The risk to legal firms has not disappeared.
There have been more recent attacks on legal firms, with ransomware being deployed after data has already been stolen.
The attacks have had such a significant impact that the NCSC and the ICO have sent a joint letter to the Law Society and the Bar Council asking them to reinforce the need for cyber resilience in every firm in the UK. You can read the full letter here, but some of the key extracts are below.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.
Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position. More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data. UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident. As regulator, the ICO recognises in setting its response and any penalty level the actions taken to mitigate the risk of harm to individuals involved in a data breach. For the avoidance of doubt, the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals, and this will not reduce any penalties incurred through ICO enforcement action.
Where the ICO will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”
The risks to law firms are huge.
People entrust sensitive details to legal teams with the expectation of confidentiality. Commercially sensitive business agreements, civil case files and even material from ongoing criminal investigations have previously been stolen and then leaked.
Most of these attacks could have been prevented through the use of fundamental cyber security controls: boundary firewalls, secure configuration, user access control, malware protection and security update management (patching).
Cyber Essentials is a government-backed certification scheme which you can only obtain if you have these fundamentals in place. Given the impact a successful attack has on a firm, Cyber Essentials is the minimum standard that the legal sector should adopt. You can find out more about Cyber Essentials here.
And if you don’t know whose responsibility it is to implement cyber resilience in your firm, we’ll make it simple.
Cyber resilience is everybody’s responsibility.
Last year the ECRC, the NCSC and local police Protect officers hosted a webinar about the risks to the legal sector – you can get all the information from the session here.
A legal firm that was hacked said:
‘If the ECRC had approached us about joining the centre the day before the attack we would have been interested in what they had to say, but we would probably not have joined the centre or significantly changed our current processes around cyber resilience.’
Don’t make the same mistake.
If you would like some help to improve your cyber resilience, join our free community.
The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing the cyber resilience of SMEs within the East of England.
Our members benefit from a range of services, from help improving their cyber resilience through our "little steps" programme to being notified about the threats relevant to them.
Why not join our community today?
Policing led – business focused.