NCSC Warn Law Firms of Increasing Cyber Threat
Citing the widespread transition to hybrid and remote working, and the high-value financial transactions that law firms manage, the NCSC (National Cyber Security Centre) has recently issued a cyber security warning to law practices of all sizes.
Both factors make the legal sector a particularly attractive target for malicious actors. Many firms also handle sensitive information, such as details of ongoing criminal cases or of mergers and acquisitions, which makes them even more valuable targets. Legal professionals who now work remotely, a trend accelerated by the Covid-19 pandemic, are especially exposed to attackers looking for weaknesses in their security set-up when they work outside the office.
A common phishing tactic involves attackers monitoring LinkedIn to identify new joiners to an organisation and then sending a scam email to the HR department. The email asks HR to change the payroll account details for the new joiner to a fake account so that the attacker receives the salary payments.
A BEC (Business Email Compromise) attack is another form of phishing, in which a senior executive is tricked into transferring funds or revealing sensitive information. Law firms routinely transfer large sums and are generally seen as trustworthy and authoritative, two qualities that attackers can exploit when devising a phishing attack.
Many law firms are attracting additional attention from potential attackers because of their connections with the supply chains of adversarial nations. Malicious actors from countries including Russia, Iran, China and North Korea are known to use malware to extract money and disrupt business operations, costing firms billable hours lost to outages and costing the clients that depend on them. Nation states also use cyber attacks to further their own agendas.
Attackers know that reputation is an especially critical element of the business of law. So-called "hackers for hire", who carry out cyber attacks for third-party clients in return for commissions, are becoming increasingly prevalent. Often these attacks use off-the-shelf services that require little technical knowledge. The sensitive data they steal, such as intellectual property, is often used to gain an advantage in legal disputes or business deals.
Many firms (especially smaller ones) outsource the management of their IT systems and data to specialised IT and data support providers. This can expose law firms to a successful and costly third-party supply chain attack and data breach.
The NCSC has also seen growth in "hacktivists" (hackers motivated by a specific cause) targeting law firms that represent organisations they oppose on political, economic or ideological grounds. Examples include firms acting for clients in the energy sector and life sciences.
Insider threats also remain a significant concern: many members of staff have levels of access that are potentially useful to criminal groups and can easily share that access if they hold a grievance. Untrained staff can also be considered an insider threat, as can unfriendly processes that frustrate staff and encourage them to cut corners. This is why managing the security of all staff is very important for any legal firm.
IMPROVING YOUR CYBER SECURITY
Law firms of all sizes should take steps to strengthen their cyber security and resilience to attack.
There are some simple questions you can ask yourself when thinking about your cyber security:
Do you know:
· What data you have?
· Where it is stored?
· How it is used?
· Who has access to it?
CYBER SECURITY RISK MANAGEMENT ADVICE
Understand Your Organisation's Risks
· Risk management - Take a risk-based approach to securing your data and systems.
· Vulnerability management - Keep your systems protected throughout their lifecycle.
· Identity and access management - Control who and what can access your systems and data.
· Supply chain security - Collaborate with your suppliers and partners to secure the services you depend on.
Implement Appropriate Mitigation
· Asset management - Know what data and systems you have and what business need they support.
· Architecture and configuration - Design, build, maintain and manage systems securely.
· Data security - Protect data where it is vulnerable.
· Logging and monitoring - Design your systems to be able to detect and investigate incidents.
Prepare for Cyber Incidents
· Engagement and training - Collaboratively build security that works for people in your organisation and test their awareness and reaction to attack.
· Third-party verification - Have an independent third party verify that the technology, systems and information in your organisation are appropriately protected against the majority of cyber attacks, so that your organisation can best deliver its business objectives.
PureCyber – Cyber Experts for the Legal Sector
PureCyber are the Cyber Essentials delivery partner for The Law Society in Wales and are currently supporting over 100 law firms to become Cyber Essentials (CE) and CE Plus certified through a Welsh Government funded scheme.
The expert team at PureCyber also act as the outsourced cyber security team for many law firms across the UK through their Cyber Security Subscription services.
PureCyber are your complete cyber security solution.
To find out more, contact us or see https://purecyber.com/law