While cyber attacks can hit anywhere, certain industries get more than their fair share of the fire: healthcare, banking, federal agencies, and now more than ever, law firms. So much so that the Solicitors Regulation Authority (SRA) has issued official warnings about cyber threats.
Here’s why, and what you can do about it.
What They’re After
Law firms, potentially, have access to everything cyber criminals may seek:
- Inside advantage—Merger lawyers may have access to insider information, giving criminals an advantage that can make millions.
- Sensitive information—Law offices that deal with businesses sometimes gain access to trade secrets, financial information, or other sensitive information that cyber criminals can use for personal gain.
- Personal information—Beyond just financial details, law offices sometimes have social security information and other data that can be sold on the cyber black market, or manipulated for criminal gain. Real estate law firms and firms connected to the financial sector most frequently see this sort of attack.
- Money—Some attacks are just direct requests to steal money.
- Any old data—You might be surprised what kind of information can make money on the cyber black market, and some threat actors are not discriminatory in that way—they will take whatever they can get their hands on. Law firms have all kinds of data that might be useful to that kind of criminal activity.
How They Go About It
The cyber security threats targeting law firms constantly evolve, and are much more convincing than you might think. Here are some of the common types of cyber threats aimed at law firms.
- Ransomware—Cyber criminals hijack your data for a fee. “Pay the fine to get your files back,” they say, assuming your data is worth more to you than it is to them. They don’t always hold up their end of the bargain, though, and you pay but do not necessarily get your files back.
- Phishing scams—The delivery method for many of these types of attacks. A fake email lures you into downloading ransomware, giving out personal identity information, or handing over credentials.
- Identity theft—Criminals steal information from a law firm, only to use it to fake an identity to get access to other information. You might never know that an identity was stolen.
- Email fraud—If cyber criminals hijack your email they can use it to commit a crime, like so-called “Friday afternoon fraud.”
What You can Do About It
Of course, the first thing every cyber security professional will tell you is to get educated—train yourself and your staff to look for potential security threats, data leaks, and inconsistencies. Preserving the security of information and client trust are always critical in the legal field, and so this is just a new angle.
You can also then warn customers. Standard warnings include stating that you will not change banking information mid-transaction and that you will follow-up requests for funds with a phone call.
Next, make suspicion your default mode. Emails are like postcards—anyone could read them. Encrypt data, suspect data, follow-up with even usual data. Access to cloud storage or email files could mean your firm has been hacked, and you wouldn’t even necessarily know it.
Then, get insured. Ensure that your professional indemnity insurance covers cyber crime, including electronic transfer. Find out exactly what is not covered and train your team accordingly.
Finally, be sure you have a cyber security action plan, including threat mitigation and brand reputation management in the event of an attack. Often, preparation is the best insurance.
For industry-specific insight, contact us for a threat analysis. We will help you get secure and prepared.