Cyber crime is a significant threat to law firms, with PwC’s recently published Annual Law Firm Survey highlighting that 62% of UK law firms have reported a cyber attack this year. When compared to the 40% of firms reporting an attack last year, it is clear that the threat is increasing as fraudsters become more sophisticated in their approach.
The Federation of Small Businesses estimates the average cost of cyber crime to be £4000 pa per firm, whilst Norton estimates the global cost of all online crime to be in the region of £237bn. Clearly, cyber crime is a threat not to be overlooked. Law firms make particularly attractive targets for cyber criminals because of the nature of the information they hold.
The majority of attacks (over three quarters) come in the form of ‘phishing’ emails, but attacks can also come in the form of:
- Malware (harmful software)
- DDoS attacks
- Bogus firms
The SRA recommend the following ten steps to help protect your firm:
- User education and awareness
- Incident management
- Mobile and home working policies
- Information risk management regime
- Managing user privileges
- Removable media controls
- Secure configuration
- Malware protection
- Network security
The full recommendations can be found in GCHQ’s ‘Ten Steps to Reducing Cyber Crime’ factsheet: https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary
Considering the growing reliance on the internet to conduct business, we should anticipate that cyber crime attempts will also increase.
It is essential that firms have a robust disaster recovery plan in place, should the worst happen, but worryingly, according to the PwC report, only 32% of firms are ‘very confident’ in their IT disaster recovery capabilities.
According to the Solicitors Regulation Authority (SRA), cyber criminals have caused “substantial losses” to 50 law firms this year, ranging from £50,000 to £2m, and a further 20 firms have fallen victim to e-mail redirection scams involving “very substantial” amounts of money. All firms are at risk of reputational damage, increased PI cover, reprimand by the SRA and ICO, and potentially even the closure of the firm if the amounts lost are significant enough.
Firms must act now to ensure the security of their data as we will no doubt be hearing of more and more sophisticated attacks in 2016.