Cybercrime Is Rising: Be Prepared - But Don’t Pay Ransoms

Cyber-attacks using ransomware have been in the news more frequently, so it will come as little surprise that it’s a tactic being increasingly used by cyber criminals. However, email remains the target of choice for criminals because it is an easy route in. Law firms and other professional service providers are urged to remain on their guard.

The National Crime Agency (NCA) recently warned that cybercrime is increasing, both in scale and complexity; the Solicitors Regulation Authority (SRA) has reported an increase in ransomware and phishing attacks; and accounting firms have reportedly seen a threefold increase in attacks since the pandemic began.

It’s a painful reality that the legal sector and business community (and other sectors and industries) must accept: criminals are increasingly confident and sophisticated in their methods of attack. Unfortunately, the NCA says more cyberattacks are happening this year in the UK than ever before, highlighting a particularly significant uptick in high-profile ransomware campaigns this past year.

The SRA is also seeing an increase in the threat: in its latest Risk Outlook, the solicitors’ regulator reports receiving notice of just 18 ransomware attacks but anticipates an increase. The reason for the expected rise is simple: the impact of earlier forms of ransomware was limited to encrypting data without an actual breach (and the consequent reporting requirements). More sophisticated forms of ransomware both encrypt data and steal it – usually leading to ransom demands. If your firm is in the unenviable position of being subjected to a ransomware attack, should you pay money to recover often sensitive client data?

No, says the NCA. It has just warned that law firms should not pay ransom demands. Giving in to extortion like this won’t keep data safe; and the Information Commissioner’s Office (ICO) would not consider making a ransom payment as mitigation in any regulatory action. Even so, the SRA believes that file stealing will become a normal part of how ransomware extorts money and will involve both random and intentional attacks.

Email

In the world of technology, email may be a relatively dated method of communication, but it remains a major risk area for firms. At least 80% of reports of cybercrime the SRA received last year involved email – at least half involving phishing and ‘email modification’ frauds.

Third-party attacks are also on the rise. The SRA highlights a case where an attack on an IT service provider spread to “numerous” firms of solicitors. Other, more sophisticated attacks could increasingly use voice impersonation systems.

Risk mitigation

Cyber-attacks should not be considered an inevitable part of commercial reality, though the threat of an attack must be taken seriously. The SRA encourages having the right culture, systems and training in place. One of the most effective ways to prevent ransomware and other attacks, for example, is to require two-factor authentication for access to the firm’s systems.

The SRA encourages firms to have “the right culture, systems and training” and offers guidance on working to achieve this. This means working to:

· Create a culture of openness where staff feel able to raise issues, such as having realised that they have clicked on a ‘dodgy’ link (which we’ve all done at some point).

· Implement robust systems and procedures, including a focus on suppliers and third parties, with specialist help from cyber security specialists.

· Train lawyers and support staff on their working arrangements and their use of the firm’s networks and systems.

Prudent firms will also embrace the most up-to-date resources and guidance available from various sources, including:

· SRA.org.uk report

· The Law Society cybersecurity guidance and support

· NCSC support and guidance

If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you.