Hub - Security

20th July 2016

Guidance for Law Firms Reviewing Email and Cyber-crime Security

Ransomware text on hex code illustration

Law firms need to tighten up their email security and revisit their cybercrime prevention strategies as there has been a significant increase in the number of attacks against law firms.

In particular, there has been a significant increase in the number of Ransomware attacks.  There are over 120 separate families of ransomware and researchers have seen a 3,500% increase in the criminal use of net infrastructure used to run ransomware campaigns.

Other scams include phishing emails sent to members of the public in the name of particular firms or individuals at firms, attempting to obtain bank account details or money.  There have also been warnings issued about a specific email scam targeting conveyancing firms, which invites the reader to click on links that are suspected to contain hostile and intrusive software, including viruses and other malicious programmes. The most popular virus for cyber criminals is the Crypto Locker virus. It effectively removes files from systems, demanding payment for their return – usually in Bitcoin payment – which can’t be traced back to the hacker.

As a matter of urgency, law firms should be reviewing their cybercrime prevention strategies and email security. Firms could be subject to reputational issues if clients and/or client information is affected as a result of cybercrime. They could also face reprimand by the SRA and the Information Commissioner’s Office (ICO) with potential costs if they breach the SRA’s strict Code of Conduct or the ICO’s data protection rules.

To manage cybercrime risks, CTS Technology Specialists advises law firms to:

  1. Put in place a risk management committee to review and manage the risks. This governing body should be connected to the board.
  2. Establish ownership for data protection and information security and make it responsible for reporting to the risk committee.
  3. Put in place some simple but effective data access policies and controls to systems and key data, and detail who should have access to what.
  4. Understand your data. Where is your business data and your client data? Design a data strategy or, at least, start with a workable retention policy which covers both paper and electronic material.
  5. Ensure password policies are implemented across the business.
  6. Train staff to be aware of potential threats including bogus emails and suspicious requests for information.
  7. Take advice from a specialist and review your IT security position to ensure you have a good level of email security with the correct and required services configured, to defend against external attacks and malware.
  8. Use double verification (2-factor) security to access your IT system and files and limit the potential for hackers to access all parts of your IT systems and files.
  9. Diarise regular penetration tests on your systems and enlist the help of ethical hackers who will be able to identify the weak spots in your IT. Implement all (or as many) of the recommendations as soon as possible.
  10. Take an honest view of your capability and consider moving data and applications to a competent cloud operator. Cloud operators of substance make security a centrepiece of their proposition and commit more money to the matter than you could possibly do.

For advice on how you can protect your firm, please contact us.  As a legal specialist we are happy to discuss the best approach for your firm.  Contact us:

The latest from CTS