Phil Limb and Marianne McWilliams from Miller’s Solicitors team recently spent time with Nic Miller of Aedile Consulting to discuss the cyber threat landscape for law firms. In the first of our four-part series, we discuss Nic’s views on why law firms are more vulnerable to cyber-attacks.
Are law firms at higher risk than other professions?
All firms face an increasing risk of cyber-attacks, predominantly for financial purposes and monetisation by the attacker. We have seen a huge growth in attacks against small, medium and large businesses that are specifically designed to either extort money from a business or to conduct some sort of fraud. Law firms are not in any way immune from that risk, and in fact have a heightened exposure to two of the key risk areas.
One of the attractions for cyber criminals is if a firm moves a lot of money through its business, be that their own funds or that of clients, as they will seek to identify and reroute those transactions. In some industries you see this being done with high value invoices, but any high value payment is a good target for cyber-crime groups.
Is there a particular financial target that cyber criminals aim for?
Any significant amount of money that's easy to reroute is a target. The hardest funds to reroute are small transactions that always go from the same place to the same place. The larger the transaction and the more infrequent, the easier it is to disrupt because it goes to a new place every time so it’s easier for a cyber-criminal to add their bank account as the new destination. Whereas if that money has for the last 1000 times gone to the same bank account, trying to get it to go to a different one is difficult.
But any kind of big financial transfers are absolutely a target. And to be honest, what constitutes big is also something that companies don't necessarily think about. If you're a cybercrime group and you can get your hands on even just £10,000 with little to no effort, for say half an hour's work, that's a huge payout.
The bigger, more organised groups will go after the larger payouts, partly because they're bigger and they need to pay more people, but also because they know they have the skills to do it. But there are also lots of individuals who are not necessarily affiliated to the bigger groups, who might just be doing it for themselves. These might be lower sophistication attackers who don't want to target bigger firms because they might be better protected. Again, if an individual can secure £10,000 to £20,000 a day in fraud then there is an incentive to do that.
It does put things into context as some will think “my firm’s less likely to be a target, I'm not doing conveyancing, I'm not a big firm”.
Some attackers will download a target list of random email addresses harvested from the internet and go from there. Many start to focus their efforts, whether that’s targeting an industry vertical, a type or size of company. They're not interested in you, per se, but you are still on a list because you are the right type of company, right size for that attacker. The problem is there are so many attackers out there. Each one has their own criteria. It's not possible to know which lists you're on. In cybercrime, everyone is on someone's list, and that's just the reality at this point.
Are conveyancing firms more vulnerable?
Conveyancers are vulnerable for two reasons. One being the high value transactions they handle, and the other is that every payment is a unique transaction, so there is no trusted place that you pay to. Adding to this is the time pressure to complete and exchange at certain times. Every time you're sending a one-off payment to a new destination, that's about the riskiest thing you can do from a fraud perspective. It's the easiest thing to target.
Conveyancers are probably more regularly targeted; however, anything that looks big enough is a target, so this could be a big personal injury or a wills and trust settlement.
What else increases the risk of a firm being targeted?
It’s also about who firms are communicating with. Processes and procedures can be put into place with other law firms, but that’s not as easy when communicating directly with clients. Other law firms can have technical security measures on their email that help you validate them, but with an individual, how do you know for certain that it’s their personal email address? Anyone can sign up for a new email address with anyone's name. Plus the dynamics are different. So if you email the client on one address and they reply on another, have you got a process to verify it’s them?
Law firms also hold highly sensitive client files that, if leaked, would be potentially embarrassing to their clients and probably very damaging to the law firm from a reputational perspective.
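The warning signs Nic describes above, a payee whose destination account has changed, a one-off payment to a brand-new payee, a large amount, and an instruction arriving from an address other than the one on file, can be written down as a pre-payment check. The following is an added example, not tooling from Aedile Consulting or Miller's; the payment history, the verified addresses, the £10,000 threshold and the sample instructions are all constructed for illustration.

```python
"""Flag payment instructions that carry the fraud risks discussed in the
interview, so they are verified out of band before funds are released."""
from dataclasses import dataclass

# Constructed history: accounts this firm has previously paid for each payee.
KNOWN_ACCOUNTS = {
    "Acme Surveyors Ltd": {"20-00-00 11111111"},
    "J. Smith (client)": {"40-00-00 22222222"},
}
# Constructed record of the email address each client was verified on.
VERIFIED_EMAILS = {
    "J. Smith (client)": "j.smith@example.org",
}
# Constructed threshold: the interview treats £10,000 as a worthwhile payout.
LARGE_PAYMENT_GBP = 10_000


@dataclass
class Instruction:
    payee: str
    account: str      # sort code and account number as one string
    amount_gbp: float
    from_email: str   # address the instruction arrived from


def assess(instr: Instruction) -> list:
    """Return the reasons this instruction needs verification by a call to a
    number already on file. An empty list means nothing unusual was seen."""
    reasons = []
    seen = KNOWN_ACCOUNTS.get(instr.payee)
    if seen is None:
        reasons.append("new payee: no previously used account to compare against")
    elif instr.account not in seen:
        reasons.append("destination differs from every account previously paid for this payee")
    if instr.amount_gbp >= LARGE_PAYMENT_GBP:
        reasons.append("high value payment (>= GBP %d)" % LARGE_PAYMENT_GBP)
    verified = VERIFIED_EMAILS.get(instr.payee)
    if verified and instr.from_email.lower() != verified.lower():
        reasons.append("instruction came from an address other than the one on file")
    return reasons


def needs_verification(instr: Instruction) -> bool:
    """True when any reason was found; the payment is held until a person confirms it."""
    return bool(assess(instr))


if __name__ == "__main__":
    sample = Instruction("J. Smith (client)", "40-00-00 22222222", 5_000, "jsmith.personal@example.net")
    print(needs_verification(sample), assess(sample))
```

A routine small payment to a known supplier on its usual account produces no reasons, while a completion payment to a vendor's solicitor the firm has never paid before produces two (new payee and high value), which is exactly the conveyancing case the interview singles out.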
How long does it take a firm to recover from a cyber-attack?
Recovery is almost certainly going to take weeks, possibly even months. Most firms have business continuity plans in place for physical disruptions to their network. For example, they might run their data on two different servers, but the problem with cyber-attacks is that they don't operate with that physical separation. If the data is corrupted, that change is replicated everywhere, meaning unless you have properly separated backups of your data, there isn't anything left working to start your recovery from.
There are practical considerations too, and a lot of those business continuity preconceptions start to break down when companies exercise or actually experience an attack. One example is what equipment are you going to use to reinstate the system? Any desktops won’t be working, and if you bring in additional laptops but have security controls that stop laptops being plugged in off the shelf, how are you going to log into the system to turn off the security?
It’s easy to underestimate the complexity and how long it will take to recover, and overestimate the ability to identify and fix the underlying problems because typically, unless you've had security alerts that you've not responded to, when an attack launches, it was probably somewhat out of the blue.
If you have any further questions about anything discussed in this article, or wish to discuss your cyber insurance arrangements, please email firstname.lastname@example.org or contact any of the team below.