New Research: Monday 16th September 2024
New research by Atlas Cloud reveals that almost three-quarters of UK law firms have at least one employee password leaked into publicly available sources.
The IT services company audited over 5,000 UK-headquartered law firms for cyber security competence, making it the industry’s largest study of its kind. The study looked at breached passwords, phishing protection, email hijack protection and analysed the size of each firm’s attack profile. They also assessed alignment with the UK Government’s Cyber Essentials programme, which covers a range of defence mechanisms.
Of the 5,140 firms audited, 72.2% had one or more instances of employee username and password combinations evident in lists circulating on the Dark Web. In total, auditors Atlas Cloud found just over one million (1,001,313) passwords relating to firms in the study. This averages out at 195 password combinations per firm, or 1.27 per individual – meaning that for every person working in the sector, there is at least one username and password combination available for criminals to purchase.
Cybercriminals use leaked username and password combinations to log in to a firm’s IT systems, looking to gain access to valuable information or intercept a transaction. In conveyancing, for example, criminals commonly attempt to redirect purchase transactions away from a firm’s holding account – often leaving the firm liable for any lost funds.
Pete Watson, CEO of Atlas Cloud, advises Partners and IT Directors:
“The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm. You can minimise this risk by applying multi-factor authentication on your systems, which adds an additional one-time authentication token, but criminals have been known to find ways around this too.
“It’s circumvented by tricking users to do something. That means the only true way to eliminate this threat is ensuring everyone representing your firm has a strong awareness of the tactics criminals are using today.”
Pete Watson – CEO, Atlas Cloud
The study found more cyber threats to be aware of. DMARC, the email authentication policy that lets a firm tell receiving mail servers to quarantine or reject messages which claim to come from its domain but fail SPF or DKIM checks, has been implemented by less than half (46.2%) of firms. Without it, a criminal can send emails whose From address is the firm’s own domain, so that they appear to come directly from the firm, opening up numerous opportunities for exploitation.
Watson elaborates on DMARC:
“DMARC is essential in this sector. While it’s essentially a policy that you just switch on, doing so could cause operational disruptions. Firms usually start with a simple analyser tool to eliminate any risk to billable time. Thankfully, most firms I speak with are either compliant or working towards it”.
Pete Watson – CEO, Atlas Cloud
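The staged DMARC rollout described above (publish a record in monitoring mode first, then move to an enforcing policy once the reports show nothing legitimate would be blocked) can be checked directly from the `_dmarc` TXT record. The following is an added example for this page, not Atlas Cloud’s audit tooling: it parses a DMARC record and grades how far along that rollout the domain is. The sample records are constructed for illustration (the `.invalid` top-level domain resolves nowhere) and belong to no real firm.

```python
"""Parse a DMARC TXT record and grade the none -> quarantine -> reject rollout.

Added example; not Atlas Cloud's code. SAMPLE_RECORDS are constructed,
not real firms' DNS.
"""
from __future__ import annotations

# Constructed sample records, keyed by the rollout stage each illustrates.
SAMPLE_RECORDS = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.invalid",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-firm.invalid; adkim=s; aspf=s",
    "reject":     "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-firm.invalid",
    "partial":    "v=DMARC1; p=reject; pct=10",
    "not_dmarc":  "v=spf1 include:_spf.example-firm.invalid -all",  # SPF published at _dmarc by mistake
}

VALID_POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    RFC 7489 requires 'v=DMARC1' as the first tag; anything else raises ValueError.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def grade_dmarc(record: str | None) -> dict:
    """Return the effective policy and a verdict for one _dmarc TXT record.

    Verdicts: 'absent' (no usable record), 'monitoring' (p=none: the analyser
    stage, nothing is blocked yet), 'partial' (an enforcing policy applied to
    only pct% of failing mail) and 'enforcing' (quarantine or reject at 100%).
    """
    if not record:
        return {"verdict": "absent", "warnings": ["no _dmarc TXT record"]}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"verdict": "absent", "warnings": [str(exc)]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"verdict": "absent", "warnings": [f"invalid or missing p= tag: {policy!r}"]}

    # pct defaults to 100 and only matters once the policy is enforcing.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    pct = max(0, min(pct, 100))

    warnings: list[str] = []
    if "rua" not in tags:
        warnings.append("no rua= address: you will not see who is sending as your domain")

    # sp= falls back to p= when omitted; a weaker sp= leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        warnings.append(f"invalid sp= value {sub_policy!r}; treating it as p=")
        sub_policy = policy
    elif VALID_POLICIES.index(sub_policy) < VALID_POLICIES.index(policy):
        warnings.append(f"subdomain policy sp={sub_policy} is weaker than p={policy}")

    if tags.get("adkim", "r").lower() == "r" and tags.get("aspf", "r").lower() == "r":
        warnings.append("relaxed alignment: any subdomain of the From: domain passes")

    if policy == "none":
        verdict = "monitoring"
    elif pct < 100:
        verdict = "partial"
    else:
        verdict = "enforcing"

    return {
        "verdict": verdict,
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "reporting": "rua" in tags,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for stage, rec in SAMPLE_RECORDS.items():
        result = grade_dmarc(rec)
        print(f"{stage:>11}: {result['verdict']:<10} {result['warnings']}")
```

A record graded `monitoring` is what the quote above calls the analyser stage: receivers send aggregate reports to the `rua=` address but still deliver spoofed mail. The `pct=` tag is the knob for moving to enforcement gradually, which is why a `reject` policy at `pct=10` is graded `partial` rather than `enforcing`.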
Atlas Cloud’s study also categorised firms’ digital attack profiles by size and cross-referenced this with the size of the firm.
They described over half (53.7%) of firms’ attack profiles as “Large”, but found only 11% of big firms (employing over 5,000) operated a Large profile, and described the majority of those as “Low” or “Very Low”. A quarter of firms had “Medium” profiles, leaving the rest as Low (9.8%) or Very Low (11.6%).
Watson comments:
“When it comes to cyber security, being a mile wide and an inch deep doesn’t do you any good. If the majority of big firms can operate a small attack profile, any firm can.”
Pete Watson – CEO, Atlas Cloud
The study also assessed alignment with a Government-backed scheme called Cyber Essentials. It found fewer than one in seven firms (14.7%) were certified as having achieved the nationally recognised minimum level of protective measures. Researchers stressed this doesn’t necessarily mean six in seven firms don’t have these factors in place; however, Cyber Essentials is recommended as part of Lexcel accreditation and is required for all public sector case work.
Finally, the research also revealed the industry’s adoption of specialised phishing protection technologies. It found at least half (53.1%) of firms employ a solution to filter out emails suspected as impersonation, a tactic that standard ‘spam’ filters aren’t able to recognise. The research wasn’t able to validate for sure that the remaining 46.9% of firms don’t employ such technologies but, given the volume that they were able to validate, the figure offers a warning to firms that don’t have a solution in place.
According to official UK statistics, phishing is the number one cause of breach (Cyber Security Breaches Survey, 2024) and has been for many years.
More information
Atlas Cloud offers cyber security and managed IT services to law firms large and small.
Aiming to help Partners and IT Directors de-risk the firms that they represent, the Atlas Cloud team are keen to share individual reports from the analysis with relevant and responsible individuals. Their only ask is to be considered for future IT and/or cyber security work, when required.
Claim your firm’s report now.
There will also be a webinar in October, offering a jargon-free overview of actionable steps to de-risk a firm.
Relevant and responsible practitioners can claim the audit results for their firm in a short report.