Law firms report 50% increase in cyber-attacks in the past year

According to research published this week, three firms out of every ten have been subject to a cyber-attack in the past 12 months, while 38% of the country’s top 20 firms have been the target of an attack.

However, the scale of the problem may be even worse as it is thought many attacks go unreported.

The data was drawn from a survey of 107 practices in September and October, conducted by Amárach Research for an annual survey of law firms published by accountancy and consulting firm Smith & Williamson.

The names of the firms who took part in the research have not been disclosed, but researchers did confirm the research consisted of 13 of the top 20 firms in the country, 17 mid-tier firms and 77 small firms.

Over half of the security breaches reported were caused by malware, while 35% involved ransomware, where hackers take control of computer systems and block access to them until a sum of money is paid. The report said cybercrime was on the rise and one of the biggest emerging threats facing the legal profession.

It described cybercrime as “a clear and present threat to legal practices in Ireland”, warning attacks will occur more frequently. While data on losses by Irish firms has not been disclosed, the report said British professional indemnity insurer QBE had reported around €99m was stolen from client accounts in the previous 18 months in the UK.

Four out of ten Irish firms who were subjected to a cyber-attack suffered “down time” as a result. Smaller firms appeared to be more vulnerable to attacks than larger ones.

The top 20 firms reported that, despite being more likely to be attacked, they had invested in cyber security to the extent that such attacks were to date having little or no impact on their operations. The Smith & Williamson report said firms needed to be cognisant of the risks of having lax security controls or untrained staff.

It said analysing risks requires a review of outsourcing and contractors as well as evaluating the benefits of a cyber insurance policy.

“Law firms present a particularly attractive target for cyber criminals. Firms hold sensitive and potentially valuable data about individuals and corporates and may have significant client account balances on hand,” the report said.

Losing client data or funds or having sensitive and confidential information exposed may be the most frightening outcome for a law firm resulting from a cyber-attack. Earlier this year it was reported that law firms were the targets of espionage by hackers who tried to obtain merger and acquisition details in order to facilitate insider trading. “Firms acting in this area are likely to remain at risk from both cyber criminals and nation state attacks.”

Simon Loughran, head of Information Security for Certification Europe, said that this report clearly highlights the dangers of cyber-attacks in Ireland. This trend of attacks can be seen industry wide and needs to be addressed; moreover, with EU GDPR coming into effect, organisations in the legal sector need to be compliant and protected against future and more sophisticated attacks. For this reason, organisations have turned to the ISO 27001 standard to develop a robust information security framework to tackle cyber-attacks and be compliant with European regulations. The Cyber Essentials certification, developed as an industry standard in the UK, which specifically focuses on a determined set of IT security controls, has also been utilised as an additional framework to complement the overall Information and Cyber Security roadmap.
