On 27 June, a global ransomware attack spread quickly across high-profile businesses including global law firm DLA Piper, which had recently produced client guidance on protecting against ransomware attacks.
Law firms are specifically targeted by cybercriminals because they hold client data and funds, and are potentially considered the ‘weak link’ in transactions between heavily regulated clients such as banks. Smaller-scale attacks include the conveyancing scam ‘Friday afternoon fraud’, where cybercriminals hack into solicitors’ email accounts to intercept homebuyers’ payments by sending lookalike emails asking for transfers to be made to a different bank account.
Last week’s attack highlighted that cybersecurity is business-critical, both operationally – it shut down DLA Piper’s entire network – and in terms of business reputation.
This is reflected in the rapid growth of the global cybersecurity insurance market, which last year crossed the billion-dollar earnings mark for the first time. Insurers earned $1.35bn from cyber-insurance premiums, a 35% increase on 2015.
There is likely to be a knock-on effect on professional indemnity insurance too. PI insurers may ask firms about prevention measures and risk management, including IT security. What are the essential measures that firms should have in place?
Most law firm IT systems are relatively secure, due to regulatory and compliance obligations around data protection, legal privilege and client confidentiality. There is also increased awareness, and the Law Society and Solicitors Regulation Authority are among multiple sources of guidance on preventing and reporting breaches.
The greatest challenge is human behaviour. Notwithstanding measures to lock down systems and data, lawyers who are under pressure will find a way round. Email is the most common way into a firm, accounting for 85% of breaches. Technology can help, including encryption and systems that identify potential threats or discrepancies, as can policies that identify and address vulnerabilities. International standard ISO 27001 is a good starting point as it also covers internet browsing, mobile device management and flexible working.
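The ‘Friday afternoon fraud’ pattern described above (a lookalike sender asking for funds to go to a different account) is exactly the kind of discrepancy an automated email check can surface for a human to review. The following is an added example, not code from the article or any firm it mentions; the trusted domains, the sample messages and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of counterparty domains the firm routinely transacts with (assumption).
TRUSTED_DOMAINS = {"examplebank.co.uk", "clientfirm.example"}

# Phrases that typically accompany a request to redirect a payment.
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?)\b.*\b(bank|account|sort code|iban)\b", re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess_email(raw: str) -> list[str]:
    """Return human-readable warnings for a raw RFC 822 message (empty list = nothing unusual)."""
    msg = message_from_string(raw)
    flags = []
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", "")) or from_dom
    # A domain within two edits of a trusted one, but not identical, is a likely lookalike.
    for dom in sorted({from_dom, reply_dom}):
        if dom and dom not in TRUSTED_DOMAINS:
            for trusted in sorted(TRUSTED_DOMAINS):
                if levenshtein(dom, trusted) <= 2:
                    flags.append(f"lookalike domain {dom} resembles {trusted}")
    # Replies silently routed to another domain are a classic account-takeover sign.
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if PAYMENT_CHANGE.search(msg.get_payload()):
        flags.append("message requests a change of payment details")
    return flags


# Constructed sample: a lookalike domain ('1' for 'l') asking for funds to go elsewhere.
SAMPLE = """From: Completions <completions@examp1ebank.co.uk>
Subject: Completion funds - urgent
Content-Type: text/plain

Please note our bank details have changed. Send completion monies to the new account below.
"""
```

Any non-empty result is a prompt for the fee earner to confirm the payment details by phone on a known number rather than by replying to the email.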
Practical measures include regular penetration testing to identify vulnerabilities, and clear communication, both with clients and internally – for example, to make it clear that senior management will never ask staff to override the firm’s procedures. A no-blame culture around phishing emails is crucial. If people feel they may be blamed, they are less likely to report a potential incident, leaving the business exposed.