Under cyberattack: How can law firms defend themselves?
Read time: 10 mins. Added: 19/05/2023
Amidst the surge in digitalisation, cybercriminals are mobilising on an industrial scale. 39% of businesses in the UK identified a cyberattack during 2022, with at least one in five (21%) experiencing a sophisticated attack such as ransomware or malware. Hackers have more opportunities than ever at their fingertips, meaning that an attack is no longer a case of ‘if’, but ‘when’. What’s more, given that law firms have access to valuable transactions and data, the legal sector is a lucrative target.
Taking aim: Why do cybercriminals have law firms in their sights?
Law firms are the linchpins of business and commercial transactions. They enable high value deals, handle significant sums of money and store huge quantities of confidential client data. As a result, they offer an attractive opportunity to cybercriminals looking to either steal these assets, or use them to extort the firm. This is confirmed by the volume of attacks experienced by solicitors; 75% of firms interviewed by the Solicitors Regulation Authority (SRA) had been the subject of a cyberattack.
Understanding the threat: Which kind of attacks are law firms most exposed to?
The most common cyberthreat facing law firms is phishing, or the practice of sending emails or messages to manipulate users into revealing sensitive information. In 2020, 83% of attacks on businesses were deployed via phishing techniques, with just under half (48%) reporting that phishing was the sole form of cyberattack they had experienced.
While some examples of phishing or social engineering can be easy to identify – spelling errors, requests for payment via links, incorrect company logos and anonymous or unknown senders all point towards a likely phishing attempt – techniques have become more advanced. ‘Spear phishing’ – a more targeted attempt that uses specific or personal information of interest to the target, such as the name of a client, a live matter or a colleague – means that the cybercriminal’s fraudulent email can be well informed and look indistinguishable from the real thing.
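The indicators listed above can be turned into a rough automated screening check. The following is an added example, not code from this article or from any Lloyds Bank tool: the trusted-domain list, the two sample messages and the indicator names are constructed for illustration, and the heuristics (reply-to mismatch, look-alike sender domain, display-name spoofing, link text that shows a different host from the real link target, and a payment request delivered via a link) are the ones the text describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the firm regards as known correspondents (assumed for this example).
TRUSTED_DOMAINS = {"example-law.co.uk", "client-bank.example"}
# Wording that, combined with a link, suggests a request to move money.
PAYMENT_WORDS = ("bank details", "transfer", "payment", "invoice", "urgent")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return the list of indicator names triggered by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Sender is either unknown or a near-miss of a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        if any(0 < edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS):
            findings.append("lookalike-domain")
        else:
            findings.append("unknown-sender")
    # Display name borrows a trusted name while the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in from_name.lower() and from_dom != trusted:
            findings.append("display-name-spoof")

    body = (msg.get_payload() if not msg.is_multipart()
            else "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart()))
    links = LINK_RE.findall(body)
    for href, shown in links:
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        # Anchor text that looks like a URL but points somewhere else.
        if DOMAIN_RE.fullmatch(shown):
            shown_url = shown if "://" in shown else "http://" + shown
            if (urlparse(shown_url).hostname or "") != (urlparse(href).hostname or ""):
                findings.append("link-text-mismatch")
                break
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if links and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment-request-via-link")
    return findings


# Constructed sample messages (not real correspondence).
LEGIT = """From: Accounts <accounts@client-bank.example>
To: partner@example-law.co.uk
Subject: Completion statement
Content-Type: text/html

<p>Please find attached the completion statement.</p>
"""

SPEAR = """From: Example Law Accounts <accounts@examp1e-law.co.uk>
Reply-To: accounts@mail-relay.example.net
To: partner@example-law.co.uk
Subject: URGENT: updated bank details for completion
Content-Type: text/html

<p>Our bank details have changed. Please confirm the transfer via
<a href="http://pay.attacker.example/confirm">https://client-bank.example/pay</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT), ("spear-phishing", SPEAR)):
        print(name, phishing_indicators(raw))
```

Heuristics like these are a screening aid for staff and mail filters, not a verdict: a well-crafted spear-phishing email sent from a genuinely compromised client mailbox would pass every check above, which is why the process controls for transferring money (call-back verification of any change of bank details on a known number) matter more than any single technical indicator.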
Law firms should also be conscious of other cyberthreats such as ‘man-in-the-middle’ attacks, in which an attacker intercepts communications between two parties and can alter them in transit (for example, substituting bank account details in a conveyancing email so that completion funds are misdirected), and SQL injection, in which untrusted input is placed into a database query so that it is executed as SQL, exposing or altering the data behind an application or website. Malware and ransomware also represent risks to the legal sector, especially since the latter is designed to block access to vital systems and services, such as client databases and sensitive documents, until a ransom is paid. Ransomware attacks are gathering speed, with the number of incidents reported to the Information Commissioner’s Office (ICO) doubling between 2020 and 2021.
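To make the SQL injection risk concrete, here is an added example (not code from this article or from any law-firm system) showing a case-lookup query that concatenates user input, the attacker input that turns it into a dump of every matter in the table, and the parameterised query that closes the hole. It uses Python’s built-in sqlite3 module with an in-memory database; the table, column names, sample rows and function names are constructed for illustration.

```python
import sqlite3


def setup_db():
    """Create a constructed in-memory 'matters' table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (ref TEXT, client TEXT, fee_earner TEXT)")
    conn.executemany("INSERT INTO matters VALUES (?, ?, ?)", [
        ("M-1001", "Acme Holdings", "j.smith"),
        ("M-1002", "Bloggs Estate", "a.jones"),
        ("M-1003", "Acme Holdings", "a.jones"),
    ])
    return conn


def matters_for_vulnerable(conn, fee_earner, ref):
    """VULNERABLE: input is concatenated into the SQL text, so a value
    containing quotes changes the structure of the query itself."""
    sql = ("SELECT ref, client FROM matters WHERE fee_earner = '" + fee_earner
           + "' AND ref = '" + ref + "'")
    return conn.execute(sql).fetchall()


def matters_for_safe(conn, fee_earner, ref):
    """FIXED: placeholders keep data and query structure separate; the driver
    passes the values as data, so they can never become SQL."""
    sql = "SELECT ref, client FROM matters WHERE fee_earner = ? AND ref = ?"
    return conn.execute(sql, (fee_earner, ref)).fetchall()


# Constructed attacker inputs for the 'ref' field.
# 1) Always-true condition: AND binds tighter than OR, so the WHERE clause
#    becomes (fee_earner='j.smith' AND ref='') OR '1'='1', i.e. every row.
BYPASS = "' OR '1'='1"
# 2) UNION: appends a second SELECT that reads a column the query never
#    exposed (fee_earner), and comments out the trailing quote.
UNION = "x' UNION SELECT ref, fee_earner FROM matters --"


def demo():
    conn = setup_db()
    return {
        "intended": matters_for_safe(conn, "j.smith", "M-1001"),
        "vuln_bypass": matters_for_vulnerable(conn, "j.smith", BYPASS),
        "vuln_union": matters_for_vulnerable(conn, "j.smith", UNION),
        "safe_bypass": matters_for_safe(conn, "j.smith", BYPASS),
        "safe_union": matters_for_safe(conn, "j.smith", UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The safe version is not doing any escaping: it simply never lets the input touch the query text, which is why parameterised queries (and ORMs that use them underneath) are the standard remedy rather than input filtering.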
Assessing the damage: What are the financial risks to law firms?
When a cybercriminal strikes, the cost – both financially and in terms of resources – can extend far beyond the attack. Directly, there is the cost of the attack itself, which could come either in the form of the funds stolen from the firm, or in the money (often in the form of cryptocurrency) demanded by the cybercriminals via blackmail.
However, there is also the aftermath to consider, in particular the cost of complying with UK GDPR. If an attack leads to a personal data breach, the firm must report it to the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk to the people concerned, notify those individuals without undue delay. Doing this properly is expensive both in time and in the expertise required.
On another level, there are also the costs incurred as a result of the disruption caused, particularly in the event of a ransomware attack, during which files are encrypted and systems rendered unusable. According to the SRA, one firm lost £150,000 worth of billable hours as a result of an attack which crippled its systems and left its solicitors unable to do their jobs.
The financial repercussions of a cyberattack can also occur on a long-term basis in the form of reputational damages. The loss of clients’ trust can devastate a business such as a law firm, whose core proposition is dependent on reliability, responsibility and security.
Finally, although the attack is digital, the effects can be very much human. Firms interviewed by the SRA confirmed that cyberattacks caused life-changing repercussions, including increased stress and debilitating anxiety among staff, impacts on employees’ ability to retire, and firings and demotions.
"Threat-actors arbitrarily attack organisations and activity has only proliferated owing to the increased surface-attack area amid remote working, and the increased cross-pollination of supply chains. Coupled with a greater dependency on outsourced IT vendors and an ever-increasing move to public cloud platforms, this presents greater opportunities for the exploit of personal data or the infiltration of funds; stored, transferred or held in escrow. It is not a matter of if, but when, for organisations of any operation or size."
Building the shield: How to develop a cyberdefence strategy
Just as you’d use a number of different security measures to keep your physical premises safe – from multiple locks to alarms and security cameras – the same should be true when it comes to defending your business online.
Here are seven tips to ensure that your firm is prepared in the event of an attack:
Plan for action: Develop a cyberattack incident management strategy. Identify the company’s critical information, assets and services and understand where they are stored. Select the key individuals who will take charge when an incident occurs, define which actions should take place to manage the event, and note the details of IT vendors and cyber liability insurance policies. Currently, just 19% of businesses have a formal incident response plan, while 39% have assigned roles in the event of a crisis.
Go offline: Keep a hard copy of the strategy so that if the firm’s system is locked as a result of a ransomware attack, the information is still accessible.
Brick by brick: You can consult the step-by-step guidance offered in Lloyds Bank’s Cyber Guidance (PDF, 5.1MB) brochure. For a more comprehensive view, we strongly recommend that you consider becoming certified through the government’s Cyber Essentials scheme.
Knowledge is power: Mitigate the risk of human error by training all colleagues on topics including how to spot phishing emails (reinforced through tests or simulations), how to set up secure passwords and how to safeguard client data, as well as the processes to be followed when transferring sums of money.
Duplicate and defend: Back up all files regularly to storage that is kept offline (not connected to your network) to minimise disruption and loss in the event of a data breach or ransomware attack. Ransomware operators routinely look for and encrypt or delete any backups they can reach from the network, which would leave the firm with no viable copy from which to restore its systems; keeping the backups offline prevents this. Test a restore from those backups periodically, so that the firm knows before an incident that they actually work.
Gain peace of mind: Given that 31% of UK businesses experienced a cyberattack at least once a week during 2022, law firms cannot afford to be unprepared. Lloyds Bank offers bespoke cyber liability insurance² through our partner, AJ Gallagher, which can include a review of your exposure to cyber liabilities, help with developing cyber risk management procedures, and recommendations of firms to help you respond to an attack.
Maintain operations: It is estimated that in 2022 the average cost of each cyberattack was £4,200, rising to £19,400 when looking exclusively at medium and large businesses. If unprepared, the financial ramifications of a cyberattack can choke a business’s cashflow, leaving the business itself in jeopardy. Explore working capital solutions available through Lloyds Bank to ensure that your firm can still operate if cybercriminals strike.
Where to go from here:
In addition to the above, consider the questions expressed in our Cyber Risk Guidance (PDF, 5.1MB), such as:
- Who might want to attack your firm, and what might the impact of a successful attack be?
- Do you have a risk appetite for different types of cyber events impacting your businesses?
- Do you know where your business is vulnerable and how you can resolve this?
- Have you risk assessed how well your critical assets are protected?
- Do you have a process to regularly review key information, data assets, and the cyber threat to your business?
As digital transformation surges, cyberattacks on businesses – especially in the legal sector – have become inevitable. Lloyds Bank is here to support you as you develop your cybersecurity strategy, so speak to your Relationship Manager for more information on how we can play a role in defending your firm.
1 eDiscovery is a process that enables solicitors to identify and supply digital information that can be used as evidence.
2 Lloyds Bank plc is an introducer to Arthur J. Gallagher Insurance Brokers Limited who arrange and administer Lloyds Bank Business Insurance Services and source products from a panel of insurers.