80 UK conveyancing firms were affected by a cyber attack on IT provider, CTS, in December 2023. Hundreds of property transactions couldn’t be completed and it was a stark reminder of the importance of keeping cyber security up to date.
It’s tempting to believe that local Tunbridge Wells businesses won’t be targeted, but it’s not true. Hackers are increasingly targeting SMEs looking for digital vulnerabilities and solicitors, who deal with sensitive data and high-value financial transactions, are a prime target.
The risks for law firms in Tunbridge Wells
Tunbridge Wells has a large number of well-established and well-respected solicitor’s firms. This may even make the town a more obvious target for cyber criminals hoping to score an easy hit.
Even small solicitor’s firms tend to hold high volumes of funds in their accounts, making them an attractive target for cyber criminals.
Typically, these are the kinds of cyber attacks aimed at legal firms:
- phishing
- ransomware
- email modification fraud
Phishing
Spoof emails are sent that encourage the recipient to download malicious software (ransomware or malware) or to share their log in credentials. The user is manipulated into either downloading a file or clicking a link that takes them to a spoof log-in page, where they enter their details.
In each case, the objective is to capture log-in credentials for your company’s IT systems (email passwords, file storage systems, CRM system, client account details) so that attackers can steal sensitive information like case files, contracts or financial details.
Some phishing emails are easily spotted as fakes, but far more subtle attempts are on the rise for targeting businesses. A fake email address with a zero in place of the letter ‘O’, for example, is very difficult to spot, especially in a busy workday.
Ransomware
Once an employee has unintentionally downloaded malicious software, this gives it access to your IT infrastructure. Any parts of your system that employee can access are vulnerable. The worst case scenario is for the ransomware to hijack your systems and lock the entire company out of its own file storage and email.
The goal of a ransom attack is to blackmail your company into paying for the release of your data. As with phishing attempts, attackers find their way in by tricking employees so they believe they are responding to a legitimate request from a colleague or other respected authority like a client, a supplier or a bank representative.
Email modification fraud
This is a highly targeted type of cyber attack where the hackers send instructions, purporting to be from a client or a supplier, that modify previous instructions from that client or supplier. This will usually request a change in payment details, diverting funds to the attackers.
While it’s true that a legal firm will have a protocol for checking any changes to instructions, the Solicitors Regulation Authority (SRA) shares that there are still examples of firms being caught out. In 2020, email modification fraud accounted for 68% of all reports of cyber incidents received by the SRA.
6 ways for Law Firms to improve Data Security
1. Data mapping and security review
If you’re uncertain about your current level of risk, we advise starting with an audit. Firstly, map all the ways and locations you store data and all the ways it is transferred to moved.
This includes:
- Where files are stored, on all devices across the firm and cloud storage.
- How this data is encrypted while in storage.
- Your email system, including the security of data sent by email.
- How data is encrypted while it is transferred.
- How and when data is backed up, so it can be easily recovered.
To do this thoroughly is a big task and should be carried out at regular intervals. A trusted, local IT company can take care of this and give you the peace of mind you won’t miss anything. At Heliocentrix we offer Security and Productivity audits for Microsoft 365 to take this off your plate.
2. Proper device management
Just one unsecured device creates vulnerability for your whole organisation, and we now use many devices in many different locations.
Your employees will have a laptop and a smart phone, they may have a desktop computer at your Tunbridge Wells office, will sometimes be working at the court and they may use other devices at home. They all need appropriate levels of security and this is sometimes referred to as endpoint security.
As with most cyber security, there is a technical component and a human component. You need robust systems in place that protect your digital data so only those who are authorised can access it. It’s also critical your employees are vigilant about setting strong passwords and not sharing log-in data.
3. User access controls and multifactor authentication (MFA)
Protection of client data is regulated in various ways by the SRA Code of Conduct (Solicitors Regulatory Authority), GDPR and Lexel (Law Society quality mark). Whatever systems you use for file storage, case management, email and other communication between colleagues, they must be set up with appropriate access controls that comply with the requirements and limit access to the relevant employees.
Multifactor authentication is now essential to verify the person attempting to log-in is the authorised account holder, providing another level of protection even if log-in data falls into the wrong hands.
The expertise of a local, Tunbridge Wells-based IT firm, with experience in setting up legal IT systems can be invaluable. By understanding the regulatory environment, as well as the IT capability, they can quickly and efficiently find solutions for your specific needs.
4. Email security and anti-phishing
Phishing attempts are the most common form of cyber attack towards smaller businesses, so it makes sense for Tunbridge Wells businesses to invest in appropriate defences.
As mentioned under point 2, above, this depends on robust technical infrastructure alongside raising awareness among employees. A robust email platform, like Microsoft 365, will include enterprise level encryption and email filters that block suspicious emails.
This won’t catch everything though, as hackers are continually evolving their techniques. Training for your employees is essential so they can spot suspicious messages and avoid falling victim.
A good, local IT provider will be able to provide both technical support and training, including phishing simulations, so you don’t have to worry about gaps in your cyber security.
5. Awareness and training for all staff
The importance of staff training in cyber awareness cannot be overestimated. The biggest vulnerability for all businesses, whether large or small, is it staff. Cyber attackers are well aware of this and will usually direct their efforts towards your employees, as it’s usually the easiest way in.
At Heliocentrix, we consult with our clients about both the technical requirements and the training requirements. Our Cyber Awareness Training ensures your people are fully aware of the risks and their part in mitigating them.
6. Be proactive
The most effective way to deal with cyber attacks is to take a proactive approach. Security audits, a robust back up process, ensuring the latest software is in place and regular training for staff all serve to highlight security risks and stop them becoming a serious data breach.
At Heliocentrix, we know that as a busy legal firm in a thriving town like Tunbridge Wells your leadership team don’t have the time or the expertise to take on everything themselves.
That’s why we love the work we do: equipping you with the data security you need so you can keep providing your clients with the highest levels of service and confidentiality.
Support from your friendly, local IT expert
We start with a security audit and will then advise and implement on systems and training. Talk to our team about our wide ranging IT Support in Tunbridge Wells.