On 8th January 2019 in Dublin, Ireland, it was reported that a law firm lost €97,000 in a cyber scam after the hackers intercepted an email between the solicitor and their bookkeeper and changed the bank details for a payment. It was shared with the newspapers by the Law Society, who wanted to warn other law firms about the risks and kept the firm’s name anonymous.
On 15th January 2019 in Kingaroy, Australia, it was reported that a law firm lost $148,554.11 of client money after a wire transfer to a fake account. It was shared with the newspapers by the angry client and the firm has since ceased trading.
These are just the first two published stories of 2019 – there will certainly be more, many of which are never brought to public attention.
Why Is the Legal Industry at Risk?
Due to the nature of legal work, even sole practitioners can be processing five-figure or higher payments and sensitive personal data. Cyber-criminals want both of those things and will proactively target law firms to get them.
Whilst enterprise firms offer a larger prize to successful criminals, smaller firms are often less well protected. This is why small firms are targeted as well as large ones, and business owners cannot assume that they are too small to be actively targeted.
In 2016, QBE reported that $120 million had been stolen from law firms by cybercriminals in the previous 18 months. With the overall global cost of cybercrime now rising to $600 billion per year it is unlikely that this figure will decrease any time soon.
On another note, whilst most law firms will not have breaches on the scale of the Panama Papers, a loss of trust when client information is stolen can be fatal to the future of small and large firms.
Money Laundering Watch: “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach
Cybersecurity is not something that should be left to the IT staff – it is a matter of business survival and Managing Partners need to take the lead in ensuring their firm is safe.
What Can I Really Do? Even IT Firms Get Hacked
The truth is that there is no 100% fool-proof way of preventing cybercrime. However, there are plenty of things you can do to reduce your chances of being a victim. It’s not so different from physical security – locks and an alarm cannot prevent your house from being robbed 100% of the time, but locks and an alarm are undoubtedly better than just locks, or nothing at all.
The following steps are not a comprehensive plan for IT security – every business has different IT system weak points and your plan should be tailored to your company by a professional.
However, there are practical steps that all business owners can and should be following today:
Don’t leave your cybersecurity to the IT people
Law firm owners are not IT specialists and hiring either an outsourced supplier or IT Manager, depending on the size of a business, is a good idea. However, a business owner’s responsibility does not stop there.
“When we first engage with law firm owners, many of them cannot answer basic questions about their IT set-up and what protections are in place,” said eXpd8’s Shane Branagan, who specialises in IT managed services for law firms. “They hire an IT specialist and then just pay the bills. This lack of oversight leaves firms dangerously vulnerable, and if the worst happens it is the firm and not the IT supplier who will bear ultimate responsibility.”
Law firm owners are not IT specialists, and they do not need to be – however, they do need to understand enough of the basics to have an overview of what is needed and to interrogate any suggestions made by an IT supplier or manager. IT security should be discussed at board and management team level.
The good news is that learning about basic cybersecurity has never been easier. Most country-level Law Societies will have resources to get you started, there are plenty of articles on the internet and many cybersecurity companies offer free webinars that will go into topics in more depth.
To get you started, here is eXpd8’s checklist of the basic protections every business should have:
- Data back-up
- Email spam filter
Watch Out for Passwords
Passwords are a tricky area, and there’s plenty of conflicting advice on best practice. However, whilst IT security experts are arguing over password managers and the optimum number of passwords per person, many law firm owners leave big holes in their security by not following some simple rules.
- Don’t use the same password(s) for your personal and work accounts. Breaches on e-commerce and other sites happen all the time – don’t let them affect your business.
- Don’t use a password someone can guess. Your children’s names, birthdays, the road you live or have lived on? Hackers don’t need malware when you use such easy-to-guess information.
- Use two-factor authentication on applications with sensitive data. Two-factor authentication feels like an inconvenience but is highly effective. Shane Branagan from eXpd8 said that he found it was one of the first things firms implemented after a data breach to increase security. Be ahead of the curve and implement it now!
Keep Your Programmes Up To Date
Do you remember the WannaCry ransomware attack in May 2017 that affected more than 200,000 computers in 150 countries? This was an issue that had been identified, a solution found and an update released. The attack affected those who had not downloaded the relevant Windows update.
Cyber threats are ever evolving, and most ‘new feature’ updates also include new protections against recently identified threats. Making sure that your applications are up to date helps the software providers to keep you safe.
Make Sure Your Employees Know What a Suspicious Email Looks Like
Cyber-security training for employees is recommended by all IT security professionals and all businesses should give their employees regular and comprehensive cyber-security training.
Yet in a sample survey, ESET found that only 17% of employees surveyed had received ‘a lot’ of cyber security training, and 33% had received none at all.
The advice of this article is to do as much cyber security training with your team as possible. However, if you have limited time and resources then the best place to start is training on email security. Email is one of the key intersections between people and technology and email scams are getting more sophisticated and more frequent.
Do your employees know the key signs of phishing? Have they heard of CEO fraud? Do they know what to do if they receive an email with a potentially suspicious link? Do they know how to identify a spoofed email address?
Unless you can answer a confident yes to all these questions you need to arrange some training. It doesn’t have to be expensive – there are plenty of free online courses, or training platforms you can sign up to for a reasonable fee.
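As an added illustration of the spoofing signs staff are asked to recognise above (example code written for this page, not part of the original article or of eXpd8’s material), the following Python checks a raw email for a Reply-To that goes elsewhere, a display name that carries a different address, a one-character lookalike of a trusted domain, and bank-detail language from a sender that has not been verified. The trusted domains and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed sample values: the domains this (fictional) firm expects mail from.
TRUSTED = {"example-solicitors.ie", "example-bookkeeping.ie"}
MONEY = re.compile(r"bank details|account number|iban|sort code|urgent", re.I)

def edit_distance(a, b):  # Levenshtein distance; one edit from a trusted domain = lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_signs(raw):  # returns the warning signs found in one raw message ([] = none)
    msg = message_from_string(raw, policy=policy.default)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_dom, signs = domain(sender), []
    if reply_to and domain(reply_to) != sender_dom:
        signs.append(f"Reply-To goes to {domain(reply_to)}, not to {sender_dom}")
    if "@" in name and domain(name) != sender_dom:
        signs.append(f"display name shows a different address: {name}")
    if sender_dom not in TRUSTED and any(edit_distance(sender_dom, t) == 1 for t in TRUSTED):
        signs.append(f"lookalike of a trusted domain: {sender_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if MONEY.search(text) and (signs or sender_dom not in TRUSTED):
        signs.append("payment details requested by an unverified sender")
    return signs

# Constructed sample messages (not real mail): one fraudulent, one legitimate.
FRAUD = """\
From: "Jane Bookkeeper" <jane@example-bookkeping.ie>
Reply-To: jane@webmail-example.net

Our bank details have changed, please send the urgent payment to the new IBAN.
"""
LEGIT = """\
From: "Jane Bookkeeper" <jane@example-bookkeeping.ie>

Attached is the March invoice, no changes to the usual payment arrangements.
"""
```

Calling phishing_signs(FRAUD) returns three warnings (the diverted Reply-To, the lookalike domain and the bank-detail request), while phishing_signs(LEGIT) returns an empty list. A flagged message is a prompt to confirm any new payment details with the counterparty by phone on a known number, never by replying to the email.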
I’m Following All of Your Tips – What Now?
As described before, the legal industry is a particular target of scammers because it combines the collection of sensitive personal data with the processing of large sums of money. This means that of course you need to invest to make your business as safe as possible – and consult with professionals on a comprehensive plan. You also need to be prepared in case the worst does happen.
If you have business within the EU, data breaches must be reported within 72 hours. If this happens, you want to be 100% focussed on resolving the data breach and minimising your exposure rather than splitting your attention between the data breach itself and learning about how to report it. Even if you operate outside of the EU, you will still need a plan to communicate with clients promptly whilst resolving the issue.
Larger organisations will need to do more complex preparations and involve IT providers and internal staff in the planning. All organisations, no matter the size, should at a minimum have read the reporting guidelines for their country, put together a template for themselves to fill in and assigned internal roles in case of a breach. The 72-hour reporting requirement includes weekends, so you should also think about what happens if the breach is noticed between Thursday and Sunday.
‘Cybersecurity war games’ are a useful way of testing your plans and making sure that there aren’t any gaps that you’ve missed. For larger firms, hire a specialist to make sure tests are comprehensive and catch anything your internal staff have missed. For smaller firms, you can identify a scenario and run it to its conclusion without needing consultants or a big budget.
In conclusion, whilst the threats are significant and ever growing, there is plenty that law firms both large and small can do to protect against these threats and to prepare in case the worst does happen. Lawyers have a responsibility to protect their client data and funds to the best of their ability, and this means taking a proactive approach to cybersecurity rather than just hoping for the best.