(4 min read)
In August 2020, law firm Tuckers Solicitors were victim to what they called ‘a significant cyber attack’.
The attack compromised the server where archived data was held, and some data was removed from the system. Later in the year, the firm confirmed that the data of around 60 clients had been uploaded to the criminals’ website on the dark web.
Earlier this year, Tuckers Solicitors was fined £98,000 by the Information Commissioner’s Office (ICO), who found that files relating to both criminal and civil cases were posted on underground marketplaces and data included medical files and private information – some relating to extremely serious cases.
The ICO ruled that Tuckers had failed to implement appropriate technical and organisation measures over some or all of the relevant period, and that failure had made it vulnerable to attack. Tuckers had not encrypted the data on its archived server and, critically, had not implemented multi-factor authentication for remote access to its systems. It said that oversight meant that access could have been through a single user name and password.
This is not an isolated incident. Cyber criminals will hack any organisation – including law firms – to either steal data to sell on, or to try and extort cash from unsuspecting victims. Some simple and affordable steps – including much better staff training – could have either prevented the attack altogether or significantly reduced its impact.
Hackers don’t care about your business
It’s that simple. There are a number of clear risks to legal firms from cyber attacks, any one of which could be catastrophic. Legal firms operate on the basis of confidentiality and trust, and if a hacker gets into your system and either steals your data or ransoms it back to you, your clients will lose trust in you, you’ll probably face a hefty regulatory fine and your reputation will be in tatters.
This might all sound apocalyptic – and that’s because it’s a real risk. Hackers don’t care about your business. Criminals don’t care about your reputation. Professional cyber attackers don’t care about your fines. They are just looking for an easy way into your business so they can steal the information that has the most value.
Why bother with cyber security?
As Tuckers Solicitors discovered, a cyber attack can devastate your practice. There are serious consequences to failing to protect yourself against attack, and if you haven’t got a plan in place the mitigate them, you are putting your firm, your people and your clients at risk. They include:
- Financial and identity theft
- Complete loss of data
- Loss of clients and reputation
- Regulatory penalties and fines
- Class action compensation claims
Unless you want to sit in front of your regulator to explain how a criminal could have got into your data and exploited it for financial gain, it’s time to take cyber security seriously. By that, we mean looking at the ways that an attack can occur and putting mitigation in place to reduce that risk.
It starts with your people
At least 90% of successful cyber attacks are down to human error. Weak passwords, dodgy attachments and malicious links tend to be the most common ways for criminals to gain access to your systems.
That’s why training your people is key. And it’s also why a half-day seminar simply isn’t enough. You need to change people’s behaviours, and that only happens over time. We’ve deliberately developed our training to be delivered online in bite-sized episodes of less than 10 minutes. So no massive loss of billing time and no disruption to case work. Just self-served, ongoing, behaviour-changing cyber training that can help protect your firm from the most obvious forms of attack.
To find out more, contact us to talk about a free trial today.
Sign up below to get our monthly newsletter, packed with hints and tips on how to stay cyber safe.