The SRA has carried out a cybersecurity review to discover more about the experiences of law firms that had been targeted by cybercriminals. 40 firms took part in the review and the SRA has now issued its report outlines its findings in five key areas:
- cyberattacks – type, volume and impact
- people – what support was provided to staff?
- technology – what controls did firms have in place?
- support – what support did firms use?
- reporting – did firms meet their reporting requirements?
Cyberattacks
Three quarters of the firms had been the target of a cyberattack. Other firms reported that cybercriminals had directly targeted their clients during a legal transaction. Most client losses were recovered from insurance companies, but a substantial sum had to be repaid directly from firms’ own money. This does not take account of the wider cost of such incidents to firms, for example higher insurance premiums, lost time and damage to client relationships.
There were often indirect financial costs to data attacks. For example, one firm lost around £150,000 worth of billable hours following an attack which crippled their system. Firms also reported that attacks were not isolated incidents. Two of the larger firms were targeted hundreds of times a year, although the vast majority of these attacks were not successful.
Cybercriminals typically used a broad range of approaches when targeting their victims. The most common methods included email modification; spyware; ransomware; viruses; denial of service attacks; and gaining remote access to a firm’s systems.
People
Cybercriminals trick their victims into sharing confidential information and provide access to their funds. According to the SRA, 60% of the firms believe that their biggest potential vulnerability to cybercrime was linked to the knowledge and behaviours of their staff. However, only around two-thirds of staff in the firms surveyed claimed to be ‘knowledgeable’ about cybersecurity and IT issues. The SRA said some firms had inadequate policies and controls in place, and around 20% had never provided specific cybersecurity training to their staff. More than half did not keep records of who had received such training.
The SRA also reviewed how firms remedied the causes of historical incidents to avoid similar issues occurring in the future. Mitigation cost firms time and money, but this was less than the amount of money lost. This highlighted that security measures often make sound business sense as well as being a regulatory requirement.
Technology
The SRA also evaluated the technological controls that firms had employed. 93% of the firms confirmed they had firewalls in place (the remainder were unsure), with more than half having firewalls round both individual devices and a wider firewall round their overall systems. All the firms confirmed that their laptops and devices were password protected. Moreover, 25 confirmed that two-factor authentication was required from staff/clients when engaging in many day-to-day activities.
All firms undertook some form of data backup exercise, while 87% made active use of anti-virus software. However there were other practices that were commonplace which could potentially make a firm’s systems vulnerable such as using external data sticks and old versions of Windows. This is significant because cybercriminals will exploit weaknesses in systems to gain unauthorised access. The best defence is to avoid the use of data sticks, to install update patches as soon as they are released and use the latest version of operating systems and browsers.
The SRA also considered each firm’s ability to respond to a catastrophic cyberattack. 68% had a disaster recovery plan in place, but some firms also admitted that the document was stored on the same system that would be the target of any attack. However, other firms had employed specialists to stress test their systems.
Support
Three quarters of firms predominantly relied on help from commercial IT specialists. The SRA says some are more reliable and knowledgeable than others. The SRA found that firms with Cyber Essentials Plus accreditation (a government scheme) were more likely to have good policies and procedures in place and have taken effective steps to protect themselves from future cyber security incidents.
Reporting
Firms and individuals must ensure that if an incident occurs, they comply with their regulatory and legal reporting requirements. This includes their duties to report incidents to the SRA, which found that 73% of firms had reported incidents; seven significant incidents were not reported, despite clear and significant breaches; and reports were not routinely made when clients were affected but the firm had not been directly involved, for example, where clients were tricked into sending money to a third party. Although reporting where only clients are affected is not a regulatory requirement, the SRA encourages reporting as the information might be useful in helping its wider work to tackle cybercrime and raise awareness of common scams.
The SRA also considered incidents where reports had to be made to the ICO. Nine firms had made a referral to the ICO following a cyberattack and nine firms encountered an incident where it appeared personal data had been accessed but no report had been made. Twenty-three firms had informed law enforcement following their last cybercrime incident. These included incidents where: a client transferred £70K to a fraudster; a further £70K transfer was made to a fraudster in an unrelated incident by another client; and a solicitor transferred £340K to a fraudster.
The future
The SRA emphasises that cybercrime is indiscriminate. All areas of the legal sector are being targeted. However, there were numerous simple and effective ways to reduce their exposure to cybercrime risks as long as firms must understand the risks they face. Most firms believed that staff were the greatest cyber risk. Firms should consider how incidents might occur and what mitigation could be used to contain and minimise an initial breach. Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device. However, ultimately it is a broader risk than the use and maintenance of technology alone. Firms need to have suitable knowledge and oversight to ensure they maintain a strategic approach to technology and security across the whole firm.