The UK’s National Cyber Security Centre (NCSC) has released updated guidance to help law firms mitigate the latest cyber-threats.
Worth an estimated £44bn ($56bn), the sector employs over 320,000 people and consists of roughly 33,000 businesses, according to the report. However, the size of these organizations and the amount of resources they dedicate to cybersecurity can vary significantly.
PwC claimed last year that the top 100 law firms spent an average of 0.46% of fee income on cybersecurity in 2022.
Law firms are a popular target for attack for several reasons. Lawyers typically handle highly sensitive information for their clients, some of which could be used for insider trading or gaining the upper hand in negotiations and litigation, the NCSC warned.
Law firms also handle significant volumes of funds for their clients, and disruption due to ransomware can be costly. Smaller firms may also use external IT service providers, exposing them to possible supply chain attacks and making it difficult for them to assess their true level of cyber maturity.
Among the main threats to the sector highlighted by the report are:
- Phishing emails designed to steal credentials or install malware
- Business email compromise (BEC) aimed at tricking victims into wiring large sums of money to the attacker
- Ransomware and other malware that could disrupt operations and steal sensitive information
- Password attacks, which typically take advantage of poor security practices
- Supply chain attacks, which smaller law firms are particularly exposed to
“It is vitally important that solicitors and law firms, whether large or small, are aware of the cyber-threats they face and take steps to safeguard their systems,” argued Law Society president, Lubna Shuja.
“This new report from NCSC is a timely intervention that will be an essential resource for our members, providing information, practical guidance, and tools to help the legal sector protect the sensitive data it holds against cyber-attack.”