Cyber Criminals vs UK Law Firms – the Battle Continues

Since the dawn of the digital age, the nature of crime has changed. Cyber-crime might not immediately seem as scary as a break in at home or work, but it is by no means any less sinister and its consequences can be even more far reaching; the new payload is information.

Cyber-criminals are staging dramatic new heists every day. In the UK, law firms are among the top targets for these elaborate cyber-crime schemes because the information these organisations keep is extremely valuable; the cyber-criminal’s golden goose.  While the data that law firms hold is generally first prize, law firms are also regular targets for traditional cyber-robbery due to the cash they often hold in their client accounts so it’s more important than ever before for UK firms to be vigilant.

A 2019 article on cited that “25% of all law firms practising in the United States alone have experienced at least one data breach”. And the UK’s National Cyber Security Centre stated in 2018 that £11 million of client money was stolen from UK law firms due to cyber-crime in 2017-2018.

The most common threats:

Ransomware: This denies users access to a company network or information until a ransom is paid. Alternatively, the proprietors of the malicious software threaten to publish sensitive information unless they are adequately compensated. This is potentially damaging to law firms for obvious reasons.  In 2017, one of the world’s largest and most damaging ransomware attacks hit several global companies including among many others, law firm DLA Piper. The software, dubbed “NotPetya”, originated in Russia and traveled around the world, encrypting company files and demanding large sums in Bitcoin before they were prepared to decrypt them. Even though DLA Piper identified the attack early on in the UK, it could not be prevented from spreading. This was because of DLA Piper’s “flat network structure” throughout all of its global branches. The attack cost DLA a fortune in overtime and lost revenue, and they are still trying to recoup some of the funds in a legal battle with their insurer Hiscox. They have also (at great expense) revised their network structure.

Phishing: Phishing is a common “cyber-con” that tricks users into giving away sensitive information – things like passwords, banking details, crucial identity-related information – or money. Phishing attacks can also be used to spread malware.  DLA Piper were also among many of the top law firms that were hit recently, when several UK firms became the victims of cyber-criminals who posed as their representatives and sent emails to clients. Ortus Group have been told that one of the larger law firm ‘mergers’ in the last decade was because of £2m being duped from a client account and the insurers refusing to pay out because there was no adequate cyber policy.  The emails coaxed recipients into paying funds across to fraudulent accounts. Scammers set up email addresses that appeared to legitimately belong to the firms to make the scam more convincing.

Compromised emails/email fraud: This method is a spin-off or scarier “sequel” to phishing email attacks. In these cases, cyber-criminals intercept emails between law firms and their clients, changing bank details so that the client unknowingly pays the criminal and not the firm.  Alternatively, in a similar technique to the phishing example above, criminals will “spoof” a senior staff member’s email address and send emails to less senior staff members demanding that payment be made to a third party.

What are the consequences of a cyber-attack on a law firm?
When data is breached, the consequences are far-reaching. Leaked confidential client information can adversely affect the outcome of legal disputes. It can also put clients at risk of cyber-attack themselves. Besides the financial damage data breaches can cause, the harm done to a firm’s reputation as a result of compromised client data can be irreparable. And if client data is compromised severely enough, the law firm becomes vulnerable to General Data Protection Regulation (GDPR) violations and lawsuits. Loss of income, public relations disasters, loss of clients and loss of information are all part of the domino effect that cyber-crime can set off.

Who else has been hit?
As a result of their email system being hacked, Anthony Gold Solicitors in London had fraudulent emails sent to approximately 16 000 email addresses on their server, according to an article on Other UK Top 100 firms that have been hit include Clifford Chance, Berwin Leighton Paisner, Nabarro, Dechert, Bird & Bird, Hill Dickinson, Kingsley Napley and Browne Jacobson. Besides that, hundreds of smaller firms all over the UK are being targeted daily. One rescue mandate Ortus Group received recently follows a £700,000 phishing attack on the client account of a sub £1m turnover firm whose future existence is now in jeopardy.  The Solicitors’ Regulation Authority (SRA) has issued many public warnings that UK law firms are being increasingly targeted in cyber-attacks. And all law firms are advised to be mindful of the risks.

Mitigate your risk
Even though law firms tend to revolve around policy and procedure, so many of them don’t have adequate cyber-security policies in place. Begin by consulting cyber-security experts. There are several leading companies in the UK who can assist in getting your firm up-to-scratch with your data protection measures, email security and encryption, cloud and web security and endpoint protection. You can also decrease your risk by fostering a culture of cyber-awareness within your firm, by having the IT team educate staff about risks and preventative measures at regular intervals. Your last, very important stop is cyber insurance. Cyber insurance covers against damages caused by cyber issues including human error, cyber-crime, GDPR violations, loss of income and other risks.

Stay informed
Ortus Group are experts in executive search, mergers and acquisitions, connecting our clients with the best in the Law, Accountancy, and Wealth Management markets. Our team of experts has a wealth of experience that can help guide your firm in the right direction if you’re looking to sell, buy or simply considering change of any kind. We conduct informed searches of the entire market to ensure value for you, your team and your clients. We do the legwork, and produce high quality results that saves you lost billable hours and fees.

Subscribe today for more informative articles like this one, to help protect your company against cyber-risks and more.

Cybersecurity: Law Firm Data Breach come in Different Forms
UK Law Firms Remain In Cyber Criminals’ Cross-hairs
Cyber security advice issued to law firms in first legal threat report
Cyfor cyber-attack blog
Notpetya ransomware article
DLA dispute
Anthony Gold attack