Ransomware: What Can Be Done to Protect Legal Firms?
Alongside the other challenges it has presented, 2021 has been a boom year for ransomware – and as a profitable sector that regularly deals with highly sensitive data, law firms have been prime targets for this new wave of cyber-attacks.
Below, Robert Rutherford and David Clarke of QuoStar outline the threat that ransomware poses to law firms, along with advice on how these firms can best protect themselves from a virtual attack.
Ransomware is the largest and most prominent risk that law firms face today. These types of attacks have increased by 288% in 2021 and are unlikely to slow down any time soon. It is an unpleasant place to be for firms; the global ransomware business is huge. It generates revenues of over $1.5 trillion and grows by the day.
Any business can be a victim of cyber criminals, but it is law firms that are the top targets globally. These are lucrative companies that have rapid access to significant cash reserves, so they are often able to pay a ransom quickly without seeking external assistance.
Cash flow is not the only reason law firms are targeted. They are essentially service businesses, and service businesses live and die on their reputation. This factor, plus regulatory oversight and vast numbers of electronic interactions with third parties, makes them a prime target for ransom groups.
Law firms in the crosshairs
Law firms hold a lot of detailed data, and that certainly fits with the ransomware business model. Ransomware is essentially a revenue generator for cybercriminals. They can monetise the encryption of data and also the disruption that it causes in a number of ways, such as:
- Selling the data to other cybercriminals;
- Selling logins and passwords to other cybercriminals;
- Holding data to ransom, such as threatening the public release of sensitive information;
- Assuming control of a firm’s social media and broadcasting data and failings;
- Using the same exploit again and asking for another ransom.
Ransomware is the largest and most prominent risk that law firms face today.
Typically, law firms will have some form of insurance to protect them against the impact of a ransomware attack. For example, a paid ransom will be reimbursed by insurance. However, these payments will only be made if the right cybersecurity and risk controls are in place in the first instance.
Not just money, but reputation
Insurance will also not guard against some of the major effects of a ransomware attack. Some groups will demand a ransom only after they have posted all of the firm’s sensitive data – including client data – onto the dark web. In that situation, a firm may be able to get operational again, but the real damage has already been done; the lasting impact goes far beyond simply paying a ransom.
Data can be spread globally for anyone to access, meaning firms have to let clients know that their information is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. This can seriously hurt the reputation of the firm and those they work for and with.
Regulators, too, will compound that damage and ensure that firms comply with protective measures. Law firms are now looking at huge fines from these industry bodies, such as the Information Commissioner’s Office (ICO) and Solicitors Regulation Authority (SRA), if they do not have the right security controls and governance in place.
Insurance will also not guard against some of the major effects of a ransomware attack.
Do not take a siloed approach
Too many firms still deal with risk and IT security as separate entities. They often leave the responsibility of being secure from cyber-attacks to their IT team, but this approach will not bear scrutiny from regulators, clients or the media. Risk is a much broader responsibility, and it is not something that should rest entirely with IT.
Of course, the IT team does play its part, but like every important functional operation in a firm, governance is key. The whole firm needs to be aware of its own role in controlling risk, especially as most IT breaches come from employees doing something they should not. The biggest threat to a firm’s security can, more often than not, come from something as simple as someone unsuspectingly clicking a link in an email, or giving information out over a phone.
Other major risks to a firm’s security come from potential vulnerabilities within IT systems that face the internet, including those run internally and through third-party electronic links into a firm, such as partner organisations, cloud providers and website hosts. Every one of these links to a firm poses a risk, and they must be evaluated and tested. As a result, law firms should exercise penetration tests to ensure their own systems are effective. They must also look to their external relationships with third parties to ensure that these partners also have effective security controls and governance in place.
How can a firm deal with security threats?
Where ransomware is concerned, there are basic measures that should be in place to ensure firms have controlled the bulk of the areas of risk.
Eliminate air gaps in backups
Ransomware attackers are focused on encrypting data, which could take a business down for several days. Organisations should therefore ensure backups are not located on the same network (local or wide area) as their data, as this could leave a firm with no chance of recovery.
Implement a rigid patch management policy
While many businesses patch their systems to fix security vulnerabilities on a weekly or monthly basis, this simply is not enough. IT teams need to continually be alerted of new and emerging threats, or rely on specialist IT security partners to deal with these dangers with urgency.
IT teams need to continually be alerted of new and emerging threats.
Managing employee threats
Again, staff can often be the weakest link, and there are critical measures that firms need to put in place to protect themselves. As a minimum, employees should be given the training they need to spot suspicious behaviour online.
But there is more that firms can do. Many allow their staff to connect at home or other locations such as coffee shops and hotels, often over unprotected networks. Controlling these risks via a VPN solution is critical.
Others may allow staff to plug anything into a work computer, such as USB drives. Do not forget that for decades computer disks were the primary way for viruses to get onto IT systems, and this risk has not gone away. It is important that USB ports are locked down to only known IT-approved devices.
Creating robust security barriers
Other ways in which law firms can create barriers to deal with security threats include having an advanced email security protection system in place, to check both links and attachments from emails, and Next Generation AntiVirus, which can spot ransomware attacks before they do any damage. The traditional AntiVirus solutions are no longer enough.
Firms should also use two-factor authentication. This is one of the most effective ways of protecting against ransomware and security breaches. Third parties may be able to steal a password, but they cannot get access to systems without using a known device.
Finally, firms will need a system that continually looks for suspicious behaviour (a Security Information and Event Management System or SIEM), and a team that can take any alerts and respond to them accordingly ( Security Operations Center or SOC). These are the last steps and can be expensive, so firms should really make sure that they have covered the basics before looking down this road.
How can firms decide how far to take IT security?
With cyber-attacks ever-present, firms must really understand all the risks they face and what the likelihood of those risks being exploited is. The question is, how can this be done?
Law firms need a system or a framework in place. Too many organisations think they have Cyber Essentials and believe that this covers all aspects of cybersecurity. However, the Cyber Essentials and Cyber Essentials Plus certifications only represent the most basic level of protection.
Have a robust framework
The only way a firm, and particularly the leadership, can get a grip on IT security is to work to a governance level – to implement an Information Security Management System (ISMS). An ISMS, such as ISO 27001, will give law firms a detailed understanding of their risks and how to control them. This should also extend to third parties, as accountability cannot be outsourced when it comes to risk.
Those with an ISMS are already doing the right thing from a leadership perspective by ensuring they know their risks, know the control measures in place and continually review them. They are able to make a call about what they need and want to put in place – based on real knowledge.
Ultimately, the firm’s board will be responsible and accountable for the security of their firm, and so it is crucial that to understand the role they play in order to act more efficiently.
Together, all these measures will form a robust defence and continual improvement operation for any law firm, ensuring they can defend themselves and respond to security incidents as well as the growing threats they face.
Robert Rutherford, CEO
David Clarke, Chief Information Security Officer
Waverley House, 115-119 Holdenhurst Road, Bournemouth, BH8 8DY
Tel: +44 01202 055400
Robert Rutherford is an IT industry leader with over 24 years of experience working with IT and business systems. He leads QuoStar by providing strategy and vision for the business whilst also remaining active with clients, providing insight and solutions for their various business challenges and opportunities.
David Clarke is a veteran cyber-security consultant with over 25 years of experience in the sector. He has worked with clients ranging from SMEs to the FTSE 100 and previously held Global Head of IT Security roles at BT and Radianz, during which he was responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion-dollar environments.
QuoStar is a full-service IT provider that delivers fully managed IT support, consultancy, co-sourcing and cloud services alongside a range of other offerings for businesses with 30 to 300 staff. QuoStar has a track record of helping mid-sized law firms to grow and gain a competitive advantage by delivering specialist IT support, consultancy and security services in the sector.