Law firms are familiar with the risks that cyber attacks pose to their businesses and the reasons that lie behind those attacks.
As a profession we handle large amounts of client money and data which means that law firms represent an attractive target for threat actors. We also have 'credibility'. We are trusted advisers and so, when our email accounts are compromised, the recipients of fraudulent emails are more likely to be tricked into, for example, sending payments to bank accounts that have been created by the criminals to divert funds.
The Solicitors Regulation Authority and the Law Society have led attempts to educate the profession in relation to this key risk and have been supported by, among others, law firms' professional indemnity and cyber insurers.
The cost of successful attacks is high not simply in financial but also in reputational terms. In the years that followed the pandemic, the available statistics appeared to demonstrate that the work done by firms to minimise and protect against this risk may have been starting to pay dividends. Unfortunately, that trend has not continued and recent studies suggest that successful attacks on law firms have risen by as much as 77% in the past year.
What has led to this increase?
Global and geo-political unrest has contributed, as has an increasing reliance on outsourced IT services. Thankfully, we have not seen a repetition of a malicious incident on the scale of the 2017 NotPetya attack, but the July 2024 CrowdStrike outage, caused by a faulty update rather than an attack, demonstrated how dependent we all are on technology and how a single flawed update can have global consequences.
In addition, while threat actors continue to deploy already tried and tested methods to infiltrate law firms' systems, they are also finding new ways to impact our business.
We are continuing to see problems arising as a result of business email compromise (BEC), in which an email account is taken over and messages are sent from it providing new bank account details so that funds are diverted to the fraudster's account. Mailbox rules are often added to the compromised account to forward copies of email to the attackers and to delete, or file away out of sight, incoming replies so that the genuine owner of the mailbox never sees them.
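The mailbox rules described above leave a recognisable pattern: forwarding to an address outside the firm, filtering on words such as "invoice" or "payment", and deleting or filing matches into folders nobody reads. As an added example (not code from the article), the Python below scores a list of inbox rules for those traits. The rule records and the firm's domain are constructed for this illustration; the field names are modelled on what an Exchange Online inbox-rule export contains but are an assumption, so map them to whatever your export actually produces.

```python
"""Flag mailbox rules that show the traits of BEC tradecraft.

Added illustration, not the article's code. The rule records below are
constructed; the field names (forward_to, delete_message, move_to_folder,
subject_contains, mark_as_read) are assumed to mirror an Exchange inbox-rule
export and should be mapped to your own tooling's output.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"examplefirm.co.uk"}  # assumption: the firm's own mail domains
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance", "wire", "completion"}
# Folders attackers commonly file mail into because users rarely open them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str | None = None
    subject_contains: list[str] = field(default_factory=list)
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    """True if the address's domain is not one of the firm's own."""
    return address.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS


def rule_findings(rule: InboxRule) -> list[str]:
    """Return the reasons this rule looks like BEC tradecraft (empty if none)."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        findings.append("forwards or redirects mail to external address(es): " + ", ".join(external))
    hides = bool(rule.move_to_folder) and rule.move_to_folder.lower() in HIDING_FOLDERS
    payment_related = any(w in kw.lower() for kw in rule.subject_contains for w in PAYMENT_WORDS)
    if payment_related:
        if rule.delete_message:
            findings.append("deletes messages whose subject mentions payment terms")
        if hides:
            findings.append(f"files payment-related messages into '{rule.move_to_folder}'")
        if rule.mark_as_read:
            findings.append("marks payment-related messages as read before the user sees them")
    elif not rule.subject_contains and (rule.delete_message or hides):
        findings.append("deletes or hides all incoming mail with no subject filter")
    if rule.name.strip() in {"", ".", "..", "..."}:
        findings.append("non-descriptive rule name (commonly seen on attacker-created rules)")
    return findings


def scan(rules: list[InboxRule]) -> list[tuple[str, list[str]]]:
    """Return (rule name, findings) for every rule that has at least one finding."""
    flagged = []
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            flagged.append((rule.name, findings))
    return flagged


# Constructed sample: one benign rule and two of the kind BEC actors create.
SAMPLE_RULES = [
    InboxRule("p.jones@examplefirm.co.uk", "Newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("p.jones@examplefirm.co.uk", ".",
              forward_to=["p.jones.backup@example-mail.net"],
              subject_contains=["invoice", "payment", "bank details"],
              move_to_folder="RSS Subscriptions", mark_as_read=True),
    InboxRule("a.khan@examplefirm.co.uk", "Tidy up",
              delete_message=True, subject_contains=["completion statement"]),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for f in findings:
            print("  -", f)
```

Run this against a periodic export of every mailbox's rules rather than waiting for a user to report a missing reply; a forwarding rule to an external address is worth an alert on its own, regardless of the other traits.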
One variation of this problem that we have seen is hackers registering email addresses or domains so similar to the genuine one that they are easily mistaken for it, for example jsmith@gmail.com becomes jsnith@gmail.com.
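A lookalike address such as the one above is designed to pass a glance, so the check needs to be mechanical: compare each new sender against the contacts already on the matter, after collapsing the character pairs that render alike ("rn" for "m", "vv" for "w", "0" for "o", "1" for "l") and allowing a small edit distance. As an added example (not code from the article), the Python below classifies senders as known, lookalike or unknown against a constructed contact list; the thresholds and the list of confusable sequences are heuristics chosen for this illustration, not a standard.

```python
"""Classify a sender address as known, lookalike or unknown.

Added illustration, not the article's code. Contacts, sample senders and the
confusable-character list are constructed for this example; the edit-distance
thresholds are a heuristic.
"""
from __future__ import annotations

# Character sequences that look alike in common fonts; applied to both sides.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(s: str) -> str:
    """Lower-case and collapse confusable sequences so visual twins compare equal."""
    s = s.lower()
    for visual, canonical in CONFUSABLES:
        s = s.replace(visual, canonical)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def threshold(reference: str) -> int:
    """Heuristic: allow one edit for short strings, two for longer ones."""
    return 1 if len(reference) <= 8 else 2


def split(address: str) -> tuple[str, str]:
    local, _, domain = address.lower().partition("@")
    return local, domain


def classify(sender: str, contacts: list[str]) -> tuple[str, str | None]:
    """Return ('known'|'lookalike'|'unknown', matched contact or None)."""
    s_local, s_domain = split(sender)
    for contact in contacts:
        c_local, c_domain = split(contact)
        if (s_local, s_domain) == (c_local, c_domain):
            return "known", contact
    for contact in contacts:
        c_local, c_domain = split(contact)
        # Visually identical after collapsing confusables, but not byte-identical.
        if normalise(sender) == normalise(contact):
            return "lookalike", contact
        # Same domain, local part a typo away (jsmith vs jsnith).
        if s_domain == c_domain and edit_distance(s_local, c_local) <= threshold(c_local):
            return "lookalike", contact
        # Same local part, domain a typo away (gmail.com vs gmail.co).
        if s_local == c_local and edit_distance(s_domain, c_domain) <= threshold(c_domain):
            return "lookalike", contact
    return "unknown", None


def sweep(senders: list[str], contacts: list[str]) -> list[tuple[str, str]]:
    """Classify every sender; returns (sender, verdict) pairs."""
    return [(s, classify(s, contacts)[0]) for s in senders]


# Constructed contact list for a matter and a set of incoming senders.
CONTACTS = ["jsmith@gmail.com", "conveyancing@examplefirm.co.uk"]
SENDERS = [
    "jsmith@gmail.com",                 # genuine
    "jsnith@gmail.com",                 # the article's one-letter swap
    "jsrnith@gmail.com",                # 'rn' standing in for 'm'
    "jsmith@gmail.co",                  # domain one character short
    "conveyancing@exarnplefirm.co.uk",  # lookalike of the firm's own domain
    "accounts@other-firm.org",          # simply unknown
]

if __name__ == "__main__":
    for sender, verdict in sweep(SENDERS, CONTACTS):
        print(f"{verdict:9s} {sender}")
```

A "lookalike" verdict is the cue to phone the client on a number already held on file before acting on anything in the message, which is the control that actually stops the diverted payment.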
We are concerned, however, about the apparent increase in these attacks and the growing ability of threat actors to circumvent the multi-factor authentication (MFA) that firms put in place as protection against these risks, typically by phishing the login through an adversary-in-the-middle proxy that captures the authenticated session, or by bombarding the user with push prompts until one is approved. Phishing-resistant methods such as FIDO2 security keys are designed to withstand those techniques; codes sent by text message or app are not.
We have also seen an increase in ransomware attacks where firms are locked out of their systems and the incidence of malware.
Last year, for example, an attack on CTS, a managed services provider to law firms, impacted a significant number of legal practices, locking them out of their case management systems and preventing them from using telephone and email systems. This again emphasises the importance of rigorous scrutiny of law firm supply chains.
What does the future hold?
Ransom-seeking hackers are becoming more aggressive and sophisticated, using social media to research their intended victims and using the information to threaten their families if ransoms are not paid.
We predict that advances in AI will enable hackers to craft even more plausible phishing emails. They are also already using voice-cloning software to mimic a person's speech from samples of genuine recorded conversations. The speed at which this threat is developing means that we should all be focusing on this issue and monitoring developments and emerging risks to our businesses.
How can law firms guard against these risks?
Identifying the threat is the first step towards mitigating potential risks and there are a number of measures that law firms can adopt or build on to try to increase protection.
Central to all risk management is our people, and comprehensive compulsory training together with regular monitoring is key to this. Our people are our greatest asset but they can also be our greatest risk. If a problem arises, firms must be able to demonstrate that they genuinely operate a 'no blame culture' so that problems are reported rather than buried. It is always important to act quickly in the event of any compromise, and firms that respond to attacks efficiently achieve better outcomes, including from a reputational perspective.
Defend your systems so that frauds cannot start with your firm. Technical defences such as multi-factor authentication, the blocking of suspicious emails and the prompt application of security patches to software are all critical and achievable measures that every law firm can put in place.
In addition, firms could consider keeping copies of documents in separate locations rather than in a single central store, including backups that cannot be altered from the live network, so that a ransomware attack does not encrypt every copy at once. Firms could also explore cloud-based systems, which some commentators regard as a more secure place to hold sensitive information, bearing in mind that the firm remains responsible for configuring them and controlling who can access them.
Lastly, if things do go wrong, ensure that you have a well-developed business continuity plan that will support your response to the incident. Businesses that plan for what to do when an incident occurs recover faster and spend less, according to the ICO.
Clare Hughes-Williams and Justin Tivey are partners at international law firm DAC Beachcroft