According to research published this week three firms out of every ten have been subject to a cyber-attack in the past 12 months, while 38% of the country’s top 20 firms have been the target of an attack.
However, the scale of the problem may be even worse as it is thought many attacks go unreported.
The data was drawn from a survey of 107 practices in September and October, conducted by Amárach Research for an annual survey of law firms published by accountancy and consulting firm Smith & Williamson.
The names of the firms who took part in the research have not been disclosed, but researchers did confirm the research consisted of 13 of the top 20 firms in the country, 17 mid-tier firms and 77 small firms.
Over half of the security breaches reported were caused by malware, while 35% involved ransomware, where hackers (take control of and) block access to computer systems until a sum of money is paid. The report said cybercrime was on the rise and one of the biggest emerging threats facing the legal profession.
It described cybercrime as “a clear and present threat to legal practices in Ireland”, warning attacks will occur more frequently. While data on losses by Irish firms has not been disclosed, the report said British professional indemnity insurer QBE had reported around €99m was stolen from client accounts in the previous 18 months in the UK.
Four out of ten Irish firms who were subjected to a cyber-attack suffered “down time” as a result. Smaller firms appeared to be more vulnerable to attacks than larger ones.
Among the top 20 firms, they reported that despite being more likely to be attacked, they had invested in cyber security to the extent where to date such attacks were having little or no impact on their operations.The Smith & Williamson report said firms needed to be cognisant of the risks of having lax security controls or untrained staff.
It said analysing risks requires a review of outsourcing and contractors as well as evaluating the benefits of a cyber insurance policy.
“Law firms present a particularly attractive target for cyber criminals. Firms hold sensitive and potentially valuable data about individuals and corporates and may have significant client account balances on hand,” the report said.
“Losing client data or funds or having sensitive and confidential information exposed may be the most frightening outcome for a law firm resulting from a cyber-attack. Earlier this year it was reported that law firms were the targets of espionage by hackers who tried to obtain merger and acquisition details in order to facilitate insider trading. “Firms acting in this area are likely to remain at risk from both cyber criminals and nation state attacks.”
Simon Loughran head of Information Security for Certification Europe said that this report clearly highlights the dangers of cyber-attacks in Ireland. This trend of attacks can be seen industry wide and needs to be addressed plus with EU GDPR coming into effect, organisations in the legal sector need to be compliant and protected against future and more sophisticated attacks. For this reason, organisations have turned to the ISO 270001 standard to develop a robust information security framework to tackle cyber-attacks and be compliant to European regulations. The Cyber Essentials certification, developed as an industry standard in the UK, which specifically focuses on a determined set of IT Security controls has also been utilised as an additional framework to compliment the overall Information and Cyber Security roadmap.