Cybercriminals targeting the legal sector do so for three main reasons – extortion, theft and fraud – and they are using a variety of constantly evolving tricks and techniques to dupe targets and breach systems.
Jason Fry, a cybersecurity specialist at pav.co.uk, said: “The sensitive and highly confidential nature of the information held by the legal sector presents a prime picking ground for cybercriminals – currently 4.5 per cent of all UK data breaches are occurring in the sector so it’s a serious issue and one that needs to be addressed in order to protect the profession’s integrity.
“The problem is that many law firms believe they aren’t big enough to warrant an attack by a professional hacker, but that simply isn’t the case. All law firms hold what is considered by fraudsters to be high value data and information so it is important that the sector understands and acts on the risks involved.”
Cybersecurity breaches come in many forms so knowing how they may be instigated is one of the first steps to preventing attacks and safeguarding data.
Robert Schifreen is a former UK-based computer hacker who was arrested in 1985 for breaching computers at British Telecom. He now runs a security awareness training programme called SecuritySmart.co.uk. He said: “Certainly there have been huge advances in the ways attacks are carried out and the methods that are adopted by cybercriminals. These days we see more and more sophisticated methods being put into practice that are scarily ‘real’ to the target, such as a combination of social engineering and ‘vishing’ – fraudulent phone calls that appear to come from trusted sources. Lack of awareness, not just amongst business owners but their employees as well, is a huge part of the problem.”
‘Friday Fraud’ – a term coined specifically for the law sector due to cybercriminals becoming familiar with the profession’s practice of transferring funds on Fridays – was responsible for the theft of £85 million from British law firms between the beginning of 2015 and July 2016.
Jason continued: “Once cybercriminals discover a weak link they can quickly latch on to it and it becomes much easier for them to carry out their attacks successfully.”
So what can be done? Jason believes that reviewing a company’s cybersecurity policy is key.
“First and foremost identify the person within the firm who is responsible for making sure cybersecurity policies and procedures are in place and regularly reviewed.
“And even though it may sound obvious, from there it is about ensuring the basics are correctly and effectively addressed.”
“A robust security policy needs to not only include the traditional protection of systems, such as anti-virus and firewall software, but also ironclad processes should be adopted and communicated effectively to staff to prevent information from being leaked and to reduce the likelihood of them or their clients becoming victims of duping scams.”
Although security software and procedures will help ward off potential threats, fraudsters will always aim to be one step ahead so individuals need to keep their wits about them to avoid any unpleasant surprises.
“I would always recommend that firms seek professional advice from an IT specialist to review their policies and provide a clear plan of how to tackle any loopholes in their practice’s security systems.”