The exposure of employee passwords on the Dark Web poses a significant threat to UK law firms.
- A vast majority of UK law firms have compromised employee passwords accessible online.
- Out of 5,140 firms examined, 72% faced this cybersecurity issue.
- Atlas Cloud’s study highlights deficiencies in digital protection measures across these firms.
- Experts stress the importance of strong cybersecurity awareness and practices to mitigate risks.
Nearly three-quarters of UK law firms have been found to have at least one employee password leaked into publicly accessible sources on the Dark Web. The finding comes from the largest study of its kind and indicates a significant vulnerability within the legal sector.
The extensive audit conducted by IT services company Atlas Cloud reviewed 5,140 law firms. Results showed that 72% of these firms had instances where employee username and password combinations appeared in lists circulating on the Dark Web. Such information poses a great risk as it provides cybercriminals with the potential to access sensitive information within the firm’s IT systems.
Researchers uncovered over one million password combinations associated with the firms studied, equating to an average of 195 password combinations per firm. The security audits performed were non-intrusive, ensuring no hacking attempts were made during the investigation.
Further findings exposed that a key protective measure, DMARC, which prevents the hijacking of corporate domains, was only implemented by 46% of the firms examined. A hijacked domain can allow criminals to send emails appearing to come directly from the firm, potentially leading to greater security breaches.
More than half of the firms (54%) had large ‘digital attack profiles’, but most of these were not larger firms, which generally have stronger protections in place. Atlas Cloud’s chief executive, Pete Watson, remarked on this, saying, ‘When it comes to cyber security, being a mile wide and an inch deep doesn’t do you any good.’
The study also found that only one in seven firms possessed the government’s Cyber Essentials certificate, which covers a range of defence mechanisms and is recommended as part of the Lexcel accreditation. This certification is mandatory for all public sector case work, highlighting a potentially overlooked area in private firms.
Additionally, at least 53% of these law firms had adopted specialised phishing protection technologies. These technologies effectively filter out emails suspected of impersonation, a technique standard spam filters typically fail to detect.
Pete Watson underscored the gravity of this cybersecurity threat, stating, ‘The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm.’ To combat this, he recommended multi-factor authentication on systems, while acknowledging that criminals have found ways to bypass these protections by deceiving users. Watson emphasised the need for widespread awareness of current criminal tactics among all firm representatives.
The pressing need for enhanced cybersecurity measures and heightened awareness in UK law firms is clear from these findings.
