If I were running a law firm, the number one thing keeping me up at night would be the threat of a cyber-attack. So no doubt the Gazette’s revelation last week that a cyber-attack on conveyancing giant Simplify had cost the group nearly £7m (and actually much more if you count the written-off goodwill) sent a shiver down the spine of every law firm partner in the country.

Rachel Rothwell

For the cybercriminal, law firms are very desirable prey. Even small firms can be handling vast amounts of money, especially if they are active in areas such as conveyancing, where huge sums will pass through the firm on a Friday afternoon. Meanwhile, corporate transactions can involve multi-millions.

It is not just the money, however. Law firms are also especially rich in valuable data. As well as sensitive and confidential information about whatever it is that the firm is advising their client on, there is a huge wealth of personal information that the firm is required to scan and store – copies of passports, bank statements, utility bills – that would be a veritable jackpot for cybercriminals.

And against this backdrop is the fact that any law firm’s reputation sits at the very summit of what is most important to the business. This must be protected at all costs, even if it might mean quietly paying a ransom rather than having confidential information released into the public sphere.

None of this is new, of course – law firms have been living under the shadow of a potential cyber-attack for years. Most practices are taking sensible steps to reduce their vulnerability, adopting established schemes like Cyber Essentials Plus. But on a basic level, there is much that can be done to minimise risk: for example, ensuring that data is backed up every day and stored completely separately, so that it won’t be affected by an attack; and preventing users from accessing internal systems without two-factor authentication, meaning that they have to prove who they are in two separate ways, typically on two separate devices, before they are allowed access.

Any chain is only as strong as its weakest link, however. And when it comes to cyber-attacks, the weakest link is obvious: the human. It is very easy to find out who the individual lawyers are at a firm, their email addresses, their areas of specialism and even previous cases that they have worked on. They can then be targeted with a phishing scam enticing the individual to click on a link, which will promptly download malware onto the system.

Sometimes cybercriminals manage to gain entry into a lawyer’s email, where they will sit and wait, gathering information, until they have an opportunity to make their move. I have been told about one firm where the boss had a very particular – and rather abrupt – email style, including a habit of using three dots after a sentence. A message sent to the finance director which mimicked that style very convincingly and ordered her to pay an invoice immediately – on a day when the boss was out of the office – was very nearly successful. These so-called ‘CEO attacks’ are especially dangerous because of the natural reluctance, particularly among more junior staff, to question their boss. That is why staff training is so important.

The bad news for law firms is that these targeted scam attacks are surely about to get a lot more common and much more sophisticated, now that game-changing artificial intelligence is emerging. Even without access to a lawyer’s mailbox, AI could no doubt come up with a convincing phishing message, just using the treasure trove of publicly available information about the lawyer and their firm. But if hackers actually managed to infiltrate a mailbox – either that of the lawyer themselves, or perhaps more likely, of a client – then AI could swiftly produce something that seemed very much like the real deal in use of language, content and even tone.

These are scary times ahead. Law firms should look closely at building as much protection as they can into their software and systems, ensuring that they have a detailed and up-to-date contingency plan, and conducting regular ‘phishing tests’, with extra training for any staff who fall for the trick and click on the link. And perhaps most importantly, firms must support staff to feel confident about speaking up when something doesn’t seem right – even if it looks for all the world as if it has been sent by the boss.


Rachel Rothwell is editor of Gazette sister magazine Litigation Funding, the essential guide to finance and costs.