to documents, without hampering staff productivity.”
How can a law firm prevent a data breach?
Law firms have a duty under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to protect personal data. If a personal data breach occurs, you must notify the Information Commissioner’s Office (ICO) unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. To comply with Article 33 of the UK GDPR, this must be done without undue delay and, where feasible, within 72 hours of you becoming aware of the breach; if you do not yet have the full picture, Article 33 allows you to provide the information in phases rather than wait. During the initial stages of discovery and mitigation, informing data subjects may not be appropriate because you are unlikely to have all the facts to hand. Where the breach is likely to result in a high risk to the affected individuals, Article 34 of the UK GDPR requires you to tell them without undue delay, and when you do you must be able to provide:
· The name and contact details of your Data Protection Officer (if you have one) or another point of contact where more information can be obtained.
· What type of data was compromised by the breach.
· When the breach occurred.
· The likely consequences of the breach and the measures you have taken, or propose to take, to deal with it.
· What action the data subject should take (if any).
Article 34 stipulates that all the above must be communicated in clear and plain language. Vague statements and uncertainty will result in affected clients rapidly losing trust and patience with your law firm.
What are malware and ransomware attacks?
Malware is malicious software that can damage your IT systems by:
· Rendering a device unusable.
· Stealing or encrypting data.
· Using your device to attack other organisations.
· Harvesting passwords or other data from your device and using them to commit fraud or other crimes.
· Mining cryptocurrency.
Ransomware is a specific type of malware that locks your computer or stops you from accessing stored data. The data contained in the system might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network and disrupt communication systems. This is what happened to the law firm DLA Piper in the June 2017 NotPetya attack: for two days afterwards, telephones and email across the firm, which has about 3,600 lawyers in 40 countries, were completely knocked out.
How can I protect my law firm from a malware or ransomware attack?
To protect your legal organisation, make sure you:
· Back up your data regularly. This is the key to recovering from any type of disaster. When a devastating earthquake struck Christchurch, NZ, in 2011, leaving solicitors based in the central city unable to access their offices, law firms that had backed up their data and stored it in an offsite location were up and running within a day or two. Make sure the devices you use to back up your files are not permanently connected to your network, as attackers deliberately encrypt or delete reachable backups to delay your recovery. And before restoring after an attack, scan your backups for malware: attackers may have been inside your network for some time before the ransomware ran, so the malware or the attackers’ tools may already be present in recent backup sets.
· Set up robust filtering systems that only let in files you expect to receive. Block emails and access to known malicious websites.
· According to the National Cyber Security Centre (NCSC), “Ransomware is increasingly being deployed by attackers who have gained access remotely via exposed services such as Remote Desktop Protocol (RDP), or unpatched remote access devices.” To protect against this, RDP should never be exposed directly to the internet and should be disabled where it is not needed. Where remote access is needed, put it behind a VPN with multi-factor authentication, keep the VPN and remote access devices patched, and ensure the VPN meets NCSC recommendations.
· Adopt a ‘defence in depth’ approach that assumes malware will reach your devices and that you must stop it from running. Centrally manage your law firm’s devices and use application allow-listing so that only trusted applications can run on them. And ensure that all your staff and consultants receive regular cyber security and awareness training.
· Install security updates as soon as they are released, and enable automatic updates for operating systems, applications and firmware.
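The “only let in files you expect to receive” filter in the list above is the one measure here that can be shown concretely in code. The following is an added example written for this article (not a product or vendor’s code, and not part of the original page): it allow-lists the file types a firm expects, verifies the declared type against the file’s leading bytes so an executable renamed to .pdf is rejected, catches double extensions such as invoice.pdf.exe, and looks inside ZIP and Office (OOXML) containers for executables and VBA macros. The file names, the allow-list and the sample attachments are all constructed for illustration.

```python
"""Email attachment allow-list filter (illustrative example, not a mail gateway)."""
import io
import zipfile

# Extensions the firm expects to receive, each with the leading bytes the content must have.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),   # OOXML documents are ZIP containers
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
}

# Extensions that should never arrive by email, alone or inside an archive.
BLOCKED = {"exe", "dll", "scr", "js", "vbs", "ps1", "bat", "cmd", "hta", "lnk",
           "iso", "docm", "xlsm", "pptm"}


def _name_parts(name):
    """Lower-cased dot-separated tokens of the file's base name."""
    return name.lower().rsplit("/", 1)[-1].split(".")


def check_attachment(name, data):
    """Return (allowed, reason) for one attachment given its name and raw bytes."""
    parts = _name_parts(name)
    if len(parts) < 2:
        return False, "no extension"
    # Any blocked token after the base name catches invoice.pdf.exe and invoice.exe.pdf alike.
    for token in parts[1:]:
        if token in BLOCKED:
            return False, f"blocked extension .{token}"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f".{ext} not on allow-list"
    # Declared type must match the content: a renamed executable fails here.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match .{ext}"
    if ext in ("docx", "xlsx", "zip"):
        return _check_container(ext, data)
    return True, "ok"


def _check_container(ext, data):
    """Inspect ZIP-based attachments for blocked members or embedded VBA macros."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, f"corrupt {ext} container"
    for member in zf.namelist():
        member_ext = _name_parts(member)[-1]
        if ext == "zip" and member_ext in BLOCKED:
            return False, f"archive contains blocked .{member_ext}: {member}"
        # A macro-enabled document renamed from .docm to .docx still carries vbaProject.bin.
        if member.lower().endswith("vbaproject.bin"):
            return False, f"{ext} contains VBA macros ({member})"
    return True, "ok"


def _make_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments; none of these are real files.
SAMPLES = {
    "engagement_letter.pdf": b"%PDF-1.7 (constructed)",
    "invoice.pdf.exe": b"MZ\x90\x00",        # double extension
    "scan.pdf": b"MZ\x90\x00",               # executable disguised as a PDF
    "brief.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
    "brief_macro.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "bundle.zip": _make_zip({"notes.txt": b"constructed", "update.scr": b"MZ"}),
}


def filter_mailbox(samples=SAMPLES):
    """Run every sample through the filter; returns {name: (allowed, reason)}."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in filter_mailbox().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name}: {reason}")
```

Two caveats for anyone adapting this: nested archives are not recursed here, so a ZIP inside a ZIP should either be rejected outright or unpacked to a depth limit, and the magic-byte table only proves the file is of the declared container type, not that it is safe, so it complements rather than replaces anti-malware scanning at the mail gateway.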
Finally, ensure your law firm has well-communicated policies and procedures, so everyone knows what to do if an attack occurs. Keep this incident plan updated to incorporate lessons learnt from past breaches and exercises, to reduce the chance of a similar event recurring.
“My message for companies that think they haven’t been attacked is: ‘You’re not looking hard enough’.” - James Snook, former deputy director in the Office for Cyber Security, Government Cabinet Office, London - April 2016
Albion Legal provides a range of added value products and services, from bespoke employment disputes insurance cover to white-labelled HR software. To discuss any points in the above article or to find out how we can help your business, please phone 0113 2471 717 or email our team.