100% of law firms participating in a cybersecurity experiment had been targeted by cyber threats. Some without even knowing it.
With an estimated worth approaching $1 trillion, law firms present an attractive target to cyber criminals. Not only do they host sensitive personal data within their networks, they also host data on ongoing litigation.
Now that cyber attackers are ransoming data from the attacked firm and the parties whose data is involved, law firms present particularly interesting vectors for attack.
Data Indicates a Dearth of Cybersecurity Precautions Amongst Firms
29% of American law firms reported a security breach in 2020. Perhaps more surprisingly: 1 in 5 firms weren’t sure if they had been breached.
A dearth of modern cybersecurity defences is thought to be the contributing factor. Only 43% of law firms indicated they use file encryption; less than 40% use email encryption, two-factor authentication and intrusion prevention; and less than 30% use full disk encryption and intrusion detection.
Despite the sensitive level of data hosted on their networks, and attorney-client confidentiality assuming data is securely stored, many law firms are underprepared for the plague of ransomware descending on their industry.
No Firm is Too Small
In recent years, big law firms were an easy target for a cyber attack. Having experienced the pain of an attack, these big firms have invested cybersecurity.
Now, small and medium firms present a more attractive target to attackers.
With a smaller staff, and often relying on outsourced IT teams, smaller firms are prone to ransomware attacks that bypass anti-malware tools. While these tools expertly detect the threats they know, they are left exposed to new threats and threats in disguise.
Threats in disguise breach a network, then extract data from the firm’s computers and servers. Once accessed, the data is encrypted. No file can be accessed, and often, systems are totally locked down. With few firms able to operate on paper, this marks a total loss of operating revenue for the firm.
With the firm’s data and systems encrypted, cyber criminals send a ransom request stipulating a threat and an outcome should the ransom not be paid. If the firm refuses to pay to decrypt its systems, the hackers sell the stolen client information online.
The Cyberattacks that Impact Law Practices
Law Firms, like other businesses, can be afflicted by a range of cyber threats.
These may include:
- Malware and ransomware: Software designed so both a computer and the network it runs on. When ransomware is deployed, files and systems may be encrypted, and a ransom must be paid to return the resources to their owner.
- Phishing attacks: A social engineering technique where an attacker pretends to be someone else in order to trick the user into revealing their passwords or to convince the user to run malicious software.
- Misleading websites: Attackers often list links to malicious websites that trigger a vulnerability or download a malicious attachment.
- Cloud storage and apps: Any cloud-based storage or apps that contain sensitive data present a target for cyber attack. When these applications do not use stringent security or encryption tactics, the data is at risk.
- Poor encryption practices: Files that are transferred through public databases are prone to exposure. If not encrypted, files sent via email transfer or stored in the cloud are vulnerable to attack.
- Insider leaks: Staff members and contractors often present a threat when they exfiltrate information from the law firm’s network. This sensitive data can be exposed and cause irreparable damage to the firm.
- Hacktivism: While hacktivism is not financially motivated, it still poses a threat to law firms. These hackers have political or socio-political aspirations when accessing sensitive legal information.
Law Practice Case Studies
The legal profession has not escaped the recent increase in global ransomware attacks. The following case studies provide details on the types and scale of recent attacks.
Ransomware Attack: Manitoba Law Firms Requested to Pay “Enormous” Ransom
Two Manitoba law firms were left locked out of their computer systems, digital files, emails and data backups in April 2020 when subjected to a cyber attack.
After an employee “clicked on a link or an attachment in an infected email” lawyers and staff at the firms lost access to client lists, emails, accounting and financial information, photos and other digital files. Both firms also lost access to their cloud backups, paralyzing their disaster recovery plans. The firms relied on paper records and court filings to retrieve some of their data, but some privileged and confidential information was inaccessible.
Both firms were sent “enormous” ransom requests. Neither firm is expected to regain access to all their data, even after working with specialist consultants. A Toronto-based law firm assisted the Manitoba firms in managing the data breaches. It is unknown if the firms paid the ransoms.
Since the attacks, the Manitoba Law Society mandated that all Manitoba law firms must invest in mandatory cyber attack insurance coverage.
Ransomware Attack: Large Law Firm Recovers from Ransomware Attack
One of the world’s largest law firms suffered from a ransomware attack in June 2017.
You might wonder why we chose to include an older attack in this blog post. It’s to demonstrate just how much ransom requests have changed. Back in 2017, the demand made on the firm was for $300 USD in Bitcoin. By 2020, the average ransom demand reached $84,000 USD.
Despite a significant change in ransom demands, the ransomware event is very similar to what we’d experience today. The attack impacted thousands of servers, computers and files.
The IT teams quickly identified the Petya attack and prevented its spread across the system. By working with third party forensic investigators and relevant authorities, the firm gradually recovered its data and systems. In July of 2020, the firm indicated they had no evidence that client stolen, nor was there a breach of confidential data.
The cause of the breach is believed to have been an update in the firm’s payroll software by a third party accounting firm.
Ransomware Attack: Entertainment Firm Hacked
A jaw dropping $20 million ransom payment was requested when entertainment law firm Grubman Shire Meiselas & Sacks was attacked in 2020.
The incident resulted in the theft of almost 800 gigabytes of data, including private correspondence and documents related to musicians, actors and TV personalities, sports stars, and media and entertainment companies. Attack group “REvil” threatened to gradually release batches of the stolen data.
At last report, the firm was not negotiating with the attackers, while the FBI conducted an investigation into the matter.
Hacktivism: The Panama Papers
The Panamanian law firm Mossack Fonseca is best known as the source of the Panama Papers. The firm stored an abundance of financial information about the world’s rich and powerful. While the original intent of the attack was unknown, the result is infamous: the release of information about secret financial dealings benefitting from offshore tax regimes. Mossack Fonseca has represented more than 300,000 companies, thereby explaining the volume of the cyber attack. 11.5 million documents and 2.6 terabytes of information were stolen in the attack.
The attack, later deemed an act of Hacktivism, was attributed to outdated software with critical, unpatched vulnerabilities.
Cybersecurity Lessons Learned from Law Firms
Cyber threats can permeate prevention barriers: security systems may be in place, but phishing scams and unknown threats can steal an employee’s credentials or breach a network. As indicated in our recent blog posts: you can’t expect to lock all threats out of the network. Detection management is required.
Advanced threat detection is critical to survival
However, most small and medium law firms are not equipped to detect threats. That means they may not know when they have been breached. Threat detection and response ensures that anything lurking on the network is detected, and anything new that passes through barriers is caught. This is critical to ensuring client data is secure.
Off-site Data Storage is required for disaster recovery
Off-site data storage only works when employees are encouraged to backup their data. This is key to recovery.
Cyber audits are growing in popularity
Prospective clients frequently request that law firms demonstrate a commitment to cybersecurity before they are hired. That means proving you can catch and detect threats, and recover from a disaster.
Transparency is key
The ethics and compliance expectation binding law firms set very stringent measures in place. Contacting law enforcement and announcing the event is a critical part of managing the breach. Since client data might be compromised, clients must prepare themselves. Even when data hasn’t been accessed, firms must be transparent to prove they have the client’s interest at heart.
Managed Endpoint Security for Law Firms
Law firms that have experienced a cyber attack can testify to the crippling power of a breach. Along with lost productivity, cyber attacks can incur exorbitant expenses. (The cost of an insurance policy and an endpoint protection solution will likely never add up to the cost of recovering from a breach!)
While smaller firms may be daunted by the cost of cybersecurity protection, scalable endpoint security options exist. With a smaller staff and fewer computers and servers to protect, the fees for managed protection can be matched to the size of the firm.
CYDEF offers a fully managed endpoint detection and response solution that an internal point person can manage, or can assign to an IT service provider. The solution, consisting of anti-malware protection, advanced threat detection and a skilled team of live security analysts, provides visibility into what’s happening on devices, in applications and on accounts. If your law firm is breached, you’ll know about it!
Learn more about our managed security solutions and how they can support your law firm.