The Rising Threat of Cyber Attacks on the UK Legal Sector

In a recent report, the National Cyber Security Centre (NCSC) highlighted the alarming vulnerability of the UK legal sector to cyber attacks. This blog post delves into the key findings of the report, shedding light on the reasons behind the sector’s attractiveness to cyber criminals and exploring potential solutions to mitigate the growing risks.

 

Is the legal sector truly a “significant” target?

Legal professionals are acutely aware of client confidentiality, and potential financial and client consequences if sensitive information falls into the wrong hands. The Legal Services Act of 2007, emphasizes the importance of preserving the confidentiality of information. In cybersecurity terms, this means preventing unauthorized access and data breaches.

The NCSC report reveals a staggering statistic: 75% of solicitor firms surveyed by the Solicitors Regulation Authority (SRA) in 2020 had experienced a cyber attack. A similar figure was reported among the Top 100 UK Law Firms, which allocated an average of 0.4% of fee income to cybersecurity in 2022, according to PWC. These numbers remain consistent regardless of the size of the firm, demonstrating the universal vulnerability of the legal sector.

 

Exploring the high numbers

Why is the legal sector targeted? The NCSC report identifies several factors that make legal practices enticing for cyber attackers. Firstly, they handle highly sensitive client information that can be valuable to criminal organizations. Moreover, legal practices frequently handle substantial funds where transactions are often time-sensitive. Any disruption in services could have severe consequences. Additionally, the hourly rate billing structure of legal practices means that any downtime has both operational and financial impact.

However, the primary reason for the legal sector’s susceptibility to cyber attacks is that the importance of a firm’s reputation makes them a target for extortion.

Research consistently demonstrates that robust client data protection leads to stronger customer loyalty. Large firms can demonstrate this through certifications such as ISO27001, while smaller firms can adopt certifications like Cyber Essentials to establish their dedication to safeguarding client information.

 

Emerging factors pushing cybersecurity to the forefront

Lindy Cameron, CEO of the NCSC, suggests that changing work patterns, accelerated by the COVID-19 pandemic, together with the increasing sophistication of cyber attacks have made legal firms vulnerable in new ways.

The legal sector has witnessed widespread adoption of hybrid working, with professionals dividing their time between working from home and the office. This shift has not only boosted productivity and employee satisfaction but is now firmly entrenched in the industry.

Hybrid workers connect to the corporate network using home routers, which poses a significant risk. Connecting from an insecure environment to a highly secure one increases the chances of data breaches and may allow cyber attackers to gain access to the corporate network.

Additionally, partners are increasingly accessing confidential client information outside of the office in ways that rely on external networks, such as hotels, or airports.

The NCSC report identifies an interesting trend: the primary threat to UK legal firms comes not from traditional financially motivated cybercriminals but increasingly from state actors, particularly China, aiming to steal intellectual property.

 

Finding solutions: Safeguarding hybrid working environments

Given that the rise in the risk of data loss is closely attributable to the increase in remote working, addressing this challenge is vital. The NCSC offers guidance on protecting hybrid workers, including recommendations on setting up user accounts, educating users about the importance of VPNs, ensuring regular device software updates, and implementing measures to secure removable media.

Device security, such as antivirus software and firewalls, is crucial in mitigating incoming threats.

However, if data breach prevention is the goal, this requires a deeper focus on monitoring traffic destinations and the means by which data is transmitted. This becomes particularly important when firms outsource services to the cloud, necessitating assurance regarding the data’s route to the provider.

 

In conclusion

The NCSC report has shed light on the urgent need for the legal sector to fortify its cybersecurity defences. As hybrid working becomes the new normal, legal firms must proactively address the growing risks associated with remote access to sensitive data. The importance of robust data security cannot be overstated in an industry where reputation and client trust are paramount.