- 15th April 2022
- Posted by: Mark Dodds
- Category: Legal, Professional Services, Security
When people think about cyber-attacks, they tend to think about the high-profile attacks on large multinational organisations, e.g., British Airways, Garmin etc. This tends to lull small businesses into a false sense of security, believing that it won’t happen to them, which can be an extremely costly mistake in terms of time, money, and reputation.
Anybody who owns or works at a solicitors’ practice or a law firm will be aware of the increased risk of cyber-attacks and the potential damage that a security breach could do to your company.
The reality of cyber-attacks on solicitors and law firms
In a recent survey, it was revealed that 75% of legal firms surveyed lost over 4 million pounds of clients’ money due to cyber-attacks. The report went on to reveal that 23 of the 30 cases that were directly targeted saw a total of more than £4m of client money stolen. Whilst £3.6m of this money was ultimately claimed against insurance, a further £400,000 had to be repaid directly from the firm’s own funds. These figures don’t include the wider costs such as higher insurance premiums, lost time, lost work, and damage to trust.
A cyber-attack can be detrimental to your business and in some cases be unrecoverable.
Tuckers Solicitors, a criminal law firm with offices throughout England, is a prime example of this, as the Information Commissioner’s Office (ICO) recently fined them £98,000. This was because of a ransomware attack to which they were subjected in August 2020. If you’re not familiar with what a ransomware attack is, it’s where a hacker gains access to your computer network, encrypts your data and holds you to ransom, i.e., unless you pay the hacker, they won’t give you back control of your data.
In this instance with Tuckers Solicitors, the hacker took control of 972,191 individual files. Of these, 24,712 related to court bundles i.e., the documents prepared and submitted to the court as part of a criminal trial. These documents comprised both personal data (names, addresses etc.) and sensitive data (medical records, criminal records). 60 of these court bundles were exfiltrated (i.e., stolen) and released into underground data marketplaces, where they could be bought by anyone.
Why did the ICO fine Tuckers Solicitors?
You may be thinking that it’s unfair to punish the company: they were the victims of a criminal act. However, the ICO did not issue the fine because of the ransomware attack itself, but because “Tuckers’ failure to implement appropriate technical and organisational measures over some or all of the relevant period rendered it vulnerable to the attack.”
Further, the ICO described Tuckers’ security practices as “negligent”. In simpler terms, they were fined because they didn’t do enough to prevent the cyber-attack and the data breach from happening. They had also failed to meet various standards set out by the Solicitors Regulation Authority (SRA) in its code of conduct, which resulted in them receiving an increased fine.
What were the negligent security practices?
There were three main failings, which we’d consider to be IT security basics.
Lack of Multi-Factor Authentication (MFA)
MFA is the process of proving your identity with a second factor in addition to entering a username and password. Common examples include entering a code you’ve been sent by text or email, or opening an app to confirm that you are the one logging in. Tuckers were not using MFA for remote access to their systems, leaving them vulnerable to attack, despite their own GDPR and Data Protection Policy requiring it. The ICO determined that using MFA would have substantially increased the difficulty of an attacker entering the network.
Lack of updates
You might have heard the term ‘patches’, which refers to a software update that fixes a security vulnerability once it has been identified. Here, a vulnerability in one of the systems used by Tuckers was identified in December 2019 and a patch was issued in January 2020. Tuckers failed to install the patch until June 2020, leaving a large window of time during which the vulnerability could be exploited by hackers.
Lack of data encryption
The 972,191 files were stored on an archive server and had not been encrypted. This means that all the data was immediately readable as plain text, whereas encrypted data requires the decryption key before it can be read. Data encryption won’t prevent a cyber-attack, but it would have mitigated the impact of this one: the client information could not have been read, making any stolen files useless to the attacker.
What your law firm can do to mitigate the risk and impact of a cyber-attack
The good news is that it’s relatively straightforward and affordable to avoid the situation in which Tuckers found themselves, as well as the fine they received. We should add, though, that no measure will ever prevent 100% of attacks: what you can do is limit how far an attack succeeds.
There are two free and effective steps you can take straightaway.
- Implement two-factor authentication
- Encrypt computers (NB: you will need Windows Pro to do this)
Then we tend to suggest the following to our clients:
- Appropriate security software on your devices – protect against the latest threats such as viruses or malware etc.
- A business-grade firewall that is effectively maintained and monitored – prevent attacks and see any attempted attacks in real time.
- Enterprise-level email security – limit email-borne threats like a dubious phishing link.
- Real-time monitoring of your Microsoft 365 system – identify when an attack is happening.
- Installing device updates promptly – ensure known vulnerabilities are closed.
- A resilient backup strategy – data is stored separately and securely so it can be restored.
- Password management – two factor authentication and strong passwords that are frequently updated.
- User awareness training – ensure employees don’t accidentally create vulnerabilities through their actions.
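Two of the basics above, encryption of your computers and prompt updates, can be checked on a Windows Pro machine in a couple of minutes. The following PowerShell script is an added example written for this article; it is not code from Tuckers, the ICO or the SRA, and the function name and the 45-day update threshold are our own assumptions. It is read-only: it reports which fixed drives are not fully protected by BitLocker and how long it has been since the last Windows update was installed. Run it in an elevated PowerShell window.

```powershell
# Added example: a read-only audit of two of the IT security basics discussed above.
# The function name and the 45-day threshold are assumptions, not taken from the article.

function Get-BasicSecurityAudit {
    param(
        # Flag the machine if no update has been installed within this many days.
        [int]$MaxDaysSinceUpdate = 45
    )

    $findings = @()

    # --- Encryption at rest (BitLocker) ---
    # Get-BitLockerVolume comes with the BitLocker module on Windows Pro/Enterprise.
    # On Windows Home it is absent, which is itself something to report.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $fixedDrives = Get-Volume |
            Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
            ForEach-Object { "$($_.DriveLetter):" }

        foreach ($drive in $fixedDrives) {
            $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
            if (-not $bl) { continue }
            # A volume can be fully encrypted yet have protection suspended,
            # so both VolumeStatus and ProtectionStatus have to be right.
            if ($bl.VolumeStatus -ne 'FullyEncrypted' -or $bl.ProtectionStatus -ne 'On') {
                $findings += [pscustomobject]@{
                    Check  = 'BitLocker'
                    Target = $drive
                    Status = "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
                    Advice = 'Enable BitLocker and keep protection on so copied data cannot be read'
                }
            }
        }
    } else {
        $findings += [pscustomobject]@{
            Check  = 'BitLocker'
            Target = $env:COMPUTERNAME
            Status = 'BitLocker module not available'
            Advice = 'Upgrade to Windows Pro (or Enterprise) so BitLocker can be enabled'
        }
    }

    # --- Patching ---
    # Get-HotFix lists installed Windows updates; the newest InstalledOn date is a
    # rough indicator of how long the machine has gone without updates.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if ($latest) {
        $age = (Get-Date) - $latest.InstalledOn
        if ($age.TotalDays -gt $MaxDaysSinceUpdate) {
            $findings += [pscustomobject]@{
                Check  = 'Updates'
                Target = $env:COMPUTERNAME
                Status = "Last update $($latest.HotFixID) installed $([int]$age.TotalDays) days ago"
                Advice = 'Install pending Windows updates to close known vulnerabilities'
            }
        }
    } else {
        $findings += [pscustomobject]@{
            Check  = 'Updates'
            Target = $env:COMPUTERNAME
            Status = 'No installed update records found'
            Advice = 'Check Windows Update is enabled and able to reach Microsoft'
        }
    }

    return $findings
}

# Usage: an empty table means both checks passed on this machine.
Get-BasicSecurityAudit | Format-Table -AutoSize
```

The script deliberately changes nothing; it only tells you where you stand, which is the first step towards the evidence of “appropriate technical and organisational measures” that the ICO expected of Tuckers. Enabling BitLocker itself and rolling out MFA are changes that should be planned and tested with your IT provider rather than scripted in one go.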
We’ll finish by saying well done to Tuckers for reporting the breach to the ICO, which is what you should do, although some might well be tempted to cover it up. If you’d like to find out more about the Solicitors Regulation Authority and cybercrime, then you can do so here.
If you want to talk about your cyber-security setup, please get in touch.