A new study examining the security practices of law firms has found that only one organisation out of the top 100 UK firms, Walker Morris, has sufficient measures in place to fully protect against email fraud.
With the threat of phishing attacks increasing by 65% in 2016, this revelation serves as a stark warning to law firms in the possession of the strictest of confidential consumer information.
The research, undertaken by cloud data intelligence company OnDMARC, comes in the wake of recent reports that UK law firms saw an unprecedented 45 cases of cyber theft in the first quarter of 2017. With law firms under a duty to replace any lost client monies, OnDMARC warns that the financial burden of future email fraud attacks could be crippling.
“With over 10,000 law firms operating in the UK, handling sensitive and hugely confidential commercial and private data, there is a real opportunity for scammers to target the legal sector,” said Dr. Rois Ni Thuama, head of cybersecurity governance partnerships and legal, OnDMARC.
“Many law firms either don’t understand the risk or assume that their existing email systems will do the job of protecting them, even though our study very quickly demonstrated that it’s all too easy for a criminal to exploit these firms’ email domains in order to impersonate the company and send out fraudulent messages to external clients and stakeholders.”
The research shows firms questioned by OnDMARC incorrectly assumed that their existing IT security solutions would cover their organisation against sender fraud.
According to OnDMARC, this is because these solutions don’t provide compliance with DMARC (domain-based message authentication, reporting and conformance), a recently ratified email protocol that has been approved and endorsed by the National Cyber Security Centre, part of GCHQ, as the only sure-fire way of stamping out email spoofing.
The Solicitors Regulation Authority’s annual Risk Outlook report provides the sector with the latest advice on tackling information security breaches. Technology solutions such as DMARC should be included to enable law firms to fully protect client data and monies.
“We’re usually quick to blame human users as the most insecure element of the cyber security chain, but in the case of email spoofing, it’s the basic email systems that are being duped, which is a big reason why legal firms have experienced losses, mainly via phishing, of over £3 million in just three months,” continued Ni Thuama.
“Implementing DMARC will enable the 99% of firms currently susceptible to email impersonation to combat this type of email fraud and thus help to prevent them from suffering reputational or financial damage with their client base further down the line. Legal firms such as Walker Morris should be applauded for implementing the necessary measures to thwart the risks of data theft.”
Besides public sector bodies such as HMRC or the NHS, the threat of data theft from law firms would represent the greatest break of client trust. May 2018’s GDPR is set to transform data protection, and organisations of any sector should be encouraged to correctly configure their domains to prevent email impersonation, thus minimising security breaches.