Business Overdrafts
Be financially flexible with a business overdraft.
Read time : 10 mins Added: 19/05/2023
Amidst the surge in digitalisation, cybercriminals are mobilising on an industrial scale. 39% of businesses in the UK identified a cyberattack during 2022, with at least one in five (21%) experiencing a sophisticated attack such as ransomware or malware. Hackers have more opportunities than ever at their fingertips, meaning that an attack is no longer a case of ‘if’, but ‘when’. What’s more, given that law firms have access to valuable transactions and data, the legal sector is a lucrative target.
Law firms are the linchpins of business and commercial transactions. They enable high value deals, handle significant sums of money and store huge quantities of confidential client data. As a result, they offer an attractive opportunity to cybercriminals looking to either steal these assets, or use them to extort the firm. This is confirmed by the volume of attacks experienced by solicitors; 75% of firms interviewed by the Solicitors Regulation Authority (SRA) had been the subject of a cyberattack.
The dramatic uptick in remote working and the increased use of processes such as eDiscovery1 for litigation mean that more information than ever before can be accessed digitally – leaving firms especially vulnerable to attack.
As a result, there is no room for complacency: the question should be less about whether your law firm will be attacked, and more about whether you will be prepared when it does.
The most common cyberthreat facing law firms is phishing, or the practice of sending emails or messages to manipulate users into revealing sensitive information. In 2020, 83% of attacks on businesses were deployed via phishing techniques, with just under half (48%) reporting that phishing was the sole form of cyberattack they had experienced.
While some examples of phishing or social engineering can be easy to identify, with spelling errors, requests for payment via links, incorrect company logos and anonymous or unknown senders all pointing towards the likelihood of a phishing attempt, techniques have become more advanced. The use of ‘spear phishing’ – a more targeted attempt which uses specific or personal information of interest to the target – means that the cybercriminal’s fraudulent email can be well informed and look indistinguishable to the real thing.
Law firms should also be conscious of other cyberthreats such as ‘man-in-the-middle’ attacks, which can be used to misdirect funds, and SQL injections (the insertion of malicious code into the target’s system, application or website). Malware and ransomware also represent risks to the legal sector, especially since the latter is designed to block access to vital systems and services, such as client databases and sensitive documents. Ransomware attacks are gathering speed, with the number of incidents reported to the Information Commissioner’s Office (ICO), doubling between 2020 and 2021.
Finally, cybercriminals rely on us to make mistakes. According to the World Economic Forum, 95% of cybersecurity issues can be traced back to human error (PDF, 5.6MB) – from clicking a fraudulent link to using an easy-to-decipher password or simply sending an email to an unintended recipient.
Effective cybersecurity requires everyone in an organisation to understand the risks and take active steps to mitigate them.
When a cybercriminal strikes, the cost – both financially and in terms of resources – can extend far beyond the attack. Directly, there is the cost of the attack itself, which could come either in the form of the funds stolen from the firm, or in the money (often in the form of cryptocurrency) demanded by the cybercriminals via blackmail.
However there is also the aftermath to consider, in terms of the cost of complying with UK GDPR regulations. In the event of an attack that leads to a data breach, the firm must inform the ICO within 72 hours and notify any affected individual of the loss of their data, which can be expensive both in terms of time and the required expertise.
On another level, there are also the costs incurred as a result of the disruption caused to consider, particularly in the event of a ransomware attack during which all files will be encrypted and systems rendered useless. According to the SRA, one firm lost £150,000 worth of billable hours as a result of an attack which crippled their system and resulted in their solicitors being unable to do their jobs.
The financial repercussions of a cyberattack can also occur on a long-term basis in the form of reputational damages. The loss of clients’ trust can devastate a business such as a law firm, whose core proposition is dependent on reliability, responsibility and security.
Finally, although the attack is digital, the effects can be very much human. Firms interviewed by the SRA confirmed that cyberattacks caused life-changing repercussions including an increased level of stress and debilitating anxiety among staff, impacts on employee’s ability to retire, and firings and demotions.
Threat-actors arbitrarily attack organisations and activity has only proliferated owing to the increased surface-attack area amid remote working, and the increased cross-pollination of supply chains. Coupled with a greater dependency on outsourced IT vendors and an ever-increasing move to public cloud platforms, this presents greater opportunities for the exploit of personal data or the infiltration of funds; stored, transferred or held in escrow. It is not a matter of if, but when, for organisations of any operation or size.
Simon Brookes Managing Director, Financial and Professional Risks, AJ GallagherJust as you’d use a number of different security measures to keep your physical premises safe – from multiple locks to alarms and security cameras – the same should be true when it comes to defending your business online.
Here are seven tips to ensure that your firm is prepared in the event of an attack:
In addition to the above, consider the questions expressed in our Cyber Risk Guidance (PDF, 5.1MB), such as:
As digital transformation surges, cyberattacks on businesses – especially in the legal sector – have become inevitable. Lloyds Bank is here to support you as you develop your cybersecurity strategy, so speak to your Relationship Manager for more information on how we can play a role in defending your firm.
1 eDiscovery is a process that enables solicitors to identify and supply digital information that can be used as evidence.
2 Lloyds Bank plc is an introducer to Arthur J. Gallagher Insurance Brokers Limited who arrange and administer Lloyds Bank Business Insurance Services and source products from a panel of insurers.