Guardians of Justice: Navigating the Cyber Storm Threatening UK Law Firms
A devastating storm of cyber attacks is raining down on the British legal industry. With over 230,000 solicitors and legal executives handling sensitive data on client mergers, acquisitions and general legal proceedings, these attacks have a particularly severe impact on the UK legal sector.
In a recent review, the Solicitors Regulation Authority (SRA) found that, since 2020, cyber attacks had targeted 75% of law firms, with 23 out of the 30 firms reviewed suffering devastating losses of more than £4 million. In this blog, Thrive sheds light on the magnitude of this damage and guides you in effectively safeguarding sensitive client information against such attacks.
Rising Threat: UK Law Firms Face Surge in Data Breaches Amid Shift to Remote Work
Data breaches are not a new threat for law firms, but they are exploding in prevalence. According to the Equality & Human Rights Commission (CRC), 73 of the UK’s top 100 law firms have been targeted, a rise from 45% in 2018-19 to 73% in the most recent financial year.
The substantial shift in the UK’s work/life balance prompted by the Covid-19 pandemic has been the critical factor in this trend. The pandemic forced over 60% of companies to transition to cloud-based work, a trend that has continued into the post-Covid era. As a result, law firms now store far more client information online, which makes them extremely attractive online targets.
UK Law Firms Face 4,000 Daily Cyber Attacks, Costs Surge
90% of the top UK law firms have directly experienced this threat: 55% of them faced viruses and other malware, and 16% faced serious attempts to hack into their company’s network. To put this into context, over 4,000 cyber attacks are launched every day. That equals roughly 170 every hour and almost three every minute. Law firms must protect themselves and their clients against this vastly underestimated but dangerous threat.
The shift to remote online working has also impacted the costs of such a breach. Attacks that previously cost companies £2.8 million now cost £3.57 million due to the sheer quantity of online client data. The overall rise in data breach costs is 10%, with the average weighing around £3.05 million.
These numbers refer to the larger law firms, but what about SMEs in the legal sector?
Cyber Attacks Costing Unprepared Firms an Average of £150,000
SMEs are equally exposed to cyber attacks, as they’re perceived as easier targets by hackers who assume they do not have the measures to handle them. Small or medium law businesses could unwittingly be exposed to these well-orchestrated attacks simply because they are unaware of the costs that other law firms are facing.
The average data breach cost for businesses of this size is £310,000. If the company is unprepared, however, it also incurs additional billable hours spent on experts to investigate the breach, notify victims and take extra preventive measures to avoid future attacks. The SRA has shown that this additional cost can reach around £150,000 for unprepared firms.
Although this is steadily becoming less common, many SMEs still have minimal pre-emptive measures in place to deal with such an attack. Typical law firm cyber attacks have previously been initiated through a piece of hardware running old, unpatched software. This is the ‘open window’ that allows attackers to gain entry to systems. Other companies in the field have seen the entirety of a firm’s data locked, followed by a hefty ransom demand to allow the company to continue working.
In these real-life examples, the legal businesses did not have an adequate cyber incident response plan in place, so they ultimately floundered and had to seek urgent help from their IT support teams and local police. Some situations were so dire that paying the ransom seemed the only option. This cements the need for a standalone cyber insurance policy, a disaster recovery plan and employee cyber awareness training.
Magic Circle Attack
A recent case is that of London-based Allen & Overy, the latest major ‘magic circle’ firm attacked by ransomware hackers. The firm announced the incident after posts on X (formerly Twitter) claimed that the hacker group Lockbit had targeted it and was threatening to publicise sensitive files.
Lockbit is a hacking group notorious for locking organisations out of government and corporate networks and demanding payment in return for restoring access and not publishing private data and correspondence. Its high-profile attack on Royal Mail in January, which we previously blogged about, blocked the company’s access to its data pending payment. Thankfully, Allen & Overy had a technical response team in place and an independent cyber security adviser on standby to aid in containing and isolating the attack. As a result, very little client data was affected and neither its email nor its document management system was impacted – all thanks to the preventive measures the firm had taken.
In a similar case, the cyber team at Gateley, a UK Top 50 firm, quickly identified an intrusion and acted immediately to secure all systems. The firm stated that it was confident its IT support had successfully limited the impact of the cyber attack, with just 0.2% of its data affected, and that it did not foresee any material effect on the company’s financial performance.
NCSC Best Practices for Cybersecurity
Published advice from the NCSC is that companies should back up important data regularly and use offline storage, which provides a degree of protection against ransomware and other cyber threats. Multi-factor authentication is, as ever, recommended, as is enforcing least-privilege access to limit the damage a compromised account can do.
However, to ensure that the right measures are put in place for your business, a thorough risk assessment should be performed, identifying weak points in your business and prioritising cybersecurity investments accordingly. Employees should be comprehensively versed in the threats your firm faces and the best course of action when dealing with them.
Best practice also includes enforcing user access controls and ensuring that businesses and their employees follow strong password policies, significantly reducing the risk of unauthorised access. A further significant risk to SMEs that fail to safeguard their clients’ data in these ways is legal challenge, with consequences ranging from client lawsuits to fines from the ICO.
If this blog has caused you to reflect upon the readiness of your firm when tackling this genuine threat, don’t hesitate to contact Thrive.
We are highly experienced in working alongside SMEs in your sector to reach absolute security in the face of data breaches and similar recent threats. We can help you guarantee your business’s and its employees’ safety by staying ready against these ever-growing risks.