
Cyber security threats for 2022

By Dr. Joanne Cracknell | February 1, 2022

With digitised ways of working set to continue for 2022, it’s crucial to understand potential cyber threats and how to deal with them.

As we move into 2022 the online, digitised way of working is set to continue, and this means that businesses will remain vulnerable to the threat of attacks by cyber criminals seeking to take advantage of the online nature of our lives.

At our Annual Legal Services Risk Management Conference held in November 2021, attendees voted that the biggest risk facing their businesses was cyber security risk, and the Solicitors Regulation Authority (SRA) frequently warns of the dangers of cyber crime facing law firms and their clients.

Data Security Incidents

The latest data breach statistics published by the Information Commissioner’s Office (ICO) for the second quarter of 2021/2022, covering the period 1 July 2021 to 30 September 2021[1], confirmed that the reported number of data security incidents had increased to 207 from 198 in the previous quarter[2]. It is worth noting that the lockdown restrictions were fully lifted on 21 June 2021 and that the statistics for the next quarter will be released after 31 January 2022.

The ICO categorises the data breaches into ‘non cyber security incidents’ and ‘cyber security incidents’.

  • Non cyber security incidents: occur as a result of human error and include data being emailed, posted or faxed to the wrong recipient, failure to redact, and the loss or theft of paperwork or data left in an insecure location.
  • Cyber security incidents: occur as a result of a cyber attack and include ransomware, phishing, malware attacks and unauthorised access.

Most common non cyber security incidents reported

The most common cause of a non cyber security incident reported to the ICO by the legal sector for the period 1 July 2021 to 30 September 2021 was data being emailed or posted to the incorrect recipient, which equated to 46% of the total breaches reported. Breaches of this nature occur as a result of human error, often because individuals are working under extreme pressure from clients or tight timescales, and arise from a lack of attention to detail.

The table below sets out the data showing the top two most common causes of non cyber security breaches reported for the legal sector to the ICO for Q1 of 2021/2022 and Q2 of 2021/2022.

Comparison of common non cyber security breaches and their causes, in the legal sector
(Non cyber security breaches reported for the legal sector to the ICO for Q1 of 2021/2022 and Q2 of 2021/2022.)

Cause                                       Q1: 1 April 2021 to 30 June 2021   Q2: 1 July 2021 to 30 September 2021
Data emailed to incorrect recipient         49 out of 198                      72 out of 207
Data posted/faxed to incorrect recipient    28 out of 198                      24 out of 207

Most common cyber security incidents reported

The number of cyber security incidents reported to the ICO for the period 1 July 2021 to 30 September 2021 was considerably lower, equating to 27% of the total breaches reported by the legal sector to the ICO, with phishing attacks (56%) being the most common cause, closely followed by ransomware attacks (31%).

The table below sets out the data showing the top two most common causes of cyber security breaches during Q1 of 2021/2022 compared to Q2:

Comparison of the top two cyber security breach causes
(This table compares the top two most common causes of cyber security breaches during Q1 and Q2 of 2021/2022.)

Cause                  Q1: 1 April 2021 to 30 June 2021   Q2: 1 July 2021 to 30 September 2021
Phishing attacks       37 out of 198                      31 out of 207
Ransomware attacks     15 out of 198                      17 out of 207

Cyber crime continues to grow and evolve and has featured as a priority risk in the SRA’s Risk Outlook reports for many years. The National Cyber Security Centre (NCSC) published its annual review on 17 November 2021[3], which identified ransomware as the most significant cyber threat facing all businesses in the UK, not just law firms. The report noted that during the first four months of 2021 the NCSC handled the same number of ransomware incidents as for the whole of 2020, a figure that was “three times greater than in 2019”.

The NCSC is urging businesses to sign up for its Early Warning scheme, a free service designed to warn organisations about potential cyber attacks on their networks as soon as possible[4]. It has also issued guidance on how to create a ‘cyber incident response exercise’[5].

Businesses need to detect and respond quickly and effectively to cyber breaches, as doing so reduces the financial, operational and reputational damage such incidents can cause. Running cyber security incident exercises can also help firms establish their resilience to a cyber attack. Such exercises allow firms to practise their response in a safe environment, while at the same time creating a culture of education and awareness and identifying areas of vulnerability which may require further investment or resources.

To pay or not to pay the ransom?

If you do experience a ransomware attack, the guidance from the NCSC and law enforcement agencies is that they do not “encourage, endorse, nor condone the payment of ransom demands”[6]. There is no guarantee that you will be able to access the data if you do pay the ransom, as your systems may still be infected. Furthermore, you will be putting yourself at risk of being targeted again, as criminal groups will know that you are willing to pay.

Conclusion

Cyber security risk should form part of a business’ operational resilience strategy, which will help identify, understand and manage any cyber related vulnerabilities to the business. Taking the following actions can help you prepare your organisation against potential ransomware attacks:

  • Carry out regular backups
  • Prevent malware from being delivered and spreading to devices
  • Prevent malware from running on devices
  • Prepare for an incident

Operating a cyber secure culture throughout the law firm and ensuring everyone receives the necessary education and training will help protect against these vulnerabilities and minimise the risk of cyber security incidents arising.

Footnotes

1 Information Commissioner’s Office (n.d.). Data security incident trends. What action we’ve taken in Q2 2021/22 and what you can do to stay secure. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/

2 Information Commissioner’s Office (n.d.). Previous reports. Retrieved from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

3 National Cyber Security Centre. (2021). NCSC Annual Review 2021. Making the UK the safest place to live and work online. Retrieved from: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021

4 National Cyber Security Centre. (May 11, 2021). Early Warning. Retrieved from: https://www.ncsc.gov.uk/information/early-warning-service

5 National Cyber Security Centre. (February 7, 2021). Effective steps to cyber exercise creation. Retrieved from: https://www.ncsc.gov.uk/guidance/effective-steps-to-cyber-exercise-creation

6 National Cyber Security Centre. (September 9, 2021). Mitigating malware and ransomware attacks. How to defend organisations against malware or ransomware attacks. Retrieved from: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Author: Dr. Joanne Cracknell, Director - PI FINEX Legal Services

This article is a part of the 2022 Winter edition of Risk Management Matters.