Guidance for Legal Practitioners

The Who, How and What to do of Cyber Attacks

The legal sector deals with valuable and often confidential data, facilitates large transactions on a daily basis and provides access to all kinds of businesses across the supply chain. All these factors make law practices extremely high value targets for cyber attacks.

Who is attacking you?

1. The majority of cyber attacks are carried out by criminals who are motivated by financial gain. As highlighted by Crowe UK, statistics show that cyber crime now accounts for over half of all crimes committed.

2. Threats can also come from your competitors or through your supply chain.

3. A significant threat, often under-estimated, is the one from your own staff. A disgruntled current or former employee can act to get revenge or simply for financial gain.

How are you being attacked?

Threats to law practices involve the full array of cyber-attack methods, including phishing emails, ransomware, hacking, denial of service attacks and the ever-evolving strategies of social engineering. Because funds move so frequently through company and client bank accounts, law firms are particularly vulnerable to payment fraud. Conveyancing fraud is now so common that it even has its own nickname. It targets those who are about to complete on the sale or purchase of a home. Someone in the finance team of the solicitor's office may be conned by a fraudulent email or phone call advising them that the client's account details have changed, or the client may be deceived into making a large payment into a criminal's account. Sadly, those involved realise too late that they have fallen victim to 'Friday afternoon fraud'.

Untargeted attacks

Cyber criminals attack law firms intentionally, but also, and more commonly, indiscriminately. In fact, the majority of cyber attacks are untargeted and use commodity tools to attack large numbers of devices, services and users at the same time, without regard to who the victim is.
Most cyber attacks are made up of repeated stages that probe for further information that can lead to a more targeted attack. These attacks exploit basic weaknesses that can be found in many organisations, such as poorly configured firewalls, software that hasn't been updated and legacy computer systems that are no longer supported. 90% of all cyber attacks start with a phishing email (a fraudulent email sent by cybercriminals that mimics a legitimate communication from a trusted source). Vishing is the name given to a fraudulent phone call, where someone pretending to be from your bank, a trusted company or service, or even the police tries to trick you into revealing personal or confidential information. These calls can be part of a wider campaign in which fraudsters gather information for a larger attack.

Ransomware

In the last couple of years, ransomware has become one of the most popular methods cybercriminals use to attack law firms. A typical ransomware attack begins with a phishing email which usually contains a link and a message designed to encourage the recipient to click it. Once clicked, the ransomware installs on the computer. Ransomware encrypts an organisation's files, rendering them inaccessible until either a ransom is paid or the organisation restores from backups to bring the network back online. Ransomware can also be delivered into a practice's systems by hackers who exploit a vulnerability somewhere in the network. Such an attacker is often able to move around the company network, sabotaging systems and stealing information before the ransomware is triggered.

Double-extortion ransomware

Many organisations are now prepared and have appropriate backups in place to mitigate a traditional ransomware attack. A double-extortion ransomware attack, however, allows the attacker to increase the likelihood of receiving a ransom payment by threatening to leak stolen data onto the internet. Backups do nothing to counter this second threat, and sensitive and confidential information appearing on the internet or social media can clearly be a reputational disaster for any practice.

Distributed denial of service attack

It is not difficult in today's world to arrange a distributed denial of service (DDoS) attack against someone's website or online services.
A DDoS attack is launched using an army of internet-connected devices (known as a botnet) that have been infected with malware so that they can be controlled from a central computer. The attacker can then command the botnet to bombard the website's server with a flood of requests, overloading it until it crashes or can no longer respond to legitimate users, taking it out of use.
Hacktivism

Law firms that are linked to politically or environmentally sensitive cases could be the target of hacktivism. This is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose.

Insider data breaches

An "insider" data breach describes a breach caused by one of your own staff. The majority of insider data breaches are accidental, and the best way to combat these is through training and robust processes and controls. However, insider data breaches also include employees stealing confidential information from the firm, often to leak it to competitors or cybercriminals, or to take it to a new job.

How do you protect yourself?

The Cyber Essentials controls will help an organisation defend against most untargeted attacks. Putting the five core controls in place closes the common security gaps that up to 90% of cyber attacks rely on. Remember, even targeted attacks usually start with simple techniques such as a phishing campaign. The National Cyber Security Centre (NCSC) recommends a multi-layered set of mitigations to improve your organisation's resilience against phishing attacks. Cyber Essentials focuses on five technical controls that form key elements in the layers that help mitigate phishing and other untargeted cyber attacks.

• Even if a malicious link is clicked, securely configured devices limit the impact of malware on the wider system or stop the malware installing in the first place.

• Security update management prevents attackers from using known vulnerabilities. Using supported software and devices, keeping them up to date with the latest security updates, and buying software and apps only from trusted sources reduces the opportunities for hackers.

• Accounts can be made more secure by adding two factor authentication to the log-in process. This means that, even if a password has been compromised, an attacker who holds only that password cannot gain access. The number of accounts with privileged access should also be limited to the absolute minimum, to reduce the potential damage from a cyber attack.

• People with administrator accounts should