Throughout cybercrime’s relatively brief history, there have been a handful of key moments at which entire industries have been jolted into viewing the problem in an entirely new light.
For the legal sector, this moment arrived in July 2018 with the publication of a joint National Cyber Security Centre (NCSC) and Law Society report. The report, ‘Cyber Threats to the UK Legal Sector’, revealed not only that three in five law firms had reported an information security incident in the previous 12 months, but that one legal partner received over 11,500 phishing emails per month into their inbox. That amounts to roughly 575 email threats landing amongst the legitimate emails on every working day.
Phishing emails can take many forms, from purportedly being sent from the senior partner at the firm asking for confidential documents[1] to be sent to them or for an invoice to be paid, to a third party in a conveyancing chain requesting funds be redirected to a new holding account.
The threat can seemingly come from anyone internally, or from a supplier, partner or client - it is fairly straightforward for anyone with minimal technical knowledge to spoof a domain and send out emails purporting to come from anyone at it. And these are only a few examples of business-related emails. Throw in personal emails on the firm’s network and the exposure to cyber threats grows sharply.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a globally recognised industry standard that lets a receiving mail server verify that a message genuinely comes from the domain it claims to be sent from, so that an attacker cannot impersonate the law firm’s domain and use it to commit email fraud. DMARC is one of the minimum cyber security standards required by the British Government of all departments and their contractors.
Already implemented by the leading law firms, the standard provides a method of email authentication that allows the receiving mail system to know that the email which landed in the inbox is from a legitimate sender. This in turn makes a fraudulent email more recognisable to the recipient, or can mean that such emails never reach the mailbox at all, so that attackers are unable to reach their intended target. Without DMARC in place, law firms that fall victim to an attack are not covered by their insurance and will be subjected to higher premiums. This means that a phishing attack can continue to be detrimental to a firm long after the initial loss.
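To make concrete what the standard does when a receiving mail server applies it, here is a small DMARC policy evaluator. It is an added example written for this article, not code from the NCSC, the Law Society or any DMARC library. The two DNS TXT records, the domain names (example-lawfirm.test, attacker-mail.test) and the authentication results are all constructed for illustration, and the organisational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List). The first record shows the weak monitoring-only setting (p=none), which lets a spoofed message through; the second shows the enforcing setting (p=reject) that actually stops it.

```python
"""Minimal DMARC policy evaluator (added example, not from the article).

A receiver looks up _dmarc.<From domain>, checks whether SPF or DKIM passed
for a domain *aligned* with the visible From address, and, if neither did,
applies the policy the domain owner published (none / quarantine / reject).
"""
from dataclasses import dataclass

# Constructed sample records, as they would appear in the TXT record at
# _dmarc.example-lawfirm.test. The first only asks for reports; the second
# tells receivers to reject unauthenticated mail and demands strict alignment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-lawfirm.test"
STRICT_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example-lawfirm.test")

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("record must carry a valid p= policy")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption; real
    implementations use the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain in the visible RFC5322.From header
    spf_pass: bool     # did SPF pass for the envelope MAIL FROM domain?
    spf_domain: str    # the domain SPF was evaluated against
    dkim_pass: bool    # did a DKIM signature verify?
    dkim_domain: str   # the d= domain of that signature ("" if none)


def evaluate(record_txt: str, result: AuthResult) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, otherwise the
    disposition the published policy asks for."""
    tags = parse_dmarc(record_txt)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, tags["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed scenario: a message whose From header claims the law firm's
# domain but was sent through infrastructure the firm never authorised.
SPOOFED = AuthResult("example-lawfirm.test", True, "attacker-mail.test", False, "")
# Constructed scenario: genuine mail signed and sent by the firm itself.
GENUINE = AuthResult("example-lawfirm.test", True, "example-lawfirm.test",
                     True, "example-lawfirm.test")

if __name__ == "__main__":
    print("spoofed, p=none  :", evaluate(WEAK_RECORD, SPOOFED))    # none
    print("spoofed, p=reject:", evaluate(STRICT_RECORD, SPOOFED))  # reject
    print("genuine, p=reject:", evaluate(STRICT_RECORD, GENUINE))  # pass
```

The point the two records make is that publishing DMARC is not the same as enforcing it: with p=none the receiver still delivers the spoofed message and merely sends the firm an aggregate report, whereas p=reject instructs it to refuse the message outright. A firm typically starts at p=none to discover which legitimate senders (newsletter platforms, case-management systems) are not yet authenticating, then moves to quarantine and finally reject.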
Law firms should view the NCSC’s report as a call to action and use the information provided to protect themselves. Cyber attacks are now commonplace and a matter of when, not if. Once DMARC has been implemented, protection is guaranteed, and any costs incurred in acquiring DMARC will be far outstripped by the financial consequences of a breach, a fine, or the loss of an insurance payout.
[1] The SRA Risk Outlook 17/18 contains a case study of a law firm whose HR Manager sent personnel details to a bad actor using a managing partner’s email address.