
If you're in the legal sector, don't make the same mistake

The risk to legal firms has not disappeared.


There have been more recent attacks on legal firms, with ransomware being deployed after data has been stolen.


The attacks have had such a significant impact that the NCSC and the ICO have sent a joint letter to the Law Society and the Bar Association asking them to reinforce the need for cyber resilience in every firm in the UK. You can read the full letter here, but below are some of the key extracts.


“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.


Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance - may change that position. More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data. UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident. As regulator, the ICO recognises in setting its response and any penalty level the actions taken to mitigate the risk of harm to individuals involved in a data breach. For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.


Where the ICO will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”


The risks are huge to law firms.

People entrust sensitive details to legal teams with the expectation of confidentiality. Commercially sensitive business agreements, civil cases and even criminal cases under investigation have previously been stolen and then leaked.


Most of these attacks could have been prevented through the use of fundamental cyber security controls.

Cyber Essentials is a government accreditation which you can only obtain if you have these fundamentals in place. With so much at risk if a firm falls victim to a cyber-attack, Cyber Essentials is the minimum standard that the legal sector should adopt. You can find out more about Cyber Essentials here.


And if you don’t know whose responsibility it is to implement cyber resilience in your firm, we’ll make it simple.

Cyber resilience is everybody’s responsibility.


Last year the ECRC, the NCSC and local police protect officers hosted a webinar about the risks to the legal sector – you can get all the information from the session here.


A legal firm that was hacked said:

‘If the ECRC had approached us about joining the centre the day before the attack we would have been interested in what they had to say, but we would probably not have joined the centre or significantly changed our current processes around cyber resilience.’

Don’t make the same mistake.



If you would like some help to improve your cyber resilience, join our free community.

The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.


Our members can benefit from a range of services, from helping you improve your cyber resilience through our “little steps” programme to being notified about the threats relevant to you.


Why not join our community today?


Policing led – business focused.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
