As cybercriminals use AI to escalate threats, how can law firms protect themselves?

New developments in technology are constantly transforming how law firms operate. Recently, more firms are using – and, in some cases, developing – generative artificial intelligence (AI) tools. The technology has the potential to revolutionise law firms’ relationships with its clients and employees.

Just as there is potential for law firms to benefit from AI, the cybersecurity industry is alert to the possibility that AI could be used in cyber-attacks. AI-driven attacks could allow threat actors to unleash far more advanced and fast-acting malware on the organisations they target.

While law firms might use AI themselves to manage, automate and analyse aspects of their security, there is still potential for this security mechanism to be trained by an attacker. As a result, law firms need the right protections against the cyber threats they face – and they must be able to implement them more quickly than before.

Why should firms be concerned?

The risks are especially acute for law firms, which were appealing targets for cybercrime well before attackers could harness AI. According to research published last year by Cert-UK, the forerunner to the National Cyber Security Centre, 65% of law firms have been a victim of a cyber attack, yet 35% of firms don’t have a cyber mitigation plan in place.

Research from Cyfor Secure Cyber Security found a concentration of cyber-attacks against large law firms, with 90% of the top-25 UK law firms experiencing a threat.

Smaller firms are vulnerable too: often viewed as easier targets, they may lack the infrastructure to prevent and respond to a cyber-attack, as well as the resources to recover from one.

That explains why 85% of the top 100 UK law firms cited that they were extremely or somewhat concerned that cyber threats will stop them from meeting and exceeding their firm’s ambitions, according to PwC’s Annual Law Firms’ Survey 2023.

“We are seeing firms increase their security through the recruitment of dedicated cybersecurity teams, implementation of new systems, and purchase of cyber insurance, amongst other things,” said Sharon Glynn, director and underwriter in the Bond & Specialty department at Travelers Europe.

“This is at a financial cost for law firms, but when you consider the costs of a successful attack – reputation, rehabilitation, business interruption, restoration, to name but a few – the spend starts to look more like an investment. The crucial part is to ensure that each part of the defence system covers people, systems and third-party suppliers. The increasing sophistication of threat actors means law firms simply cannot afford any gap in their defences.”

As organisations weigh their threats, they must consider the business-critical information they hold, the risk to the business if that information is compromised, and their available resources to protect the business and recover following a cyber breach.

Insurers can help clarify priorities. Some security solutions suit certain circumstances better than others. I personally spend a significant part of my time helping clients assess their cyber threats and recommending appropriate protections. I also work closely with our underwriters to ensure we are keeping pace with the threat landscape.

For our insureds, being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong will continue to be critical.

Improving safety with layered protections

It is nearly impossible to prevent a determined cyber attacker. However, just as a person can take steps to minimise their risk of a home burglary, a firm can take action to minimise the likelihood, and contain the scope of a cyber-attack and subsequent damage it may cause.

Security solutions all have pros and cons, so building up layers of protection in a well-planned structure can reduce risk – even from AI enhanced attacks.

An organisation’s cybersecurity protections will likely already include a combination of defences such as antivirus and multi-factor authentication. Combined with up-to-date software and patching to remove vulnerabilities or enhance, the solutions chosen should complement each other to provide the depth of security necessary.

Proactive measures can counter unknown threats

Proactive defence solutions such as Endpoint Protection Platforms (EPP), can bolster existing solutions to create exceptionally strong security architecture. They are used to prevent file-based malware attacks, detect threats, and can respond to security incidents as they happen.

Some defences cope even if critical vulnerabilities are present that would normally provide an attacker full admin access to the system. These proactive solutions effectively lock down applications to only their authorised libraries on the computers being protected. This can provide exceptional protection against unknown threats or live attacks.

EPPs can be especially helpful if a threat actor uses AI to take advantage of a gap in a firm’s patching cycle. For most businesses, the patching cycle is monthly – and even when it is carried out methodically, there is typically a cadence between the release of a patch and its implementation. This could average between one and three days for critical vulnerabilities, and up to 14 days for others.

“This is currently considered by most to be ‘an acceptable risk,’” he said. “But what if AI speeds up and improves the efficacy of these attacks – or even automates them?” An EPP can provide an extra layer of protection at those weak points, even if an attacker has administrator access to the network. It can provide significant peace of mind when so many risks are unknown.

More than just technology needs to change

As cyber risks evolve, human behaviour need to evolve too – an elevation in staff awareness of phishing or fraud attempts is already taking place. Existing cyber protections will need to be reviewed on an ongoing basis to ensure they remain fit for purpose and deployed with no system left vulnerable.

Firms must review their cyber insurance protection and the steps they need to take – both before an attack to limit risks, as well as in the immediate aftermath of a breach to access expert support quickly.