WIREDGOV

The NCSC's first legal threat report has been issued to law firms.

• NCSC legal sector threat report gives guidance to help firms protect themselves
• £11 million of client money stolen due to cyber crime over the last 12 months
• 60% of law firms reported to have suffered information security incident last year
• The Law Society welcomes practical and effective guidance to protect industry

Law firms have been urged to follow expert cyber security guidance after a report published yesterday (19 July) showed the scale of the threat they face.

The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals between 2016-17.

In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months.

The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain. 

Ciaran Martin, Chief Executive of the NCSC said:

“Like all businesses, law firms are increasingly reliant on IT and technology and, as a result, are falling victim to a range of malicious cyber activity.

“Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also its clients.“

“The NCSC is committed to supporting the legal sector as part of our role to make the UK the safest place to live and do business online and that’s why we feel it’s extremely important to offer the tailored advice and guidance outlined in this report.”

Law firms are an attractive target for cyber attacks as they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions. 

Findings show the most significant cyber threats law firms face include phishing, data breaches, ransomware and supply chain compromise.

The Cyber Threat Assessment for the UK Legal Sector was created in collaboration with major law firms working under the NCSC Industry 100 scheme and the Law Society.

Christina Blacklaws, President of The Law Society said:

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. 

“In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.

“The Law Society sees this report as a positive step to help our members spot vulnerabilities and put relevant safeguards and protections in place.” 

To help firms further, the NCSC and industry partners have launched the ‘Legal Sector’ group on the free Cyber Information Sharing Platform (CiSP).

CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.

Notes to editors

• The full report can be seen here.
• The report’s estimation that £11 million of client money was reported stolen due to cyber crime between 2016-2017 was made by the Solicitors Regulation Authority (SRA).
• The private ‘Legal Sector’ CiSP group is tailored to the needs of UK law firms, giving a wealth of cyber expertise and advice. Full details on membership benefits and joining instructions can be found at www.ncsc.gov.uk/cisp. The NCSC, Law Society or Bold Legal Group can sponsor your organisation, as appropriate.
• The UK Government is fully committed to defending against cyber threats and address the cyber skills gap to develop and grow talent. The NCSC was created as part of the five year National Cyber Security Strategy (NCSS) announced in 2016, supported by £1.9billion of transformational investment 
• The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.
• The UK Government’s behavioural change campaign for cyber security, Cyber Aware, promotes simple measures that small businesses and individuals can adopt to stay more secure online. Cyber Aware’s technical advice is provided by the NCSC. Further information on the campaign can be found here.