The Ransomware Risks To Law Firms

Ransomware risks are the largest threat that faces law firms today.
Any business can become a target for cybercriminals, but law firms are one of the top targets globally. Even a listed UK law firm was hit by a cyber security incident this year. It’s obvious that law firms are lucrative and have access to money, so they are often able to pay a ransom.
However, cash flow is not the only reason firms become a target. Law firms have many interaction points and are in effect a service business. Service businesses live and die by their reputation. That’s why they are a prime target.
Why are law firms a great target for Ransomware attacks?
They have some great data, and that fits with the Ransomware business model. Ransomware is a revenue generator for cybercriminals. Ransomware encrypts your practice’s electronic data, and takes a copy of the data, which can then be:
- Sold to other cybercriminals
- Held to ransom over the public release of sensitive information
- Used to take control of your social media accounts and broadcast your data and failings
- Sold or exploited by other cybercriminals
- Followed by a repeat of the same exploit and a demand for another ransom
Are law firms financially protected from cyber-attacks?
Typically, a paid ransom will be reimbursed by insurance, but of course only if the right controls are in place.
Many firms think they are protected financially by simply having insurance in place to reimburse a ransom payment. However, if there isn’t the right security in place, then insurance won’t pay out.
Money isn’t the only loss a firm faces when hit
Greater threats are posed; here are some other ransomware risks to law firms.
Some ransom groups will demand a ransom, but that will only be after they’ve posted all of the firm’s sensitive data onto the web.
The firm may be able to get operational again, but the real damage goes beyond that, as their clients’ data has in effect been spread globally for anyone to access. It’s easy to see that the ransom payment is just a fraction of the real cost a firm could face.
A breach means letting clients know their data is ‘in the wild’, and that other parties can access it. That is a big deal: it will seriously hurt the firm and all those they work with.
Regulators then compound that damage. A firm is now looking at huge fines from regulators such as the ICO and the SRA. It’s a horrible place to be, hence the focus from those in the global ransomware business, which is now bigger than the drugs trade.
Risk and IT security are not separate entities
Too many in the legal industry view the ransomware risks to law firms and IT security as separate entities. They simply leave cyber security, and all the risks that go with it, to the IT team. That’s just not going to wash with regulators, clients and very likely the media. Risk is the board’s responsibility and accountability, not IT’s.
Of course, the IT team plays its part. However, like every important functional operation in a firm, you need governance. The whole firm needs to be aware of its role in controlling risk. The biggest threat to a firm’s security is normally something simple, such as someone clicking a link or giving information out over the phone.
IT can only go so far
New and emerging threats are often targeted at the end user sitting at their laptop or on their phone. Sure, technology has its risks, but people are always the weakest link. Although employees pose one of the largest risks, the threats are of course much wider.
The other big risk is vulnerabilities within IT systems that face the Internet. Every link into a firm is a risk, and each one needs to be evaluated and tested. A firm should certainly penetration test its own systems, to ensure it also deals with its part of the wider risk picture.
So, how can the ransomware risks to law firms be avoided?
There are certainly basics that should be dealt with, especially where ransomware is concerned, such as:
Have you got an air gap in your backups?
Ransomware attackers want to encrypt your data. That may take you down for a few days. However, if your backups are on the same network as your data, the attackers will be looking to ensure those are encrypted too. That leaves a firm dead in the water with no chance of recovery.
Do you have a rigid patch management policy?
Many businesses patch once a week, many once a month. That’s not enough. The IT team needs to be continually aware of brand-new threats and needs to deal with them quickly.
Do you use a VPN to protect endpoints on public networks?
Too many firms allow their staff to connect in other locations, such as hotels, over unprotected networks. That’s a risk that needs to be controlled via a VPN.
Do you consistently train and test your users on how to spot a suspicious email or call?
Again, staff are the weakest link and need to be able to spot suspicious behaviours online.
Do you control USB ports to ensure non-approved storage devices can’t be installed?
You can’t allow staff to plug anything into a work machine without controls in place.
Do you have an email security protection system in place?
You do need an advanced email security protection system in place that checks both links in the email and the attachments. You can’t generally rely on email provider systems, not even Microsoft’s.
Do you have next-generation antivirus in place?
Traditional antivirus systems aren’t enough to protect against ransomware. Once they’ve detected it with a scan it’s too late. You need NGAV (Next Generation AntiVirus) which can spot ransomware before it does its damage.
Do you have 2-factor authentication in place?
This is probably one of the biggest protections against ransomware available. A third party can steal a password, but they cannot get access to systems without a known device.
Do you have a SIEM and a 24x7x365 SOC?
A SIEM is a Security Information and Event Management system. A SOC is a Security Operations Centre. If you’ve done the other points, then you also need a system that looks for suspicious behaviour. These systems can be expensive, so you need to make a real judgment call on how far you should go.
So how do you decide how far you take your IT security?
Well, first you really need to understand all the risks you face, and you need to understand the likelihood of each of those risks being exploited. How do you do that?
You need a system, you need a framework. Too many firms think they have Cyber Essentials so they are secure. That’s not the case. Cyber Essentials is very basic and doesn’t make you secure, especially not from the ransomware risks to law firms.
