If you’ve caught up with conveyancing news in the last few days, you’ll have heard about the “cyber incident” affecting around 80 law firms across the UK. Legal sector infrastructure provider CTS has been forced to stop firms from accessing its systems, bringing exchanges and completions to a grinding halt.
This got us thinking, is cybersecurity taken as seriously by conveyancers as it should be? We decided to do some digging. How much of a threat is posed to conveyancers by cybercriminals? And, more importantly, what can your business do to protect itself?
The Risk Is Real
Unfortunately, according to research from the National Cyber Security Centre (NCSC),
65% of law firms have been a victim of a cyber incident in 2023. Meanwhile, cyberattacks on law firms have increased by more than 60% in the last two years, with the number of breaches at the top 100 law firms skyrocketing from 45% in 2018/19 to 73% in the most recent financial year.
Nor is this a problem solely for the biggest law firms. Although many of the highest-profile attacks have naturally concerned large multinationals, cybercriminals are increasingly targeting smaller businesses (including law firms). As a result, 31% of UK SMEs polled in a recent government survey said they were attacked at least once a week in 2022.
What Are the Consequences of a Breach?
It might sound melodramatic, but the consequences of a successful attack can be crippling. From a financial perspective, the outcome of a successful attack can range from a major headache (for larger firms) to business ending for those with shallower pockets. IBM’s Cost of a Data Breach 2022 report pegs the consolidated cost of a data breach in the UK at £3.36 million. Meanwhile, according to UK government estimates the average cost of a data breach to a small business is £4,200.
It’s not only direct financial losses we have to consider. There are costs associated with recovering stolen or encrypted data and lost revenue due to prolonged disruption. And, if a firm is found to be responsible for the breach they could be fined by the Information Comissioner’s Office.
However, more important still, is the potential reputational damage. For conveyancers, reputation is everything. We process reams of sensitive customer data every day and people need to be able to trust us with their data. Once that trust has been dented, it’s very hard to undo the reputational damage. Research suggests that nearly 20% of consumers won’t use a brand that has suffered a breach which can really hit your bottom line.
Why Are Cybercriminals Attacking Conveyancers?
The rationale behind attacking conveyancers isn’t hard to understand. First of all, conveyancers typically process a lot of sensitive customer data. This is like catnip for the average cybercriminal. Data can be held to ransom, sold to the highest bidder, or leaked to cause maximum reputational damage.
Secondly, conveyancers currently represent an easy target. Despite the risks, it’s estimated
35% of law firms still do not have a cyber mitigation plan. Meanwhile, many smaller firms, lack the cybersecurity knowledge to protect themselves, putting them at real risk of a breach.
How Do You Protect Your Business?
So far we’ve mostly dealt in doom and gloom. However, there are a few simple things you can do to dramatically improve your security without spending vast amounts of money.
- Get Cyber Essentials Certified
Cyber Essentials is a government-backed certification scheme, aimed at helping
protect organisations, whatever their size, against the most common cyber attacks. Most cyberattacks are simple and it’s estimated a grounding in the basics will protect your business from 98.5% of them.
The certification is built around five technical controls to secure your organisation against the most common attacks. It’s a great place to start as it will help your business put these measures in place as part of the certification process. Not only helping to protect you but demonstrating to customers you take cybersecurity seriously.
And, it’s recommended by the Law Society.
- Train Your Staff
82% of data breaches involve a human element. However, before we rush to blame Colin in accounts, it’s worth considering whether your staff have ever received any cyber training.If your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them – whether that’s clicking on a link that leads to a ransomware infection or opening a phishing email.
Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them.
- Use MFA
Hopefully, you’re already aware of the importance of strong passwords but, if in doubt, follow the NCSC’s three random words rule. However, a unique password isn’t enough. Alongside this, use multi-factor authentication (MFA) on all accounts – think SMS codes, Google Authenticator, security questions, or bio-authentication such as fingerprints or facial recognition.
It’s easy to set up and adds an extra, near-impenetrable layer of security.
- Regularly Update and patch Software
This one might sound obvious, but by far the simplest and most effective thing you can do to improve your cybersecurity is to download and run software and operating system updates. Even the most reputable software dates and developers occasionally miss things, when this happens it can leave gaps for cybercriminals to exploit.
The regular operating system updates you receive from Windows or Apple often contain ‘patches’ to correct these vulnerabilities, stopping hackers from exploiting them. So run them, you can even set them to auto-update on most devices.
- Protect Employee Devices
The pandemic-induced move to remote working and flexible working has brought with it many benefits. However, it also represents an opportunity for cybercriminals, particularly if staff are working from personal devices that are less secure than company ones.
To counter this:
- Ensure staff are only working through secure networks (clue, not the local cafe) and use a Virtual Private Network (VPN) to make it more difficult for cybercriminals to find and breach their device
- Regularly update antivirus software to protect against common cyber threats
- Enable remote data wiping so administrators can delete sensitive data from lost or stolen devices
- Install full-disk decryption on company devices so cybercriminals can’t access the hard drive
- Backup data and documents
The rationale behind backups is pretty simple: sometimes, bad things happen and, when they do, you want to be sure sensitive data is safe.
Using data backups not only protects you against accidental loss, but it’s also a key weapon against many cyber attacks. Take ransomware as an example; a cybercriminal may have held your data to ransom but, with a backup of that data, your business will still be able to operate while you decide what to do next.
So back up your most important documents and data and be sure to encrypt wherever you store them, be that in the cloud or on a remote server. And, if you’re unsure where to start, use the 3-2-1 backup rule.
- Invest in Specialist Cyber Insurance
Finally, you need some recourse if the worst does happen. A standalone cyber insurance policy will indemnify you against a wider range of scenarios than the bolt-on cover in most business insurance policies. What’s more, most cyber insurers can help you lock down the breach, advise you on what to do in the hours after it happens, and help your business recover.
In conclusion, cybercrime poses a very real threat to conveyancers but that doesn’t mean we’re helpless. Simply following the steps set out above can help your business become that much harder to attack and protect you against all but the most sophisticated threats.
