Lawyers and accountants depend on a bond of trust with their clients. So you would imagine that protecting their clients’ sensitive personal information would be a priority, yet many firms are relying on cybersecurity measures that are untested – and often incomplete. 

At the moment, most firms are presenting an easy target for hackers. And with serious breaches becoming the norm, the promise of confidentiality is becoming impossible for many to uphold, along with the dependability that these trusted professions are meant to provide.  

These sectors seem reluctant to respond to the threat, however. So it could be up to you – their clients – to change their outlook. 

Why are law firms targeted? 

The legal sector has vulnerabilities – they’re embedded throughout its everyday operations. From bank transfers and automated identity checks, to emails carrying your personal information, law firms routinely handle sensitive data, making them an attractive target to cyberattackers.  

In August 2020, for instance, UK-based law firm Tucker Solicitors fell victim to a vicious ransomware attack. The firm holds court bundles including private personal data such as medical files, witness statements and names and addresses of witnesses and victims relating to crimes of all severities. After the breach, hundreds of thousands of files containing sensitive information were leaked on the dark web and held to ransom. 

A common tactic that law firms often fall victim to is Friday afternoon fraud, which contributes to an eye-watering 75% of all cybercrimes in this sector. This type of fraud is in the name – Friday afternoon is the traditional time-period for completion of property conveyancing transactions. It’s also a time when many in the profession are winding down for the weekend. 

Hackers use this window to break into a firm’s defences – which are often outdated and untested – then imitate an employee, contacting clients from what appears to be the employee’s real company email, so they can make off with the completion day funds. It’s the kind of easy-to-mitigate fraud that could be drastically reduced with a robust cybersecurity strategy. 

Due to the substantial amount of money passing between law firms and their clients, these kinds of scams are widespread. Large amounts of sensitive data held by lenders, estate agents and mortgage brokers is at risk. Despite all of this, the sector doesn’t seem to be in a hurry to act. 


What about accountants? 

Accounting firms play a pivotal role in our economy, handling financial data of businesses big and small. They also deal with high-value commercial data and sensitive financial information on a daily basis, making them another prime target for cyberattacks.

At the beginning of 2022, Chester-based umbrella payroll firm Parasol was hit by an attack that forced them to shut down their external and back office systems. This in turn led to thousands of contractors going unpaid or receiving lower pay than expected. A similar attack occurred to the Brookson Group at the same time, and both of these attacks followed a high profile ransomware attack on GiantPay. The UK’s leading accounting companies are certainly in the firing line. 


What’s stopping these industries from stepping up their cybersecurity game to protect your data? 

It’s an understatement to say that online working has accelerated over the last few years, but many in the legal and accountancy sectors are still slamming the brakes on digital adoption. Some are beginning to use digital documents, but many are still working with systems that existed before ‘internet’ was a word.

There is still some fear of technology from specialists in these professions, even at a basic level. Let alone before you introduce cloud computing and e-signing of critical documents. 

The pandemic has only made this worse. Overnight home working added a whole new level of cyber challenges, including a deluge of covid-related scams.

The rapid change in digitalisation from forced remote working may have been too prompt for firms to properly consider data security. SME sized firms tend not to have IT teams, or any in-house understanding. They’ll also probably outsource their compliance, without understanding the implications of their own internal processes.

The only real legal requirement is to follow GDPR, even though they are handling very sensitive information, more so than organisations required to have a pen test. GDPR does not enforce a specific set of cybersecurity measures, but rather expects businesses to take ‘appropriate’ action, leaving law and accountancy firms without IT expertise in the dark.

For some of the most traditional law firms, it may be up to clients like you to nudge them forward. If organisations begin to demand pen tests and other security measures before they will agree to work with a firm, it might tip the balance. This is already common practice in some industries, and it’s essential to ensure a secure supply chain, so it might not be long before organisations and clients demand the same security measures from their lawyers. 

What is the solution? 

We’re not trying to scare you into never using legal or accountancy help. There is a simple solution to ensuring your data is safe.

There is one thing law and accountancy firms must ensure: that a robust cybersecurity strategy is in place. This can inform employees on the rules for encrypting email attachments, steps for accessing work applications remotely, guidelines for creating and safeguarding passwords, and rules for best use of social media.

Getting cybersecurity training up to standard is also critical, particularly in a hybrid working environment. Training ensures promotion of cybersecurity awareness and best practices among employees, so that they can act in your best interest.

As a client, you can request information on your chosen firm’s cybersecurity policy, considering they have an obligation to protect your data. Have they put in a robust strategy, especially since the start of the pandemic, to preserve your information? Are they encrypting their emails that contain your sensitive data? And are they conducting third party due diligence? Next time you’re speaking with a potential legal or accountancy partner, it makes perfect sense to bring cybersecurity into the conversation.

At Datavax, we are cybersecurity experts. To learn more about what we do, check out our guide to independent penetration testing: what we do and why.