PalisadeSECURE’s Luke Drewer discusses the increased threat of cyber attacks and how law firms should be protecting themselves
There is a new weapon of war being deployed around the world. You cannot see it, but the evidence is all around us. In response to the recent US, UK and French strikes targeting President Bashar Assad’s chemical weapons in Syria, it is thought that Russia will launch a ‘dirty cyber war’ and Britain is getting prepared.
Law firms are attractive targets for cyber criminals and attacks are often indiscriminate – size and revenues do not seem to matter. It is thought that 62% of law firms are victims of cyber attacks, with only 35% of law firms having a mitigation plan in place in case of an attack.
In December 2017, a London law firm suffered a cyber attack causing emails to be sent out from a law firm address. The firm’s email account had been hacked and 16,000 emails were sent under the subject ‘Action required – Matter for Attention’, asking recipients to open an ‘urgent’ attachment.
A recent survey carried out by SiO4, analysing the top ten UK law firms ranked by turnover, found that one of the top five firms had just over 7,800 compromised credentials out on the dark web, with the newest password updated within ten days of the report being generated.
Information held by law firms is often highly sensitive for both the firm and their clients, and if compromised can cause significant damage to the firm’s integrity.
Regulation and punitive fines have significantly changed the landscape within the finance sector over the past ten years, and evidencing is a critical part of assurance and governance. It is no longer good enough to tick boxes – a company may have a robust information security policy in place, but is it tested? Is it reviewed at least annually? And does it have senior partners’ sign-off?
In response to the ever-increasing cyber threat, the UK government have pledged to make the UK the safest place to do business and, to this end, have developed the Cyber Essentials program to ensure UK companies are doing what they can to mitigate as much of the threat as possible. That threat is seen as hacking and malware.
Cyber Essentials specifically looks at five key areas that a business should be addressing:
1) Securing your internet connections – this is done through a firewall.
2) Securing your devices and software – this is ensuring you have robust password policies in place and hardened device configuration.
3) Controlling access to your data and services – this is to ensure that only the users you want to reach the information and services within your network can do so, and that they have only the access they require.
4) Protection from viruses and other malware – ensuring that your anti-virus and malware programs are kept up to date at all times and are configured adequately.
5) Keeping your devices and software up to date – it is thought that doing this alone reduces your risk profile by up to 80%.
Cyber Essentials Plus provides independent testing of these controls and a level of assurance that your business and the data you hold is protected according to the Cyber Essentials program.
In an age where cyber warfare is the weapon of choice, we all have a collective responsibility to act and to protect information we hold on systems we own.
For more information, please contact:
Luke Drewer, chief executive and founder, PalisadeSECURE,
East of England cyber security ambassador for Institute of Directors
T: 01702 749 651