According to Hiscox, writing on cyber readiness, barely a week goes by without news of a major cyber incident, and the stakes have never been higher. Data theft has become commonplace, the scale of ransom demands has risen steadily, and the environment in which businesses must operate is increasingly hostile. The cyber threat has become an unavoidable cost of doing business today.
Three cyber security threats facing law firms:
1. Email hijacking
Criminals hacking into a firm’s email server to intercept and send false emails to clients, usually to change bank details, is the biggest threat to law firms. It made up 80% of cyber crimes reported to the Solicitors Regulation Authority (SRA) in the second quarter of 2018. Nearly £11 million of client money was stolen through cyber fraud in 2017. Although that figure fell in 2018, the SRA suspects firms don’t report all cyber thefts, so it remains a significant issue.
This was our biggest source of claims in 2018 (37%), and the implications go further than stolen money. Under GDPR, these incidents must now be reported to the regulator, as criminals may also have accessed data in the email account, which is likely to include personally identifiable information.
2. Phishing
Phishing attacks, where staff are tricked into giving away confidential information, have reached epidemic proportions. Around 80% of law firms have had at least one phishing attack in the past 12 months, according to a Law Society online poll. Once they have your username or password, cyber criminals can hack into your firm’s computer system and steal information or money.
3. Malware
Harmful software can encrypt files, steal data, spy on your activity, and even hijack your server’s processing power. Ransomware, which effectively ‘kidnaps’ your files in return for a ransom payment, is the main malware threat, making up 16% of our cyber claims in the UK in 2018.
Even if you pay a ransom and get a decryption key, your data may be permanently unrecoverable, or your files may not work properly after decryption, because of glitches in the ransomware code. Secondary viruses downloaded along with the ransomware may also lurk on your system, providing criminals with a ‘back door’ to attack your system again in future.
How to protect your business
You can reduce the likelihood of cyber attacks by taking simple measures, such as making sure your software, including your anti-virus program, is up to date. Many organisations affected by the 2017 WannaCry attack could have avoided it if they’d upgraded their systems more quickly.
You should also regularly back up your files, preferably somewhere off your network, such as an external hard drive or cloud server. This way, if you are attacked, your data can be restored.
However, human error is the biggest danger. Over two-thirds (67%) of all cyber-related insurance claims we received in the 18 months to September 2017 were directly caused by an employee’s mistake, such as:
- clicking on malicious emails
- visiting harmful websites
- losing devices
That’s why it’s so important to train your staff on information security, for example:
- taking care when taking work home
- having strong, unique passwords
- knowing the risks in using their own device to log into the work computer network
The threat to a law firm of having confidential information either stolen or lost could be devastating. Yet only 21% of law firms have cyber insurance, according to a 2018 Law Society poll. Although your professional indemnity policy protects you if client funds are stolen through fraud, there are plenty of costs to your business from a cyber attack that it doesn’t cover. Also, how long could your firm operate without access to its computer system? It could have a big impact on your revenue.
Compensation for Data Breach
The threats are real and obvious. It is for law firms to be insured. According to Hiscox, your firm is 9 times more likely to be a victim of cyber crime than burglary.
Failure to protect is likely to result in compensation claims for data breach. It is worth checking your security systems now.