In today’s increasingly digital age, law firms are being targeted by more frequent cyber attacks. These attacks exploit vulnerabilities in the firms’ IT systems to gain access to client data, intellectual property and financial information, with damaging effects on both the law firms and their clients. According to recent Solicitors Regulation Authority (SRA) statistics, 75 percent of the law firms visited reported that they had been victims of cyber attacks, and 25 percent of the law firms are not encrypting their laptops.
One of the most common types of cyber attack that law firms face is ransomware, malicious software that encrypts a client’s files, making them inaccessible. The hijacker then demands a ransom payment in exchange for the decryption key. If the ransom is not paid, the hijacker may then threaten to leak the sensitive information found in the client’s files or delete them entirely. Ransomware is the main malware threat faced in the UK, making up 16 per cent of the cyber claims in 2018. Law firms are particularly vulnerable to these types of attacks because of the vast amounts of confidential information they hold, and many firms do not have the equipment needed for a robust cybersecurity system.
Recently, DLA Piper LLP, one of the biggest law firms in the world, was hit by a ransomware attack in which the hijacker demanded $300 billion in bitcoin in exchange for restoring access to the thousands of computers that had been encrypted, threatening to delete all files if the firm did not comply. As a result of this attack, insurance brokers have estimated that the potential cost of damages DLA Piper LLP could face 'is in the millions'.
Another common type of cyber attack that law firms are rather susceptible to is phishing. Phishing is a social engineering technique that attempts to obtain sensitive information or gain access to a client’s funds via email. It is one of the most common techniques hackers use, as they can send emails that seem to come from a legitimate source and trick the recipient into clicking a link or downloading an attachment that contains malware. Of the UK businesses that reported being victims of cyber attacks, 83 per cent said that they were targeted by phishing attempts. In addition, phishing poses a major internal threat, as unsuspecting and untrained staff are more likely to click on a phishing email, with 41 per cent of law firms suffering an internal security incident from their staff.
In addition to ransomware and phishing, hackers also target website vulnerabilities. Symantec reported that there were over a million web attacks every day in 2015. Hackers continue to take advantage of these vulnerabilities to infect the websites’ users because website administrators have not secured the websites, with nearly 75 per cent of legitimate websites not having fixed these vulnerabilities. Moreover, zero-day attacks are increasingly threatening to firms, as they exploit software vulnerabilities that are unknown to the vendors of the target software. As a result, hackers are able to exploit these vulnerabilities before they are identified and fixed. In 2021, zero-day attacks grew by more than 100 percent compared to 2019, with the most frequent exploits attacking Microsoft, Apple and Google.
To combat these increasingly dangerous threats, law firms need to adopt a proactive approach to their cybersecurity. This can be achieved by implementing robust security measures such as firewalls, intrusion detection and antivirus software. Furthermore, law firms should provide regular training for their employees on how to identify and respond to potential threats, such as educating them on how to recognise phishing emails and ensuring they use strong passwords that they do not share. The SRA identified that 20 per cent of the firms they visited never provided their employees with specific cyber training, and 50 per cent provided training yet did not have any recorded data or evidence of the training.
The impact of these malicious cyber attacks on law firms can be long-lasting and extensive, as they may entail legal liability for the incident, lead to the loss of client trust and cause reputational damage. If a client feels that their data is not secure, they may take their business elsewhere, which in turn can have a damaging effect on the firm. These cyber attacks can also lead to severe financial losses, including remediation costs, a loss of billable hours and potential fines or legal settlements.
Cyber attacks on law firms are therefore a growing threat that can have severe consequences for both law firms and their clients. By implementing a more robust cybersecurity system and providing essential training to their employees, law firms can successfully reduce the risk of a serious attack.