No HTTPS? No site visitors

HTTPS: Feeling insecure? An update on law firm web security

Two weeks ago, I blogged about a number of firms whose sites were not secured. By not secure, I mean that Chrome, the world’s most used browser, warns you not to exchange any data with them as it may be stolen. That would include personal details (logins), download forms (name and passwords), or credit cards (less likely with commercial firms, but not unheard of). It’s easy to spot: they don’t have an HTTPS site.

I wanted to do an update on the original story now that it has appeared in The Times, The Lawyer, and several insurance and accountancy sector titles too.

In the original survey, 22 of the top 200 law firms did not have an HTTPS site. Five of those firms are in the top 25 largest firms in the UK. All five of those firms promote cybersecurity practices.

I rechecked the offending firms’ sites this morning, and the results are:

  • The same five of the top 25 firms have not resolved the HTTPS issue (it takes a few hours, at most, to fix).
  • All of them still sell cyber risk solutions.
  • One of those five has a client extranet that is not secure, so clients should not use it to exchange sensitive data with their law firm (which is the basis of using an extranet); and
  • Of the broader original 22, four have addressed the issue and now have a secure website – so it is now safer to share data with them.

To that list, we’d also add some of the firms that had certificates that were about to expire or be distrusted. Of the five firms that originally found themselves in this position:

  • One has removed its certificate for now, and so it is ‘not secure’ to share your data with them. It’s one of the largest law firm brands in the world. Ripping off the plaster is not a solution.
  • Two have updated theirs to other free certificates. These free certificates are used in website hacks such as the BA copycat site which has featured in the news so much recently.
  • Two have not tackled the HTTPS problem and probably don’t even know that they are not getting web traffic as a result. If you use Chrome to look for their website, it won’t display it to you as it says it is unsafe to do so. Potential clients will then go and use another law firm.

Here we are, just over a year on from the Paradise Papers (NB @appleby’s website is currently secure, by the way), and it’s almost as if firms are waiting for a cyber breach to happen to them before they act.

It’d be much easier to act now. Contact us if you’d like to know if you’re on the list or how to resolve it.