Legal benchmarking

by Mark Rowe

Nearly a quarter (24 per cent) of firms experienced a fraud-related loss or cyber-attack in the last year, small firms slightly more than larger ones, according to NatWest’s fifth annual legal benchmarking report.

Some of them would have incurred a financial loss and potentially reputational damage, said Steve Arundale, Head of Commercial Professional Sectors, NatWest, in a foreword to the report. He said: “There is huge pressure on firms to be ever more diligent and to ensure that they have a disaster recovery plan in place.”

In economic terms, 2015 and most of 2016 were generally positive years for the legal sector, with high levels of consumer and business confidence, especially prior to Brexit; the financial performance of SME-sized legal firms is usually closely aligned to that of the economy.

To read the report in full online, visit the NatWest website.

Comments

John Madelin, CEO, Reliance acsn, said: “The frequency of successful attacks on law firms is startling. For an industry that is trusted by its clients to protect both their data and deposits, it is concerning that they are leaving sensitive data open for hackers to access. Part of the problem is that senior leaders recognise the importance of cybersecurity, but beyond that have little clue how to approach the issue. As a result the security systems that many firms use to hold people’s data just aren’t being managed in the right way, with a patchwork of solutions being deployed without a deep understanding of the location of critical data.

“On the flip side for some time now the security industry has lacked conviction, and has fundamentally failed to educate organisations in how to manage their security holistically. It’s about using the right technology and process which includes proper alerting and alarming, but also active hunting for cybercrime. The fact is until cyber-crime is taken seriously we’re going to be fighting an uphill battle.”

Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu, said: “It’s sad to see that law firms are falling victim to cyber-attacks so frequently, particularly since the data they hold could leave the clients they serve incredibly vulnerable to fraud. As the technical capabilities of cyber-criminals continue to outpace the UK’s ability to deal with cyber threats, it’s obvious that more needs to be done to protect organisations. Attackers will always take the easiest route possible to breach a network and often seek to bypass perimeter controls via social engineering and phishing methods, so organisations must take the fight to cyber-criminals before they can act. Get on the front-foot, be proactive and get a layered defence in place that will enable real-time threat reporting and fast solutions before a threat becomes a compromise.

“Key to this is the use of threat intelligence and other information sources. An example of this is understanding when a vulnerability has been added to an exploit kit and having the knowledge of where those vulnerabilities exist on the network. Alongside this should sit a clear and well-rehearsed incident management plan, addressing internal and external communication in addition to containment and recovery activities. As the sophistication and regularity of security attacks continue to increase, it has never been more important for organisations to put security at the very top of the boardroom agenda, regardless of industry or region.”

And Steven Malone, Director of Security Management, Mimecast, said: “The fact that a quarter of law firms have been hit by a cyber-attack or fraud over the last 12 months is bad. But what is worse is that this is only half the story. Our research reveals that 20pc of UK organisations have experienced impersonation attacks from their legal departments last year. These involve hackers falsely assuming the identity of high level people within an organisation. What’s clear is that in addition to traditional threats, businesses must also look out for these types of attacks as this could affect customers and other key stakeholders without businesses realising until it’s too late.

“Layered security which includes dedicated protection from impersonation attacks is key, along with other proactive measures such as employee awareness and secured email systems. Only then will businesses be truly cyber resilient and be able to prevent fraud.”

© 2024 Professional Security Magazine. All rights reserved.