Good things are happening in British business
Find out how some of our customers have evolved their businesses in innovative ways.
Read time : 10 mins Added: 19/05/2023
Amidst the surge in digitalisation, cybercriminals are mobilising on an industrial scale. 39% of businesses in the UK identified a cyberattack during 2022, with at least one in five (21%) experiencing a sophisticated attack such as ransomware or malware. Hackers have more opportunities than ever at their fingertips, meaning that an attack is no longer a case of ‘if’, but ‘when’. What’s more, given that law firms have access to valuable transactions and data, the legal sector is a lucrative target.
Law firms are the linchpins of business and commercial transactions. They enable high value deals, handle significant sums of money and store huge quantities of confidential client data. As a result, they offer an attractive opportunity to cybercriminals looking to either steal these assets, or use them to extort the firm. This is confirmed by the volume of attacks experienced by solicitors; 75% of firms interviewed by the Solicitors Regulation Authority (SRA) had been the subject of a cyberattack.
The most common cyberthreat facing law firms is phishing, or the practice of sending emails or messages to manipulate users into revealing sensitive information. In 2020, 83% of attacks on businesses were deployed via phishing techniques, with just under half (48%) reporting that phishing was the sole form of cyberattack they had experienced.
While some examples of phishing or social engineering can be easy to identify, with spelling errors, requests for payment via links, incorrect company logos and anonymous or unknown senders all pointing towards the likelihood of a phishing attempt, techniques have become more advanced. The use of ‘spear phishing’ – a more targeted attempt which uses specific or personal information of interest to the target – means that the cybercriminal’s fraudulent email can be well informed and look indistinguishable to the real thing.
Law firms should also be conscious of other cyberthreats such as ‘man-in-the-middle’ attacks, which can be used to misdirect funds, and SQL injections (the insertion of malicious code into the target’s system, application or website). Malware and ransomware also represent risks to the legal sector, especially since the latter is designed to block access to vital systems and services, such as client databases and sensitive documents. Ransomware attacks are gathering speed, with the number of incidents reported to the Information Commissioner’s Office (ICO), doubling between 2020 and 2021.
When a cybercriminal strikes, the cost – both financially and in terms of resources – can extend far beyond the attack. Directly, there is the cost of the attack itself, which could come either in the form of the funds stolen from the firm, or in the money (often in the form of cryptocurrency) demanded by the cybercriminals via blackmail.
However there is also the aftermath to consider, in terms of the cost of complying with UK GDPR regulations. In the event of an attack that leads to a data breach, the firm must inform the ICO within 72 hours and notify any affected individual of the loss of their data, which can be expensive both in terms of time and the required expertise.
On another level, there are also the costs incurred as a result of the disruption caused to consider, particularly in the event of a ransomware attack during which all files will be encrypted and systems rendered useless. According to the SRA, one firm lost £150,000 worth of billable hours as a result of an attack which crippled their system and resulted in their solicitors being unable to do their jobs.
The financial repercussions of a cyberattack can also occur on a long-term basis in the form of reputational damages. The loss of clients’ trust can devastate a business such as a law firm, whose core proposition is dependent on reliability, responsibility and security.
Finally, although the attack is digital, the effects can be very much human. Firms interviewed by the SRA confirmed that cyberattacks caused life-changing repercussions including an increased level of stress and debilitating anxiety among staff, impacts on employee’s ability to retire, and firings and demotions.
"Threat-actors arbitrarily attack organisations and activity has only proliferated owing to the increased surface-attack area amid remote working, and the increased cross-pollination of supply chains. Coupled with a greater dependency on outsourced IT vendors and an ever-increasing move to public cloud platforms, this presents greater opportunities for the exploit of personal data or the infiltration of funds; stored, transferred or held in escrow. It is not a matter of if, but when, for organisations of any operation or size."
Just as you’d use a number of different security measures to keep your physical premises safe – from multiple locks to alarms and security cameras – the same should be true when it comes to defending your business online.
Here are seven tips to ensure that your firm is prepared in the event of an attack:
Plan for action: Develop a cyberattack incident management strategy. Identify the company’s critical information, assets and services and understand where they are stored. Select key individuals who will take charge when an incident occurs, which actions should take place to manage the event, and note the details of IT vendors and cyber liability insurance policies. Currently, just 19% of businesses have a formal incident response plan, while 39% have assigned roles in the event of a crisis.
Go offline: Keep a hard copy of the strategy so that if the firm’s system is locked as a result of a ransomware attack, the information is still accessible.
Brick by brick: You can consult the step-by-step guidance offered in Lloyds Bank’s Cyber Guidance (PDF, 5.1MB) brochure. For a more comprehensive view, we strongly recommend that you consider becoming certified through the government’s Cyber Essentials scheme.
Knowledge is power: Mitigate the risk of human error by training all colleagues on topics including how to spot phishing emails through tests or simulations, how to set up secure passwords, and how to safeguard client data, as well the processes to be followed when transferring sums of money.
Duplicate and defend: Backup all files offline regularly (not connected to your network) to minimise disruption and loss in the event of a data breach or ransomware attack. These should be kept offline also to avoid threat actors compromising these also – leaving the firm with no viable backups with which to restore systems from.
Gain peace of mind: Given that 31% of UK businesses experienced a cyberattack at least once a week during 2022, law firms cannot afford to be unprepared. Lloyds Bank offers bespoke cyber liability insurance2 through our partner, AJ Gallagher, which can include a review of your exposure to cyber liabilities, help with developing cyber risk management procedures, and recommendations of firms to help you respond to an attack.
Maintain operations: It’s estimated that in 2022, the average estimated cost of each cyberattack was £4,200, rising to £19,400 when looking exclusively at medium and large businesses. If unprepared, the financial ramifications of a cyberattack can choke a business’ cashflow, leaving the business itself in jeopardy. Explore working capital solutions available through Lloyds Bank to ensure that your firm can still operate if cybercriminals strike.
Where to go from here:
In addition to the above, consider the questions expressed in our Cyber Risk Guidance (PDF, 5.1MB), such as:
As digital transformation surges, cyberattacks on businesses – especially in the legal sector – have become inevitable. Lloyds Bank is here to support you as you develop your cybersecurity strategy, so speak to your Relationship Manager for more information on how we can play a role in defending your firm.
1 eDiscovery is a process that enables solicitors to identify and supply digital information that can be used as evidence.
2 Lloyds Bank plc is an introducer to Arthur J. Gallagher Insurance Brokers Limited who arrange and administer Lloyds Bank Business Insurance Services and source products from a panel of insurers.