City PM
Thursday 03 April 2025 5:00 am  |  Updated:  Wednesday 02 April 2025 4:38 pm

Law firms are not taking cybersecurity seriously enough

By: Maria Ward-Brennan

Professional Services Editor


Cybercriminals love law firms; the sheer amount of sensitive information they hold on clients makes them a goldmine for scammers.

Unsurprisingly, endless reports state that law firms are the key targets.

The sector was named the worst-performing industry for data breaches last year after Hayes Connor analysed data from the Information Commissioner’s Office (ICO).

Its analysis showed that nearly 86 per cent of the incidents within the legal sector involved breaches of basic personally identifiable information, with instances affecting sensitive economic and financial data.

Tim Robinson, partner in forensic services at Crowe, told City PM that the “vast amounts of sensitive personal and financial data” they hold make them prime targets.

There aren’t many issues on which you’ll find nearly 100 per cent of businesses agreeing, but cybercrime seems to beat the norm.

According to Crowe’s Law Firm Benchmarking 2024 report, 97 per cent of respondents considered cybercrime and fraud resilience a high priority over the next few years.

However, this was against a backdrop of only 32 per cent of those firms providing either monthly or quarterly training to their people.

Costly event

Not surprisingly, a data breach can be many things to a business, but the most critical factor is how costly it can be.

According to IBM, the global average data breach cost in 2024 was nearly $4.9m (£3.7m), a 10 per cent increase over last year and the highest total ever.

In 2022, criminal law firm Tuckers Solicitors was hit with a nearly £100,000 fine by the ICO after a data breach encrypted almost one million files.

In addition to the monetary aspects, it damages the firm’s reputation.

Robinson explained: “Clients rely on law firms to protect their data and confidentiality. A cyber-attack can quickly undermine this trust and form cracks in hard-earned relationships.”

Despite this, the legal sector isn’t taking these breaches seriously enough.

Nicky Owen, partner and head of professional practices at Crowe, pointed out that their report identified that law firms’ biggest concern remains phishing attacks, cited by 98 per cent of firms.


“Surprisingly, despite these concerns, the survey also found that only 31 per cent of law firms are providing either monthly or quarterly training for their people,” she added.

Legal regulator Solicitors Regulation Authority (SRA) found in 2020 that 20 per cent of the law firms visited had never provided specific cybersecurity training.

“It is crucial law firms do more,” stated Dan Schiappa, CPO at cybersecurity firm Arctic Wolf.

With the rise of AI, Robinson added that it is arguably more important than ever for firms to be on top of emerging threats.

“AI-enabled cyber-attacks can take a number of forms, including phishing emails and more recently deepfakes and adapted malware. Leveraging data from their targets, AI-enabled attacks can continuously adapt and refine their strategies to exploit specific vulnerabilities,” he explained.

What can law firms do?

There are a lot of spinning plates when it comes to cybersecurity, so much so that most businesses, including law firms, have the mentality of: ‘not if we are hacked, but when we are hacked’.

Back in November 2023, Magic Circle law firm Allen & Overy (now known as A&O Shearman) was targeted by a well-known cybercriminal ransomware group.

A&O confirmed the data in its core systems had not been affected, adding that its technical response team, working with an independent cybersecurity adviser, “took immediate action to isolate and contain the incident”.

Despite that, Crowe’s report did note that 60 per cent of law firms cited a lack of cybersecurity awareness at board level as a significant concern.

On this stat, Robinson stated that law firms must deploy a comprehensive framework integrating cybersecurity into the overall governance and risk management strategy.

“Without strong governance from leadership, a lack of tone from the top and accountability can develop and generate weaknesses in resilience,” he added.

Schiappa stated that it is a must that law firms ensure IT teams monitor for potential vulnerabilities, detect threats, and respond to malicious activity.

He noted that trusted third-party experts can provide guidance on the most critical areas to improve and work as an extension of the in-house team to respond to threats quickly.

Owen added that “investing in resilience is crucial for law firms to safeguard the future stability and success of the business.”

Eyes on the Law is a weekly column by Maria Ward-Brennan focused on the legal sector.
