Guidance for Legal Practices – The Who, How and What to do of Cyber Attacks

Aug 11, 2021 | Legal

The legal sector deals with valuable and often confidential data; it facilitates large transactions on a daily basis and provides access to all kinds of businesses across the supply chain.

All these factors make law practices extremely high-value targets for cyber attacks.

Who is attacking you?

  1. The majority of cyber attacks are carried out by criminals who are motivated by financial gain. As highlighted by Crowe UK, statistics show that cyber crime now accounts for over half of all crimes committed.
  2. Threats can also come from your competitors or through your supply chain.
  3. A significant threat, often underestimated, is the one from your own staff. A disgruntled current or former employee can act to get revenge or simply for financial gain.

How are you being attacked?

Threats to law practices involve the full array of cyber-attack methods, including phishing emails, ransomware, hacking, denial of service attacks, and the ever-evolving strategies of social engineering.

Due to the frequent movement of funds through company bank accounts, law firms are particularly vulnerable to fraud. Conveyancing fraud is now so common that it even has its own nickname. It involves those who are about to complete on the sale or purchase of a new home. Someone from the finance team in the solicitor’s office may be conned by a fraudulent email or phone call advising them that the client’s account details have changed, or the customer may be deceived into making a large payment into a criminal account. Sadly, those involved realise too late that they have been the victims of ‘Friday afternoon fraud’.

Untargeted attacks

Cyber criminals attack law firms intentionally, but also, and more commonly, indiscriminately. In fact, the majority of cyber attacks are untargeted and use commodity tools to attack large numbers of devices, services and users at the same time in a random way. Most cyber attacks are made up of repeated stages that probe for further information which can lead to a more targeted attack. These attacks exploit basic weaknesses that can be found in many organisations, such as poorly configured firewalls, software that hasn’t been updated and legacy computer systems that are no longer supported. 90% of all cyber attacks start with a phishing email (a fraudulent email sent by cybercriminals that mimics a legitimate communication from a trusted source). Vishing is the name given to a fraudulent phone call, where someone pretending to be from your bank, a trusted company or service, or even the police will try to trick you into revealing personal or confidential information. These can be part of a wider campaign in which fraudsters are gathering information for a larger attack.

In the last couple of years, ransomware has become one of the most popular cyber-attack methods that cybercriminals use to target law firms. A typical ransomware attack begins with a phishing email which usually contains a link and a message designed to encourage the recipient to click the link. Once clicked, the ransomware installs on the computer. Ransomware encrypts an organisation’s files, rendering them inaccessible until either a ransom is paid or the organisation reverts to backups to bring the network back online. More recently, ransomware attacks have also given attackers access to the company network, so that they can sabotage systems and steal information directly, typically by exploiting a vulnerability somewhere in the practice’s network.

Double-extortion ransomware

Many organisations are now prepared and have appropriate backups in place to mitigate a traditional ransomware attack. A double-extortion ransomware attack, however, allows the attacker to increase the likelihood of receiving a ransom payment by threatening to leak stolen data onto the internet. Sensitive and confidential information appearing on social media can clearly be a reputational disaster for any practice.

Distributed denial of service attack

It is not difficult in today’s world to arrange a distributed denial of service attack (DDoS) against someone’s website or online services. A DDoS attack is launched using an army of connected devices (known as a botnet) that are infected with malware in order to allow them to be controlled by a central computer. The attacker can then command the botnet to bombard the website server with a flood of requests which overloads the server until it crashes, taking it out of use.

Law firms that are linked to politically or environmentally sensitive cases could be the target of hacktivism. This is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose.

Insider data breaches

An “insider” data breach describes a breach which has been caused by one of your own staff. The majority of insider data breaches are accidental, and the best way to combat these is through training and robust processes and controls. However, insider data breaches also include employees stealing confidential information from the firm, often to leak it to competitors or cybercriminals, or to take data with them to a new job.

How do you protect yourself?

The Cyber Essentials controls will help an organisation defend against most untargeted attacks. The process of putting in place the five core controls will eliminate the common security gaps that up to 90% of cyber attacks rely on.

Remember, even targeted attacks usually start with simple techniques such as a phishing campaign. The National Cyber Security Centre (NCSC) recommends a multi-layered set of mitigations to improve your organisation’s resilience against phishing attacks.

Cyber Essentials focuses on five technical controls that form key elements in the layers that will help mitigate a phishing attack and other untargeted cyber attacks.

  • Even if a malicious link is clicked, securely configured devices decrease the impact of malware on the wider system or stop malware installing in the first place.
  • Security update management can prevent attackers from using known vulnerabilities. Using supported software and devices and making sure they are kept up to date with the latest software updates, as well as buying software and apps from trusted sources, reduces the opportunities for hackers.
  • Accounts can be made more secure by adding two-factor authentication to the log-in process. This means that, even if credentials have been compromised, an attacker cannot gain access. The number of accounts with privileged access should also be limited to the absolute minimum to reduce the potential damage from a cyber attack.
  • People with administrator accounts should not use these accounts to check email or browse the web; this prevents users accidentally installing malware from phishing emails or malicious websites.
  • To limit any potential issues from former employees, immediately remove or suspend accounts that are no longer being used. It is also good practice to limit or block the use of USB and other portable removable media and devices.
  • One of the largest human-factor risks is staff re-using their passwords on different online accounts, especially where they reuse personal passwords on work accounts. When this happens, a breach of any of the accounts where that username-password combination is used can result in access to all of them. Consider reviewing your password policies; doing so may reduce the likelihood of staff re-using passwords across home and work accounts. Ensure that passwords are changed if it is suspected that one has been compromised.
  • Anti-malware software will block most malware from downloading and prevent users from accessing insecure websites.

You cannot outsource your cyber risk

If you outsource your IT to a third-party provider, the security risk to your network remains your responsibility. Do you know the cyber security status of your IT provider? Never take this for granted, as being an IT expert is not the same as understanding cyber security. It is recommended that your IT provider be certified to Cyber Essentials as a minimum. Third-party IT providers may look after the networks of numerous businesses and have administrative privileges to all their systems. It is vital that you are reassured of the security measures your provider has in place to protect you and itself. IASME has created the Cyber Essentials guide to using a third party IT provider to help you manage the responsibility for your cyber security. A comprehensive list of questions is available on the IASME website for you to download or print off and give to your third-party provider. Ask your provider to return the answers and relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements.

IASME Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures. These include having a risk assessment and a security policy, security awareness training for staff and all the GDPR requirements. IASME Cyber Assurance also covers other important areas such as backing up your data and having an incident response and business continuity plan.

IASME Cyber Assurance is aligned to a similar set of controls as the international standard ISO 27001, but is more affordable and achievable for small and medium-sized organisations to implement. In recent years, an increasing number of large organisations have started to accept the audited IASME Cyber Assurance (Level 2) certification as an alternative to ISO 27001 for the small companies in their supply chain.

Counter fraud

It is widely recognised that up to 90% of fraud is now cyber-enabled; however, a great deal of fraud still occurs through interactions with people, whether it be a scam phone call or a dishonest employee. The Counter Fraud Fundamentals (CFF) scheme was developed by IASME and a team of counter fraud experts. The scheme is an ideal way for any business dealing with financial transactions to prove to their customers and supply chain that they take their responsibility to combat fraud seriously.

The process of working through the CFF self-assessment questions helps a practice identify whether it has adequate counter-fraud measures in place to prevent, detect and respond to fraud, and provides an opportunity to improve. The questions are centred around the company, its employees, the responsibilities for reporting fraud, and managing and documenting fraud risk. Counter fraud measures involve awareness, staff training, staff monitoring, and having policies and strategies in place to prevent and detect crime.

The cyber security certifications address the technical side of a cyber breach which could be used to commit fraud, whereas Counter Fraud Fundamentals fully addresses the human element of fraud, the intention to trick or deceive, which can, of course, take place against an organisation without any cyber element.