UK Cyber Security Agency to Law Firms: You Are Hacking Targets


UK law firms are attractive targets for cyber criminals because of the large sums of money and highly sensitive information they handle, according to the National Cyber Security Centre.

Firms are also vulnerable in more novel ways due to remote or hybrid workplace setups stemming from COVID-19 lockdowns, the agency said in updated guidance published last week. Remote employees are more likely to connect to unsecured, noncorporate routers. Cyber threat tactics have also become more sophisticated, the report said.

The organization is “increasingly seeing ‘hackers-for-hire’ who earn money through commissions to carry out malicious cyber activities for third party clients, often involving the theft of information to gain the upper hand in business dealings or legal disputes,” it said.

Phishing emails to employees are among the top ways hackers attack law firms’ information. The NCSC reported that 79% of all cyber attacks were phishing attempts.

The report recommended maintaining strong company governance to minimize the risk of cyber threats as well as investing in training for all staff members to improve security culture.

The updated guidance is a “timely intervention,” said Lubna Shuja, president of the Law Society serving England and Wales. The initial report was published in 2018.

Last week, Bloomberg Law reported that US firm Bryan Cave Leighton Paisner was hit by a cyberattack that compromised client data.

In April, Proskauer Rose confirmed that its clients’ data, including sensitive financial information, had been exposed to hackers.

Goodwin Procter and Jones Day data was exposed through a breach at tech provider Accellion, now known as Kiteworks, in 2021. The firms acknowledged that the breach had left confidential client data exposed.

The American Bar Association said in 2020 that nearly 30% of U.S. law firms reported a security breach.
