Law Firms - Soft Targets...

In the wake of the recent ransomware attack against Allen & Overy by the Russian LockBit group, it’s worth reviewing why law firms make attractive targets and how to mitigate against potentially catastrophic data breaches.

The SRA has advised that digitalisation during and after COVID-19 has created more opportunities for cybercriminals to compromise and extort law firms. Law firms handle significant amounts of money and sensitive information, such as client data, legal documents, and intellectual property. They also rely heavily on their reputation and on client trust, both of which can be damaged or destroyed by a ransomware attack. All of these factors put them firmly in the crosshairs of cybercriminals.

The NCSC also reports that law firms are increasingly targeted by ransomware and phishing in particular, with firms considered to be soft targets by financially motivated criminals (see the NCSC Threat Report: UK Legal Sector).

Ransomware is increasingly used to lock firms out of their own systems and to steal information, combined with threats to release that information on the dark web or in the public domain (as is the case with A&O).

  • The loss of system access due to file encryption can seriously affect any firm, and even more so, those that are hybrid or fully remote.
  • Cases are now being reported to the SRA where criminals have accessed sensitive client information, and it is likely that this will become the main focus of ransomware attacks.

LockBit ransomware operates on a Ransomware-as-a-Service (RaaS) model: affiliates are recruited to conduct attacks using LockBit’s ransomware tools and infrastructure. Because many unconnected affiliates operate LockBit, their tactics and techniques vary considerably, which further increases the difficulty of protecting and securing data.

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023, with attacks on organisations of varying sizes across an array of industry sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

There is an understandable perception that cyber security is expensive and onerous to operate, especially for SME law firms. It doesn’t have to be either of these things, but good security does require some thought.

Questions you should be asking:

  • What monitoring is in place around those critical assets that would have an impact if compromised, damaged, or altered?
  • Is monitoring happening in real time and managed by trained security personnel?
  • Do we have procedures in place for staff to report any suspicious activity, and is this routinely reinforced through training refreshers?
  • Are we protected by professional security operations centre (SOC) personnel who will know how to manage alert thresholds and recognise genuine alerts when they occur?
  • Do we have visibility of all the physical, virtual and software assets on our network and their status, and are they maintained with the latest patches and versions?
  • Are we able to identify and remove shadow IT which may be introduced into the network by our own staff?
  • How do we authenticate and grant access to users or systems? Is Multi-Factor Authentication in use, and is access granted based on least privilege?
  • How is storage separated so that an attacker will not get access to all copies of our data?
  • Are we able to avoid a long recovery that could damage corporate reputation and brand?
  • What data is ‘critical’ and how frequently is this backed up? How frequently is non-critical data backed up?
  • How confident are we that we would be able to recover from these backups? How frequently is this checked?
  • How are our backups stored? Offline or different locations? What are our recovery time and recovery point objectives?
  • Do we have clear escalation routes and defined decision-making processes to deal with a major cyber incident?
  • Do we understand our regulatory requirements and obligations to report data loss incidents?
  • What are our contingency measures to maintain business operations?
  • Are we able to practise our response to cyber incidents, and how do we learn from these exercises?

Cyber security is a strategic risk to any business and especially to law firms whose reputation with clients is paramount. Does your firm’s cyber security provide the protection your clients demand?

More articles from ITS Recruitment | ITS Works