As we move into 2022 the online digitised way of working is set to continue, and this will mean that businesses continue to be vulnerable to the threat from attacks from cyber criminals seeking to take advantage of the online nature of our lives.
At our Annual Legal Services Risk Management Conference held in November 2021, attendees voted that the biggest risk facing their businesses was cyber security risk and the Solicitors Regulation Authority (SRA) frequently warns of the dangers of cyber crime facing law firms and their clients.
The latest data breach statistics published by the Information Commissioner’s Office (ICO) for the second quarter of 2021/2022, covering the period 1 July 2021 to 30 September 2021 [1], confirmed that the reported number of data security incidents had increased to 207, up from 198 in the previous quarter [2]. It is worth noting that the lockdown restrictions were fully lifted on 21 June 2021 and that the statistics for the next quarter will be released after 31 January 2022.
The ICO categorises the data breaches into ‘non cyber security incidents’ and ‘cyber security incidents’.
The most common cause of non cyber security incidents reported to the ICO by the legal sector for the period 1 July 2021 to 30 September 2021 was data being emailed or posted to the incorrect recipient, which equated to 46% of the total breaches reported. Breaches of this nature are the result of human error, often because individuals are working under extreme pressure from clients or tight timescales, and arise from a lack of attention to detail.
The table below sets out the data showing the top two most common causes of non cyber security breaches reported for the legal sector to the ICO for Q1 of 2021/2022 and Q2 of 2021/2022.
Cause | Q1: 1 April 2021 to 30 June 2021 | Q2: 1 July 2021 to 30 September 2021 |
---|---|---|
Data emailed to incorrect recipient | 49 out of 198 | 72 out of 207 |
Data posted/faxed to incorrect recipient | 28 out of 198 | 24 out of 207 |
The number of cyber security incidents reported to the ICO for the period 1 July 2021 to 30 September 2021 was considerably lower, equating to 27% of the total breaches reported by the legal sector to the ICO, with phishing attacks (56%) the most common cause, closely followed by ransomware attacks (31%).
The table below sets out the data showing the top two most common causes of cyber security breaches during Q1 of 2021/2022 compared to Q2:
Cause | Q1: 1 April 2021 to 30 June 2021 | Q2: 1 July 2021 to 30 September 2021 |
---|---|---|
Phishing attacks | 37 out of 198 | 31 out of 207 |
Ransomware attacks | 15 out of 198 | 17 out of 207 |
Cyber crime continues to grow and evolve and has featured as a priority risk in the SRA’s Risk Outlook reports for many years. The National Cyber Security Centre (NCSC) published its annual review on 17 November 2021 [3], which identified ransomware as the most significant cyber threat facing all businesses in the UK, not just law firms. The report noted that in the first four months of 2021 the NCSC handled the same number of ransomware incidents as in the whole of 2020, a figure that was “three times greater than in 2019”.
The NCSC is urging businesses to sign up for its Early Warning scheme, a free service designed to warn organisations about potential cyber attacks on their networks as soon as possible [4]. It has also issued guidance on how to create a ‘cyber incident response exercise’ [5].
Businesses need to detect and respond quickly and effectively to cyber breaches, as doing so reduces the financial, operational and reputational damage such incidents can cause. Running cyber security incident exercises can also help firms establish their resilience to a cyber attack. Such exercises allow firms to practise their response in a safe environment, while creating a culture of education and awareness and identifying areas of vulnerability which may require further investment or resources.
If you do experience a ransomware attack, the guidance from the NCSC and law enforcement agencies is that they do not “encourage, endorse, nor condone the payment of ransom demands” [6]. There is no guarantee that you will regain access to your data if you do pay the ransom, as your systems may still be infected. Furthermore, you will be putting yourself at risk of being targeted again, as criminal groups will know that you are willing to pay.
Cyber security risk should form part of a business’s operational resilience strategy, which will help it identify, understand and manage any cyber related vulnerabilities. Taking the following actions can help you prepare your organisation against potential ransomware attacks:-
Operating a cyber secure culture throughout the law firm, and ensuring everyone receives the necessary education and training, will help protect against these vulnerabilities and minimise the risk of cyber security incidents arising.
[1] Information Commissioner’s Office (n.d.). Data security incident trends: What action we’ve taken in Q2 2021/22 and what you can do to stay secure. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/
[2] Information Commissioner’s Office (n.d.). Previous reports. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/
[3] National Cyber Security Centre (2021). NCSC Annual Review 2021: Making the UK the safest place to live and work online. Retrieved from: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021
[4] National Cyber Security Centre (11 May 2021). Early Warning. Retrieved from: https://www.ncsc.gov.uk/information/early-warning-service
[5] National Cyber Security Centre (7 February 2021). Effective steps to cyber exercise creation. Retrieved from: https://www.ncsc.gov.uk/guidance/effective-steps-to-cyber-exercise-creation
[6] National Cyber Security Centre (9 September 2021). Mitigating malware and ransomware attacks: How to defend organisations against malware or ransomware attacks. Retrieved from: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks