Critical cyber threats law firms should be aware of in 2024

Critical cyber threats law firms should be aware of in 2024

With legal practices increasingly reliant on digital technologies, the guardianship of sensitive client information and financial assets has taken centre stage. A backdrop of rising cybercrime, notably propelled by Russian-backed groups amid the ongoing conflict in Ukraine, means the legal sector’s vulnerability to evolving cyber threats is now critical.

In 2023, a new report from the National Cyber Security Centre (NCSC) sounded a warning bell, highlighting that the legal sector was particularly vulnerable to cyber-attacks. This threat became a stark reality in November last year when managed service provider CTS fell victim to a cyber incident that potentially affected hundreds of UK law firms. As we move through the new year, the challenges continue to mount, from increasingly sophisticated ransomware attacks to the persistent danger of phishing.

Here are just some of the critical cybersecurity risks facing legal businesses in 2024.

Ransomware

Ransomware continues to be a significant threat, with cybercriminals increasingly using sophisticated methods to hack and encrypt sensitive data and demand payment for its release. In 2022, Tuckers Solicitors was fined almost £100,000 after a ransomware attack led to organised criminals publishing sensitive court bundles on the dark web.

Despite general advice to not pay the ransom, many companies choose to do so. But be warned, there is no guarantee that criminals will hold up their end of the deal if you do. After being paid – many hackers choose to go ahead and leak the stolen data regardless.

Phishing

Phishing remains a common attack method. From deceptive emails to QR code-based attacks, hackers are relentless. In 2024, criminals are targeting firms of all sizes, and “for smaller firms that have little or no dedicated cyber security and IT support, the risk of incidents like ransomware attacks is on the increase.”

Last year, Snowball & Jackson (SSJ), a small firm in County Durham, was publicly rebuked by the Information Commissioner’s Office (ICO) after criminals accessed an employee’s email account through a phishing attack and accessed probate funds.

Multi Factor Faking

While multi-factor authentication (MFA) – also referred to as two-factor authentication (2FA) – is a robust security measure, cybercriminals are finding ways to circumvent it, especially where older, weaker forms of MFA are in place. Spoofing MFA pages is one tactic that is on the rise, with cybercriminals tricking individuals into entering a MFA code that will grant them access to an organisation’s genuine systems.

Artificial Intelligence (AI)

AI can be both a defensive tool and a threat when it comes to cybersecurity. For example, AI can generate compelling and personalised phishing emails, gathering data from various online sources to create comms tailored to specific individuals within a law firm, making them more likely to fall victim to the attack.

Savvy hackers can also use AI to craft malicious code that enables them to deceive security systems. And AI can create sophisticated malware that evolves and adapts its tactics to ensure the best chance of infiltration. Law firms must fortify their defences against evolving AI-powered threats.

Deep fakes

Deepfake technology, powered by AI, is being used to create shockingly convincing audio and video recordings. Anyone who watched the latest Harlan Coben drama on Netflix will have seen how realistic these fakes can be – even going so far as to convince a widow that her husband was still alive! Today, criminals could potentially use such deep-faked recordings to manipulate employees into disclosing sensitive information or authorising fraudulent transactions.

Supply Chain Attacks

The number of companies that have suffered a data breach because of a third party is growing. And, as networks become larger and more complex, and more and more data is shared between organisations, the level of risk will continue to increase unless effective data governance occurs.

Insider Threats

Malicious or unintentional actions by employees can pose a risk to sensitive data. Indeed, a recent study found that 60% of data breaches in the UK legal sector resulted from insider actions. Law firms must implement robust access controls and monitoring systems to detect and prevent insider threats.

Reducing the cyber risk

Protecting against attacks is crucial for law firms to safeguard sensitive client information and maintain operational integrity. Here are several proactive measures law firms can take to enhance their defences in 2024:

  • Prioritise employee training. On-going cybersecurity training is essential to educate employees about the risks associated with cybercrime. This training should be regularly reviewed to ensure it is keeping up with new and emerging threats.
  • Lead from the top. It is essential that senior leadership teams are engaged and informed about cyber security risk to create a culture of cybersecurity vigilance.
  • Invest in comprehensive security measures. There are a plethora of security tools and measures that must be implemented to protect modern law firms from hackers. These include advanced email filtering, email authentication mechanisms (e.g. DMARC), regular backups, maintaining up-to-date operating systems, software, and applications, network segmentation, antivirus and anti-malware software, user permission management, multi-factor authentication, and more.
  • Perform due diligence on third-party vendors. Assessing the security and privacy practices of your supply chain should be part of the procurement process. You should also keep a register of all third-party vendors, and the types of personal, sensitive or confidential information they process on your behalf.
  • Review your Incident Response Plan. Nearly three-quarters of the UK’s top-100 law firms have been affected by cyber attacks[1]. As such, it is vital that your firm develops a comprehensive incident response plan that outlines the steps to take in case of an attack and conducts regular testing to evaluate and refine the incident response process.
  • Ensure regulatory compliance. Making sure your firm is compliant with the latest data protection regulations and industry-specific cybersecurity standards will help counter the threat on cyber-incidents. This means regularly auditing and updating your security policies to align with evolving regulatory requirements.

In the ever-evolving landscape of cyber threats, the Legal Eye Academy offers online training that addresses emerging risks, cybersecurity challenges, and compliance issues. Our modules continually adapt to reflect the dynamic regulatory landscape, empowering legal professionals to stay informed and uphold their responsibilities in this digital age. For more information, contact us at 020 3051 2049.

This article was submitted to be published by Legal Eye as part of their advertising agreement with Today’s Conveyancer. The views expressed in this article are those of the submitter and not those of Today’s Conveyancer.

Legal Eye

https://www.legal-eye.co.uk/

Legal Eye works with law firms to ensure compliance and optimise performance. Their extensive and thorough knowledge of the law and regulations will ensure your law firm is compliant and your processes sound. Files are audited to ensure you are not only complying with the service level agreements you have in place, but very importantly, also the code of conduct. They provide a documented audit trail which is firstly, a requirement of the code of conduct and secondly, essential for PI Insurance purposes and very often for CQS, Lexcel and other quality accreditations. This provides documented evidence of a proactive approach towards risk management. The advice they offer is clear and practical, and they pride themselves on exceptional customer service and unbeatable work quality.

Services include:

  • Specialist expertise across the full range of regulatory, risk and compliance issues to inform your internal decision making.
  • Additional qualified resource where you simply do not have the time to review your regulatory position or to carry out essential ongoing tasks such as file reviews.
  • An online risk hub –  an online resource centre for law firms. The hub provides a comprehensive bank of resources to help COLPs, COFAs, partners, directors and managers to manage risk. It includes precedent policy and procedure documents and templates, access to online training on a range of risk and compliance topics, and a range of useful materials such as ‘how to’ guides, short videos and articles.
  • Drafting and review of key policies and procedures including the supply of ‘document packs’ to save you time researching and writing documentation.
  • Expert advice on how to comply with up-to-date regulation including the very latest requirements complete with a written set of recommendations.
  • Specialist outsourced complaints  handling service provided by former SRA and LeO officers.
  • Gap analysis of your firm’s policies, processes and procedures as they relate to the Solicitors Accounts Rules (SAR) including the production of a written report summarising the strengths and weaknesses of the current arrangements and detailing recommended next steps and actions to put your firm in an even stronger position.
  • Training on SAR and on anti money laundering (AML) as well as other finance-related training which can be delivered virtually for your firm, face-to-face (subject to government guidance) or online via Legal Eye’s Training Academy.
  • A Standard Procedures Manual to provide a practical and comprehensive roadmap for firms to follow when looking to double check whether the current operating procedures are fit for purpose, setting up a new firm – or arm of a firm – or starting a new finance function from scratch.
  • Experienced advice and support for one-off projects such as achieving quality accreditations or switching regulators.
  • Proven high quality training for fee earners and staff held at your office/s covering essential risk topics such as  Anti Money Laundering, data  protection, cybercrime, conflict of  interest and more.
  • Online training from The Legal Eye Academy – core modules available to all staff at their convenience. Includes built-in auto reminder functionality so that you no longer have to chase staff indi-vidually to complete important training. Your package includes free updates to ensure knowledge is always up to date.
  • Added value updates by email to all your key people covering all the latest updates on risk and compliance.
  • The Legal Eye team includes former solicitors, partners and directors in law firms; former case handlers at regulators such as the Solicitors Regulation Authority and the Legal Ombudsman and experienced risk and compliance professionals.
Contact: Paul Saunder Tel: 0203 0512 049 Email:  bestpractice@legal-eye.co.uk Address The Old Grammar School Church Road Thame Oxfordshire OX9 3AJ

Leave a Reply

Your email address will not be published. Required fields are marked *