NCSC warns of cyber threats to UK law firms

The United Kingdom National Cyber Security Centre (part of GCHQ) has warned again about the cyber threats to UK law firms. The renewed threat is largely being driven by legal practices adopting hybrid working patterns resulting from the pandemic, with staff increasingly spending more time working from home. More background is available in an article published in The Register on 26th June 2023.

Since law firms by definition handle highly confidential information, and are increasingly dealing with very large sums of cash on behalf of their clients, the opportunity for criminals to interfere with the transfer of information is enormous. In the words of NCSC, law firms are “particularly attractive targets to attackers”.

Cyber threats to UK law firms are not new – Safe4 Information Management was formed in 2010 specifically to allow organisations to exchange information with external parties without compromising the confidentiality of the information in question. Safe4 works with a number of law firms, both large and small, and has provided its secure vault-based service to legal practices across the UK. One of the key elements in the approach adopted by Safe4 is that confidential information is NEVER transferred by email. Invitations and notifications are sent by email, but users have to authenticate themselves with a username, password and optionally 2-factor authentication before any confidential information is made available.

One of the instances where this is most valuable is with the provision of bank details by clients. Using the structured data capabilities of Safe4, clients can be invited to enter their bank details into an online form, which, when completed, notifies the professional practitioner that the data has been provided. The practitioner, or fee-earner, will then have read-only access to this information after they have carried out the necessary authentication. The bank details can then be used for their intended purpose, and optionally transferred into other internal systems by API.

The Register article makes the point that some of the attackers are nation states, with access to very sophisticated tools. In particular, brute-force attack technologies are being used to penetrate systems by exploiting weak passwords. To mitigate this risk, Safe4 has implemented NCSC recommendations relating to password length and strength.

All of the information held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Safe4 is penetration tested regularly, and is accredited under the UK Cyber Essentials scheme by Government-approved organisations under the CHECK protocol.

If you would like more information on how Safe4 can help with the battle against cyber attack, please contact us. We will be delighted to assist.