Posted 8th January 2025
BCN understands that maintaining the best cyber security for law firms means staying up to date with the most suitable products, tools & services that offer the greatest protection.
Our knowledge and industry-specific experience for the legal industry & law firms is augmented by partnerships with leading experts to ensure that BCN’s services always follow best practice with the most suitable solutions for our clients.
As part of our IT support for law firms, we are proud to work with CloudGuard in this space and often collaborate on valuable and interesting resources to offer insights and tips for our clients and the wider industry.
Together, we keep law firms safe from the ever-evolving cybersecurity threat landscape that they currently operate in and remain mindful of what dangers may be around the corner.
The ongoing sophisticated nature of bad actors and cyber-criminal groups means that certain industries, spaces and the organisations that work within them are high on the targeted list for cyber-attacks. All the signposts are there to indicate that legal services are one of the most coveted targets.
Legal services in the UK handle over £43 billion worth of transactions with 320,000 people working in the sector across almost 33,000 companies. That’s an astonishing number of people working with valuable data every single day.
The National Centre for Cyber Security was even moved to issue a direct warning to all UK legal organisations, stating the risks in no uncertain terms:
“The legal sector is increasingly being targeted by cyber criminals due to the vast amounts of sensitive data, including intellectual property, personal data, and commercially sensitive information, that law firms hold.”
It is therefore vital that all risks, vulnerabilities and blind spots are attended to in the most comprehensive way.
Cyber-crime in legal services may result from a criminal organisation, a lone operator or state-sponsored bad actors, but they will all be looking for three primary vulnerabilities to prey on for an attack.
Insider threats posed from both malicious individuals and accidental sources present a huge risk. This can range from impersonation of key personnel that may be working on a case, social engineering carried out to gather sensitive & confidential data and even actual employees with unrestricted access to share and sell.
In the event of a successful Ransomware cyber-attack, all data is encrypted and unusable until a ransom is paid to the aggressor. For legal services there is also the double extortion threat of such sensitive information being leaked that increases the jeopardy, impact and potential reputational damage. The notorious ransomware group, LockBit, has been particularly active in the legal services around the world for the last few years, claiming responsibility for several high-profile UK victims in this space.
It is impossible to overemphasise the dangers of phishing in any cyber security discussion. 89% of businesses had direct experience of a phishing attack in 2023 and that trend unfortunately continued into 2024. Advances in AI and Machine Learning have made this strategy even more difficult to spot for employees who fall foul of revealing sensitive information or allowing malware to infiltrate entire IT networks.
It was clear that governments and regulatory bodies for legal services would be forced to act in response to the growing cyber security threats. With the industry undergoing large scale digital transformation over the last decade, and connectivity and data sharing becoming part of every workflow, standards are being put in place that attempt to mitigate the risks and manage the information gathered in cyber-attacks.
In the USA, the SEC implemented new reporting requirements from the start of 2024 that impacted in three ways. Importantly, these also apply to any UK or international organisations that have companies listed in the country. With the global nature of legal services and ongoing merger & acquisitions, these new standards will already be expected of them. The SEC wants to see evidence of the following.
The pressure is now on for legal services organisations and law firms to adhere to these regulations and avoid any punitive measures. Undoubtedly, these steps are good news and will tighten up security strategies right across the legal service supply chain, but there are still some unknowns and developing criteria that make this a significant challenge.
Having a documented protection and response strategy will go a long way to covering your own compliance if your organisation is drawn into a cyber security event as a threatened victim of a third party.
CloudGuard ran a few case studies and tests in a non-invasive way to see how UK legal organisations are shaping up in the new worlds of cyber security for law firms.
This makes it possible for managed service providers such as BCN to align the data from the results with our own processes, methodology and research to promote ways of making the attack surface of law firms much leaner and more capable to respond to the current threat landscape and regulatory requirements.
The aim here is for us all to identify any blind spots for security and always provide a robust 360-degree view of your security posture.
The studies showed that cyber security for lawyers was consistently below industry averages. The number one issue experienced in cyber security for law firms in the UK was the use of email communication to expose weaknesses and launch attacks.
Although it may come as no surprise that phishing was the number one threat, it was alarming how little care had been taken for the basic hygiene practices that can go a very long way to bolstering security resilience and informing the new regulatory aspects required.
Several factors may account for this with multiple disparate, and often global, IT teams responsible for cyber security across potentially hundreds of websites, domains, devices and crucially the training and education of employees, for one organisation.
However, revisiting these essential measures or connecting with a trusted and specialist managed service provider to audit current cyber security solutions is always advised.
There are three basic areas of best practice and hygiene that act as defences against the threat of phishing, ransomware and insider threats in cyber security for law firms.
This involves understanding the fundamentals of spoofing controls to prevent bad actors from successfully pretending to be someone they are not to extract sensitive information or manipulate behaviour that leads to a cyber security breach.
DMARC (Domain-based Message Authentication, Reporting and Conformance). This protocol protects against phishing by determining what to do with messages that fail the checks. 25% of the law firms studied did not have this in place or had it set up incorrectly, rendering it useless.
SPF (Sender Policy Framework). This prevents unauthorised sources sending emails from your domain on your behalf. All the organisations in the study have this applied, but without all three records in place it loses much of its efficacy and leaves vulnerabilities.
DKIM (DomainKeys Identified Mail). This is a digital signature to verify email integrity and sender authenticity. Almost half of the law firms in the study did not have this record for their outgoing emails.
It is essential to note that the absence of any of these three records is used by bad actors to assess vulnerabilities when considering targets for attacks.
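A firm can check its own domains for these three records. The following is an added example, not BCN's or CloudGuard's tooling: it audits constructed TXT records for the placeholder domain `example.com`, and the DKIM selector `selector1`, the record values and the choice to flag a non-enforcing DMARC policy are assumptions of the example rather than findings of the study.

```python
# Added example: audits constructed TXT records for the placeholder domain
# example.com; in practice the strings would come from DNS TXT lookups.
WEAK = {  # constructed: SPF present, DKIM absent, DMARC monitoring-only
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED = {  # constructed; the DKIM p= value is a truncated placeholder key
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBg"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax used by DKIM and DMARC."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def records(txt, name, prefix):
    """All TXT strings published at `name` that start with `prefix`."""
    return [r for r in txt.get(name, []) if r.lower().startswith(prefix)]


def audit(domain, txt, selector="selector1"):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    spf = records(txt, domain, "v=spf1")
    if len(spf) != 1:  # zero is unprotected; more than one is an SPF error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].split()[-1].lower() in ("all", "+all"):
        findings.append("SPF: record authorises every sender")

    dkim_name = f"{selector}._domainkey.{domain}"
    dkim = txt.get(dkim_name, [])
    if not dkim:
        findings.append(f"DKIM: no record at {dkim_name}")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: empty p= tag, key is revoked")

    dmarc = records(txt, f"_dmarc.{domain}", "v=dmarc1")
    if not dmarc:
        findings.append("DMARC: no record")
    elif parse_tags(dmarc[0]).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: policy is not enforcing (p=none or invalid)")
    return findings


if __name__ == "__main__":
    for label, zone in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit("example.com", zone))
```

DKIM selectors are chosen per sending service, so a real audit has to be given the selectors the firm's mail platforms actually use.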
This baseline defence of cybersecurity for law firms provides a strong foundation for maximum protection. However, this should only ever be the beginning of an ongoing and consistent emphasis on prioritised cybersecurity for law firms. Planning & reviewing current measures, threat levels and the size of your attack surface will lead to evolved safety.
Acting quickly through threat monitoring, identification and response allows you to use all available data to prioritise where your defences should be strengthened. As threats are discovered, the information is used for rapid response and optimised security for the future. Reports can greatly inform the processes and protocols then applied all the way through your supply chain.
Preparing and testing any likely cyber security scenarios to see how your infrastructure will cope is a great way of maintaining resilience and awareness. This learning also needs to be combined with all the information and cyber security resources that are available to you on a general level and from industry-specific resources. Sharing and disseminating this understanding across partners and supply chain stakeholders will strengthen any future response.
The evolution of cyber security for law firms requires maintenance, resources and prioritisation right across the organisation and its people.
As a leading managed service provider for business technology, BCN is perfectly placed to review, consult and create new strategies and solutions in cyber security for law firms.
Our team is ever present on the front line of research and development with partners like CloudGuard providing the tools for us to implement. It’s always worth talking to us about how your current strategy will hold up to attacks and what steps can be taken to improve your overall security posture.
If you would like an initial chat with us or want to book a free secure score assessment to see if your organisation is at risk, then please do contact us straight away.