Recent research reveals that nearly three-quarters of UK law firms have had at least one employee password compromised and exposed on the Dark Web.
The comprehensive study, regarded as the largest of its kind, audited 5,140 law firms and uncovered that 72% had employee username and password combinations exposed in lists on the Dark Web. These credentials could be maliciously used by cybercriminals to infiltrate firms’ IT systems.
Alarmingly, the audit, conducted by IT services company Atlas Cloud, discovered over a million employee passwords were linked to firms included in the study, with an average of 195 password combinations per firm being identified.
Atlas Cloud used only non-intrusive checks in its investigation: passive inspection of information that is already public (such as a firm's DNS records and credential lists circulating on the Dark Web), with no probing of or access to the firms' own systems. Even with that limited view, the findings pointed to substantial weaknesses beyond exposed passwords, notably the patchy adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC).
DMARC is a policy published in a domain's DNS that tells receiving mail servers how to treat messages which claim to come from that domain but fail SPF or DKIM alignment; without it, criminals can send spoofed emails purporting to be from the firm. Only 46% of the firms had implemented this safeguard, and a practitioner's caveat applies even to those that had: a record set to monitoring only (p=none) reports failures but blocks nothing, so only a quarantine or reject policy actually stops the spoofed mail. Additionally, over half of the firms presented notably large "digital attack profiles" (externally visible attack surface), though larger firms, which typically had more robust protections, were mostly not among them.
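The kind of passive DMARC check described above can be reproduced with a few dozen lines. The following is an added example for this article, not Atlas Cloud's tooling, and the sample records are constructed; in a live audit each list of TXT strings would come from a DNS lookup of `_dmarc.<domain>` (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`), but here they are embedded so the logic runs offline. It goes slightly beyond the article by grading records rather than only counting their presence, since a monitoring-only or partially applied policy is the failure mode a reviewer most needs to spot.

```python
"""Passive DMARC check of the kind a non-intrusive audit performs.

Added example for this article; it is not Atlas Cloud's tooling. The records
in SAMPLE_AUDIT are constructed. In a live audit each list would come from a
TXT lookup of _dmarc.<domain>; here it is embedded so the code runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DmarcVerdict:
    rating: str                   # missing | invalid | monitor-only | partial | enforced
    policy: Optional[str] = None  # p= tag: none, quarantine or reject
    pct: int = 100                # share of failing mail the policy is applied to
    reporting: bool = False       # True when a rua= aggregate-report URI is set
    notes: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty fragments such as the one after a trailing ';'
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: list) -> DmarcVerdict:
    """Rate the TXT strings found at _dmarc.<domain>; an empty list means no record."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcVerdict("missing", notes=["no v=DMARC1 record; spoofed mail is not policed"])
    if len(dmarc) > 1:
        # RFC 7489 s.6.6.3: more than one record at _dmarc means receivers apply none of them
        return DmarcVerdict("invalid", notes=["multiple DMARC records; receivers discard all of them"])

    tags = parse_tags(dmarc[0])
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return DmarcVerdict("invalid", policy, notes=["p= missing or not none/quarantine/reject"])

    notes = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not an integer; treated as 100 here")
    reporting = tags.get("rua", "").startswith("mailto:")
    if not reporting:
        notes.append("no rua= address: the firm receives no aggregate reports")

    # A subdomain policy weaker than the organisational one leaves subdomains spoofable.
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    sub = tags.get("sp")
    if sub in strength and strength[sub] < strength[policy]:
        notes.append(f"sp={sub} is weaker than p={policy}: subdomains can still be spoofed")

    if policy == "none":
        rating = "monitor-only"   # records failures but blocks nothing
    elif pct < 100:
        rating = "partial"        # policy applied only to pct% of failing mail
    else:
        rating = "enforced"
    return DmarcVerdict(rating, policy, pct, reporting, notes)


def enforcement_share(audit: dict) -> float:
    """Fraction of audited domains whose DMARC policy is fully enforced."""
    verdicts = [classify_dmarc(recs) for recs in audit.values()]
    return sum(v.rating == "enforced" for v in verdicts) / len(verdicts)


# Constructed sample audit: domain -> TXT strings seen at _dmarc.<domain>.
SAMPLE_AUDIT = {
    "firm-a.example": [],
    "firm-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example"],
    "firm-c.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm-c.example"],
    "firm-d.example": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@firm-d.example"],
    "firm-e.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-e.example",
                       "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, recs in SAMPLE_AUDIT.items():
        v = classify_dmarc(recs)
        print(f"{domain:16} {v.rating:13} p={v.policy} pct={v.pct} {'; '.join(v.notes)}")
    print(f"fully enforced: {enforcement_share(SAMPLE_AUDIT):.0%}")
```

Run as-is it prints one line per constructed domain and the share that is fully enforced (one of five). The point of the grading is that a headline figure such as "46% have DMARC" counts firm-b and firm-c as protected, whereas only a `p=reject` or `p=quarantine` record applied to 100% of mail, with no weaker `sp=`, actually stops spoofed messages.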
Pete Watson, chief executive of Atlas Cloud, emphasised the importance of a comprehensive approach to cyber security. He stated, “When it comes to cyber security, being a mile wide and an inch deep doesn’t do you any good. If the majority of big firms can operate a small attack profile, any firm can.”
A key finding of the study was that only one in seven firms held the government-backed Cyber Essentials certification. This certification is part of the Lexcel accreditation process and is mandatory for public sector case work.
The study also found that 53% of firms had deployed advanced phishing protection able to filter out suspected impersonation emails, which standard spam filters often miss. Watson elaborated, “The sheer volume of password combinations available to criminals is a stark reminder of the threat that cyber poses to a firm. By applying multi-factor authentication on your systems, which adds an additional one-time authentication token, you can minimise this risk, although criminals have been known to find ways around this too.”
He underscored that ultimately, “The only true way to eliminate this threat is ensuring everyone representing your firm has a strong awareness of the tactics criminals are using today.”
The findings point to a clear need for UK law firms to strengthen their cyber security, given the scale of credential exposure uncovered and the risks that follow from it.