Cyber criminals turn their attention to the legal sector

We are now more digitally advanced and switched on than ever. During lockdown, online transactions grew 16% year-on-year as we used the internet for all our shopping needs. Businesses adapted to this new way of working too, albeit more slowly.


Yet, this has inevitably brought risk, with cyber criminals taking full advantage of the unsuspecting and vulnerable, and the threat is increasing.


The legal sector, for example, is an industry with much to lose. Whether it is the personal details of clients involved in lawsuits, details of mergers and acquisitions, intellectual property or the details of a mortgage, criminals will take and exploit everything they can. When this happens, the targeted law firm’s reputation will be damaged, and the organisation itself or the lawyer involved could face legal action for failing to put in place the security measures needed to prevent the data breach that allowed the sensitive information to end up in the hands of cyber criminals.


These online intruders are highly professional at what they do. With ransomware as their threat of choice, they are honing their skills to become ever more adept at extracting data through this type of attack. The average time to identify a breach in 2020 was 228 days (IBM).


What are the future trends?

1 – Cyber Essentials

Law firms must understand where sensitive client data lies, how it is being secured, what administrative and technical measures they take to protect confidential information and be able to show that they take this risk seriously. Having a formal accreditation such as Cyber Essentials is one way of showing this.

2 – Cloud migration

The cloud offers increased security against data theft which law firms cannot overlook; however, there are still risks involved, especially around misconfiguration. A Gartner study found that 95% of cloud breaches are the result of misconfigurations. A remote vulnerability assessment can also show up any obvious weaknesses.

3 – Phishing

This remains the main attack route for all firms and emphasises the need to train all staff within an organisation about the risks of cybercrime. In a scam email or text message, a criminal’s goal is to convince the recipient to click a link. Once clicked, you may be sent to a dubious website which could download malware onto your computer or steal your passwords and personal information.

Over the phone, the approach may be more direct, asking you for sensitive information, such as banking details.

They do this by pretending to be someone you know well, or from an organisation you trust. This could be your internet service provider (ISP), local council, or a customer.


What can legal firms do?

- Staff awareness training – ensure your staff know the warning signs of a phishing email and what to do if they get one.

- Passwords – make sure you change default passwords on all devices and systems. Most default passwords can easily be found online. Passwords need to be unique and complex, both for admin accounts and basic users. Consider whether a password manager could help your staff remember and generate strong passwords.

- Update your systems – ensure all your devices and systems are updated as soon as possible. Criminals are aware of the vulnerabilities in systems and will actively try to exploit them as soon as they can.

- Have offline backups and test the recovery of data from them – database backups are essential for protection against data loss that can completely disrupt business operations.

- Join the Eastern Cyber Resilience Centre (ECRC) with free core membership – we can provide up-to-date guidance, tools and details of threats in the region as well as affordable cyber services.

- Get Cyber Essentials accredited – Cyber Essentials is a simple but effective, government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks. It mitigates up to 90% of common cyber threats and the ECRC Trusted Partners are accreditation bodies which can help you achieve this.
