Pete Watson
In today’s digital age, the importance of robust cyber security measures cannot be overstated. Our recent research at Atlas Cloud has unveiled some startling findings that should serve as a wake-up call for the UK legal sector. We audited over 5,000 UK-headquartered law firms, making it the industry’s largest study of its kind, and the results are both alarming and eye-opening.
One of the most concerning revelations is that almost three-quarters of UK law firms have at least one employee password leaked into publicly available sources. This means that, for every person working in the sector, there is at least one username and password combination available for criminals to purchase. The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm.
While multi-factor authentication can help mitigate this risk, it is not foolproof. Criminals have been known to find ways around it by tricking users into doing something. Therefore, the only true way to eliminate this threat is by ensuring everyone representing your firm has a strong awareness of the tactics criminals are using today.
Our study also found that less than half of the firms have implemented DMARC, a key protective factor that stops criminals from hijacking corporate domains. A hijacked domain would allow an unlawful actor to send emails that appear to come directly from the firm, opening up numerous opportunities for exploitation. DMARC is essential in this sector. While it is essentially a policy that you just switch on, doing so could cause operational disruptions. Firms usually start with a simple analyser tool to eliminate any risk to billable time. Thankfully, most firms I speak with are either compliant or working towards it.
Another significant finding from our research is the size of firms’ digital attack profiles. Over half of the firms have “Large” attack profiles, but only 11% of big firms (employing over 5,000) operate a Large profile. If the majority of big firms can operate a small attack profile, any firm can. Being a mile wide and an inch deep does not do any good when it comes to cyber security.
Our study also assessed alignment with the Government-backed Cyber Essentials scheme. Fewer than one in seven firms were certified as having achieved the nationally recognised minimum level of protective measures. This does not necessarily mean that six in seven firms do not have these factors in place, but Cyber Essentials is recommended as part of Lexcel accreditation and is required for all public sector case work – making it an important certification to have.
Finally, the research revealed the industry’s adoption of specialised phishing protection technologies. At least half of the firms employ a solution to filter out emails suspected as impersonation, a tactic that standard ‘spam’ filters are not able to recognise. Given that phishing is the number one cause of breach according to Official UK statistics, this figure offers a warning to firms that do not have a solution in place.
In conclusion, the findings from our research highlight the urgent need for law firms to bolster their cyber security measures. At Atlas Cloud, we are committed to helping firms transition to a modern IT infrastructure at their own pace and at the lowest possible risk to billable time. By working together, we can ensure that the UK legal sector remains secure and resilient in the face of ever-evolving cyber threats.
To read more from Atlas Cloud about this you can find the news report here.