Cyber security watchdog issues law firm warning
The National Cyber Security Centre (NCSC), part of GCHQ, yesterday published its first report on the growing cyber threat to the legal profession.
It said that while the primary threat stemmed from cyber criminals with a financial motive, “nation states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage.
“There has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends.”
The NCSC said that, according to Action Fraud, in the two years to March 2018, 18 law firms reported hacking attempts.
“Such attacks tend to be more targeted in nature and are most likely initiated by phishing. They are often the work of more sophisticated cyber actors such as organised crime groups and nation states.”
The NCSC said the most significant cyber threats facing law firms were phishing, data breaches, ransomware, and supply chain compromise.
The report spells out the dangers and steps firms can take to combat them.
On phishing, it said the Solicitors Regulation Authority has publicised 110 scams against law firms so far in 2018, but “there are likely to be many more that go unreported”.
It gave the case study of a “mid-sized law firm with a multi-million pound turnover”, where a senior partner broadcast on social media full details about a business trip to Barcelona.
A criminal gang based overseas used this information to initiate a phishing attack against the firm’s accounts team. An accounts clerk received an email from an account spoofing the senior partner’s email address, instructing her to pay an invoice and imploring confidentiality.
Even though the firm had in place a number of policies and procedures that systemised the payment of invoices, they were able to persuade the accounts team to bend the rules, under the pretext of urgency, confidentiality and seniority.
The criminals also knew that the accounts team were tied up in installing a new accounting package and training on the new system, as a staff member had mentioned it on Facebook. It was at this time that the criminals convinced the clerk to make an authorised payment of £35,000.
The section on ransomware referenced the global attack last year on DLA Piper that caused significant business disruption for a number of weeks and is to date the single biggest cyber attack to ever hit any law firm.
The attack utilised a new variant of the Petya malware (NotPetya) via the software update mechanism of M.E. Doc, a Ukrainian tax program that had been compromised to spread the malware.
The report said the attack appeared to be a ransomware attack; it was later identified as a destructive variant so that the data was encrypted.
DLA Piper was running around 800 applications at the time and went through a process afterwards of building them back up. “Since the attack, the firm has been running a number of programs to enhance security and business resilience.”
Looking to cyber security trends, the report noted the increasing use of artificial intelligence (AI) systems among the large law firms, saying: “AI may help with thwarting future attacks, although may also be used maliciously, for example, to fool AI fraud checks or craft high-quality phishing emails.”
NCSC chief executive Ciaran Martin said: “Like all businesses, law firms are increasingly reliant on IT and technology and, as a result, are falling victim to a range of malicious cyber activity.
“Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also its clients.
“The NCSC is committed to supporting the legal sector as part of our role to make the UK the safest place to live and do business online and that’s why we feel it’s extremely important to offer the tailored advice and guidance outlined in this report.”
The report was created in collaboration with major law firms working under the NCSC Industry 100 scheme and the Law Society.
Law Society president Christina Blacklaws said: “In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.
“The Law Society sees this report as a positive step to help our members spot vulnerabilities and put relevant safeguards and protections in place.”
To help firms further, the NCSC and industry partners have also launched a legal sector group on the free Cyber Information Sharing Platform.
Source: legalfutures
Latest Jobs
-
- VOIP / SIP App Developer. Contract. SIP | VOIP experience needed. SC Cleared Outside IR35 Contract. London
- London
- OUTSIDE IR35
-
SIP | VOIP Developer. SC Cleared Contract. London Looking for a SC Cleared SIP / VOIP Developer to develop an application that interacts with a set of voice and video signalling API’s You will also work on developing in-house applications, browser plugins and automated tooling to support secure communication systems. Responsibilities Develop an application that will manage number mapping and associated identities using commercial SBC API’s. Develop new user-facing features using React.js or other modern JavaScript frameworks. Build reusable components and front-end libraries for future use. Collaborate with the design team to translate UI/UX design wireframes into code. Work closely with backend developers to integrate front-end code with server-side logic. Conduct code reviews and provide constructive feedback to team members. Stay up-to-date on emerging technologies and industry trends to continuously improve our front-end development practices. Troubleshoot and debug issues that arise during development and in production environments. Maintain high coding standards and practices and ensure code is well-documented. Requirement Experience of developing specialist applications using REST API’s. Good knowledge of Go, Java and Python (open to alternative combinations of languages). Proficiency in front-end languages and frameworks such as HTML, CSS, JavaScript, React.js, etc. Strong understanding of web standards, responsive design, and cross-browser compatibility. Experience with version control systems such as Git. Knowledge of RESTful APIs and asynchronous request handling. Familiarity with UI/UX design principles and tools.
-
- Senior Data Privacy Consultant. Client Facing | London
- London
- N/A
-
Senior Data Privacy Consultant. Client Facing | London Senior Data Privacy Consultant needed for a key client facing opportunity. Must be willing to undergo SC Security Clearance. Hybrid role- onsite with customer / office 2-3 days a week. London Key Responsibilities: Lead and support client facing data privacy projects. Assess compliance, define and deliver strategic projects / implement privacy solutions. Manage project teams and develop business opportunities. Required Experience: Experience in data protection and privacy standards. Background in consulting. Skills and Qualifications: Business consulting experience IAPP Privacy Manager / Privacy Technologist Location Greater London UK based role. Not able to provide VISA sponsorship.
-
- Security Analyst - Internal role. London commutable. Permanent
- London
- N/A
-
Security Analyst - Internal role. London commutable opportunity. Operational Security - Investigate, escalate and proactively work to ensure household name remains protected. Project Security - Coordinate, log change requests with project delivery teams to meet security requirements Policy / compliance - work with team to aid in uplifting these as and where needed This role is role to investigate, escalate and proactively work to protect a globally recognised brand. You must have current hands on operational analytical security experience with Microsoft technology stack Someone with a SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.
-
- Network / Security Infrastructure Engineer | West London | Permanent
- London
- N/A
-
Network / Security Infrastructure Engineer | West London | Current Config, Install, upgrade experience On prem / Datacetner experience essential. Hands on experience MUST include: Routing, Switching, Network Security (firewall, IDS etc), Microsoft exchange / Exchange 365. Scripting / automation experience wanted. Python, Powershell etc Regular travel to West London is required. Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1