Law firms face increasing cyber attacks in 2016

law society of ireland

The start of summer 2016 has seen a sizeable increase in recorded attacks on legal firms in Ireland, as reported by RTE news on 5th June 2016. Over a dozen firms have recently suffered ransomware attacks.

Why is the legal sector a prime target?
The legal sector is a prime target for cyber criminals for two reasons: the sensitivity and volume of private client data held on their computer systems, and the large sums of money solicitors hold in their client accounts on any given day.

What are common ways for ransomware attacks to take place?
Computer systems are most often compromised by ransomware through email or a web browser. A user might open an attachment or link in what looks to them like an innocuous email; the malware it drops then encrypts files not just on that machine but on every network share the user's account can write to. The message that follows (which can be remarkably polite) warns that payment is required by a given deadline or the files will be destroyed. Victims will often see a timer ratchet as well, whereby any delay in settling increases the sum demanded. The warning is stark and often along the lines of: “Any attempt to damage or remove this software will lead to the immediate destruction of the private key to your server.”
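The behaviour described above (one compromised account rewriting many files across a share in a short burst) is what a file-server monitor can key on. The following is an added example, not code from the original article or from any vendor it names: a small Python detector run over a constructed file-event log. The share paths, user names, thresholds and the canary ("honeyfile") path are all assumptions for illustration.

```python
"""Behavioural ransomware detection over a constructed file-server event log.

Three signals, any of which raises an alert for a user:
  * many renames to an unknown extension inside a sliding window,
  * a burst of writes whose contents look like ciphertext (high byte entropy),
  * any touch of a canary file that no legitimate process ever writes to.
All paths, users and thresholds here are constructed examples.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed canary path: planted on the share, never opened by real users.
CANARY_PATHS = {r"\\fileserver\clients\000_canary_do_not_open.docx"}
# Assumed set of extensions normally seen on this share.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "msg", "jpg"}


@dataclass
class FileEvent:
    ts: float          # seconds since some epoch
    user: str          # account performing the action
    action: str        # "write" or "rename"
    path: str          # path written, or the new path after a rename
    data: bytes = b""  # bytes written (only meaningful for "write")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, office text well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def unknown_extension(path: str) -> bool:
    """True when the file name's extension is not one normally seen on the share."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTENSIONS


def detect(events, window=60.0, threshold=20, entropy_floor=7.5):
    """Return {user: [reasons]} for users whose activity looks like ransomware.

    A sliding window of `window` seconds is slid over each user's events;
    `threshold` suspicious renames or high-entropy writes inside one window
    is enough to alert. Canary touches alert immediately.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        reasons = set()
        start = 0
        for end, ev in enumerate(evs):
            if ev.path in CANARY_PATHS:
                reasons.add("canary file touched")
            while ev.ts - evs[start].ts > window:      # shrink window from the left
                start += 1
            win = evs[start:end + 1]
            renames = sum(1 for e in win
                          if e.action == "rename" and unknown_extension(e.path))
            encrypted = sum(1 for e in win
                            if e.action == "write" and shannon_entropy(e.data) >= entropy_floor)
            if renames >= threshold:
                reasons.add("mass rename to unknown extension")
            if encrypted >= threshold:
                reasons.add("burst of high-entropy writes")
        if reasons:
            alerts[user] = sorted(reasons)
    return alerts


def sample_events():
    """Constructed log: alice saves a few letters; bob's machine encrypts a client folder."""
    rng = random.Random(7)   # fixed seed so the sample is reproducible
    events = []
    for i in range(5):       # alice: one document save every five minutes
        events.append(FileEvent(100 + 300 * i, "alice", "write",
                                rf"\\fileserver\clients\smith\letter{i}.docx",
                                b"Dear Mr Smith, further to our meeting " * 40))
    for i in range(25):      # bob: 25 files overwritten with ciphertext and renamed in 25 seconds
        cipher = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(FileEvent(500 + i, "bob", "write",
                                rf"\\fileserver\clients\jones\doc{i}.pdf", cipher))
        events.append(FileEvent(500.5 + i, "bob", "rename",
                                rf"\\fileserver\clients\jones\doc{i}.pdf.locked"))
    events.append(FileEvent(526, "bob", "write",
                            r"\\fileserver\clients\000_canary_do_not_open.docx",
                            bytes(rng.getrandbits(8) for _ in range(4096))))
    return events


if __name__ == "__main__":
    for user, why in detect(sample_events()).items():
        print(f"ALERT {user}: {', '.join(why)}")
```

In a real deployment the events would come from the file server's audit log and an alert would disable the user's session or SMB access rather than print; the thresholds should be tuned against a week of normal traffic before being trusted.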

What kind of sums are involved in ransomware attacks?
Sums can range from a few hundred to many thousands of pounds. In this particular spate of attacks, the Irish legal firms received ransom demands of between €5,000 and €30,000 to unlock their computers.

One solicitor wishing to stay anonymous commented: “The accounts system was in jeopardy, which we would be accountable for a closing balance of €4-5m every day to clients. Trying to identify 2,500 clients whose money was actually in the account to the very cent was never going to be achievable going forwards.”

The general advice for all organisations is:

•      To regularly review your data security policies and procedures (and ensure they are up to date and fit for purpose, reflecting the current threat landscape).
•      To regularly back up your data to mitigate any losses, keeping at least one copy offline or otherwise not writable from user workstations, since ransomware encrypts every share it can reach.
•      To act promptly when an incident is suspected: isolate the affected machines and deal with the issue rather than waiting.
•      To deploy up to date antivirus software.
•      To have effective web filtering.
•      To utilise up to date firewalls.
•      To educate staff to heighten everyone’s awareness about cyber security: what different attacks look like and, importantly, what their process and actions should be should they receive something they believe to be a cyber threat.

This news comes on the heels of the annual risk management survey by Legal Business and Marsh which found that “IT security breach / data management accident or breach” was the highest risk to law firms in terms of damage it could cause and the likelihood of it occurring.

For regulated industries especially, effective and contemporary security systems and knowledgeable management teams will serve as a significant reassurance to their customers. Amicus ITS provides specific Security as a Service offerings to protect against cyber attack. These include ‘Foxcatcher’ and ‘Amicus Viper’. Anyone wishing to discuss any cyber security issues in confidence can ring the security team on 02380 429429.

‘Panama Papers’ – a wake-up call for the legal sector

April’s data breach at Mossack Fonseca, the Panamanian legal, trust and accounting firm, offers a perfect-storm warning for law firms. As reported in last week’s blog (see link), the legal sector is a highly attractive and potentially susceptible target for the armies of cyber attackers because of the sensitive data law firms hold about their clients.

“All law firms should take the Panama breach as a major wake-up call,” says founder and executive chairman of IT Governance, Alan Calder. “Law firms have notoriously been targets for cyber criminals because of the sensitive information they possess. More recently, the scale and devastation that cyber breaches cause means that law firms need to consider their cyber security posture right now.”

The swift changes in cyber attack and the shifting focus between market sectors make defending your crown jewels (i.e. your data) ever more critical. Law firms were ranked the seventh highest target for cyber criminals in Cisco’s 2015 Annual Security Report, and in midsummer 2015 Cisco’s 2016 Annual Security Report noted that professional firms were one of four sectors (Government, Electronics, Professional and Healthcare) most hit by Trojan-related attacks, while the Professional Services vertical was hit with a high number of iframe attacks. Add to this that the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms two years ago over data protection breaches. It is not a comforting picture. But there are good things that can be done by taking a proactive stance on security.

The ICO acknowledges: ‘There is no “one size fits all” solution to information security, as the security measures that are appropriate for a particular organisation will be different to another.’ However, given the pressures facing the legal sector, companies would be well advised to adopt a risk-based approach to deciding what level of security is required and where, and to ask pertinent security questions of the third-party contractors and suppliers they use.

An ISO 27001 Information Security Management System (ISMS) provides a risk-based approach to data security. When rolled out through the organisation it can push down through the supply chain to raise standards with third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, a law firm which creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling you to meet growing legal and regulatory data protection obligations.

As with all things technological these days, it’s not just about knowing what’s in your estate to protect, it’s about strategically identifying for the business what you might need to consider adding to your infrastructure, to build peace of mind for your Board and customers.  That journey will ultimately be better travelled with an expert MSP which has ISO 27001, a passion for data security, a keen eye on cyber security – and one which can not only advise but is able to deliver 24×7.

ISO/IEC 27001 with UKAS

Law firms provide new lucrative data target for cyber criminals

The Wall Street Journal in the US has reported a significant rise in cyber threats being dealt with in the legal sector.  The allure of law firms to criminals is especially attractive given the highly sensitive nature of the data held by them.

But are we just talking about some underworld cyber guys ransoming data? Apparently not: some recent incidents are suspected to have been attempts to obtain deal information for insider trading (now allegedly the subject of FBI investigations).

Phishing attempts in law firms continue to feature highly in the latest reports.  Stephen Tester, partner at London law firm CMS which brokers cyber insurance commented to the BBC: “We’ve seen examples of emails [at client law firms] that purport to come from a managing partner to a more junior lawyer directing them to make payments to an account or to send certain information to an address… they can look very much like a regular message.”

However, it is the accounts of alarmingly insidious new ways that cyber criminals are trying to access systems that should put everybody on their guard. Would you have considered your video-conferencing systems or telephony to be vulnerable? Well, apparently so. “There are ways in which people can go into video-based conferencing facilities and literally listen in on meetings,” Mr Tester said. Telephone systems these days are delivered via VoIP: calls travel as IP packets over the same data network as everything else, so anyone with a foothold on that network can potentially intercept or record them. Not many organisations even consider this to be another attack surface.

The rise and variety of attacks reflect both the cunning and sheer determination of attackers looking for any infrastructure loophole, and sometimes striking gold through weak wifi settings and unsecured networks. Ally that to unsuspecting staff (93% of data protection breaches are reported to be caused by human error, according to the ICO’s 2015 report) and you have a tsunami of potential threat on the horizon with today’s cyber vultures circling.

Questions for you
•         Can you afford to sit back and assume your organisation is not a target?
•         Can your company afford to lose trust?
•         Can your company afford to pay the financial penalties if you are found to have mishandled EU residents’ data? Under the EU GDPR this could be a fine of up to €20 million or 4% of global turnover.

You have a duty to your employees, customers and shareholders to know that you can protect the data you are holding.

So what can firms do to avoid having cyber criminals picking over your or your clients’ data for their own financial gain? Certainly an audit with cyber security experts is a good start. Reviewing data security policies is a natural follow-on, as is writing down, and keeping up to date, what your plan is in the event of a cyber breach. Finally, phishing is an opportunity to raise everyone’s game by prioritising education around data security and cyber threats amongst staff. Better to pick over your own bones than have it done to you!


Warning from Information Commissioner – data security too lax in legal profession

With law firms the seventh most targeted business group according to the Cisco 2015 Annual Security Report, it is probably little surprise that the Information Commissioner, Christopher Graham, has warned the profession to improve its information security practices after 15 reported data breach incidents involving members of the industry in three months.

Christopher Graham commented: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

The Law Society Gazette announced that the ICO investigated 173 UK law firms in 2014 for a variety of incidents that may have breached the Data Protection Act 1998 (DPA).

Solicitors and barristers hold a veritable treasure chest of data including: confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally sensitive information.

The impact for the legal profession is serious, and the penalties for a law firm are severe. If found to have breached the DPA, law firms can face fines of up to £500,000 from the ICO, as well as a damaging loss of credibility.

Graham warns about data security Principle 7 of the DPA, which states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. 

The Commissioner says he is mindful that there is “no one size fits all” solution, so “…[legal firms] should adopt a risk-based approach to deciding what level of security you need”, in order to mitigate the risk.

ISO 27001 and best-practice cyber security provide exactly that safeguard. ISO 27001, as an ISMS, wraps people, processes and technology in an enterprise-wide approach to protecting information, in whatever form it is held, based on the specific threats the organisation actually faces. This acts as the counterpoint to the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software.

Responsible companies should certainly take heed of his advice and do more to protect their client data. This may be in the form of gaining the certification directly, or alternatively outsourcing to a reputable, established IT Managed Service Provider which holds this essential accreditation and can properly consult on and set about the necessary measures to formally protect clientele, finances and reputation. What price reputation?


Legal sector encryption failure gifts large payout to cyber criminals

A recent account published in the Telegraph newspaper, reported the alarming story of a London couple who inadvertently became the victims of a cruel cyber attack.  Completion funds on the sale of their property were intercepted by cyber criminals and the couple lost all proceeds, totalling £333,000.

The law firm handling the conveyancing, Perry Hay & Co in Surrey, had emailed owner Paul Lupton requesting his bank account details so that the proceeds of sale could be paid in on completion. Mr Lupton duly replied, giving both account number and sort code. The fraudsters, who according to the report used ‘xray’ technology that scans message traffic for patterns matching financial details, intercepted this email and replied to the law firm in his name, asking that the previous email be ignored and the funds be transferred to a different account: their own.

On discovery that the monies had not transferred, the owner alerted the bank (Barclays) and the police.   The account was frozen and £271,000 was returned.

With conveyancing a lucrative target for cyber criminals, law firms have to take responsibility for their clients’ money and use encrypted, password-protected email for confidential or financially sensitive information. Encryption alone does not help if the fraudster already controls one of the mailboxes, so any bank details, and above all any change to bank details mid-transaction, should be confirmed by telephone on a number already held on file before funds are released.
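Both the “managing partner tells a junior to pay an account” emails described by Mr Tester earlier on this page and the Lupton conveyancing fraud share the same tell-tales: a display name or address that only nearly matches a real one, a Reply-To that points somewhere else, and language about paying into a new account or ignoring an earlier message. The following is an added example, not code from the original post or from any firm named on this page: a Python scorer that pulls those indicators out of a raw message. The firm domain `example-law.co.uk`, the staff directory and the three sample messages are constructed for illustration.

```python
"""Score an inbound e-mail for business-e-mail-compromise (BEC) indicators.

Everything here (firm domain, staff directory, sample messages) is constructed
for illustration; it is not the original article's code.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.co.uk"                         # assumed firm domain
STAFF = {"jane partner": "jane.partner@example-law.co.uk"}  # assumed: display name -> real address

# Phrases typical of payment-diversion requests; two or more in one message is a hit.
PAYMENT_PHRASES = [
    r"\bsort code\b",
    r"\baccount number\b",
    r"\bnew (bank )?account\b",
    r"\bignore (my|the) (previous|earlier) (e-?mail|message)\b",
    r"\burgent(ly)?\b",
    r"\bpayment\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Plain-text body of a parsed message, multipart or not."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw: str) -> list:
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply_to)
    reasons = []

    # 1. Display name of a known member of staff, but not their address.
    expected = STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display-name spoof")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to mismatch")

    # 3. Sender domain is a near-miss for the firm's own domain.
    if from_dom != FIRM_DOMAIN and 0 < levenshtein(from_dom, FIRM_DOMAIN) <= 2:
        reasons.append("lookalike domain")

    # 4. Payment / change-of-account language in subject or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if sum(1 for p in PAYMENT_PHRASES if re.search(p, text)) >= 2:
        reasons.append("payment-change language")
    return reasons


def needs_callback(raw: str) -> bool:
    """Hold the payment for a telephone check if the wording and a header tell coincide."""
    reasons = score_message(raw)
    return "payment-change language" in reasons and len(reasons) >= 2


# Constructed sample messages.
LEGIT = """From: Jane Partner <jane.partner@example-law.co.uk>
To: junior@example-law.co.uk
Subject: Smith file

Please send me the draft contract for the Smith file when you have it.
"""

SPOOF = """From: Jane Partner <jane.partner@exarnple-law.co.uk>
Reply-To: jp.partner.office@webmail.example
To: junior@example-law.co.uk
Subject: Urgent payment

I am in a meeting, need you to make an urgent payment today to a new account.
Sort code 12-34-56, account number 12345678. Do not call me, just confirm by email.
"""

CONVEYANCE = """From: Paul Client <paul.client@homemail.example>
Reply-To: paul.client@homemaiI.example
To: conveyancing@example-law.co.uk
Subject: Re: Completion funds

Please ignore my previous email, the account I gave you is being closed.
Pay the completion funds into the new account below instead:
sort code 65-43-21, account number 87654321.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("conveyance", CONVEYANCE)):
        print(f"{label:11} callback={needs_callback(raw)!s:5} {score_message(raw)}")
```

The third sample mirrors the Lupton case: the From address is the client’s, so the firm saw nothing odd, but the Reply-To has a capital I standing in for an l and the body asks for a mid-transaction change of account. A filter like this belongs in front of the accounts team’s mailbox as a hold, not a block; the decision to pay still rests on the telephone call.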

For email users, account numbers, sort codes, passwords and PINs should never be transmitted by email or written down. Online passwords should be strong, unique to each service and changed whenever compromise is suspected. Devices should also be protected with security software that is kept up to date, with operating system and application updates installed promptly, to help defend accounts.

This is little comfort for the Luptons, who are currently still out of pocket to the tune of £62,000 after Perry Hay & Co (and Barclays) rejected responsibility, despite the legal watchdog, the Solicitors Regulation Authority (SRA), asserting that member firms are responsible for safeguarding client funds and must replace any monies “improperly withheld or withdrawn from a client account”.