Lindsay Hill, CEO at Mitigo, discusses the alarming trend of ransomware attacks on law firms that has continued throughout the pandemic.
Some of you reading this will become the victims of a particularly damaging form of ransomware attack. And it could happen tomorrow.
Why do law firms fail to put in place the proper defences needed to protect themselves? There are two simple reasons. Both arise from misconceptions.
The first misconception is that you are not a target for cyber criminals. Well, regardless of your size or location, you are. Attacks are orchestrated by organised criminal gangs, using automated and sophisticated techniques. Your firm might not have been singled out to start with, but once a vulnerability is found and an access route into your systems is discovered, more focused attention and attacks follow.
The second misconception is the assumption that your external IT support is qualified to look after your cybersecurity. In almost every case, they are not. IT support is trained to set things up for ease of access and productivity; they are not responsible for cybersecurity or cyber risk management. Cybersecurity is a very different discipline to generalist IT support, and it covers much more than just technology.
All too often, new clients come to us in a state of panic, after suffering a breach. This means we see the types of attack which are taking place right now.
Ransomware attacks in 2020
Ransomware is a type of malicious software which encrypts your data. In other words, it scrambles everything, so it is impossible to access any information. The criminals then demand a ransom, promising in return to provide you with the key to decrypt or unscramble it all. Currently, the going rate starts at $50,000 for the smallest firms, rising sharply into hundreds of thousands for larger firms.
We have found that very few legal practices have set up their backup systems correctly to enable them to restore everything within a few days, or indeed at all. Usually, the technical configuration of the backup is wrong. Often, the backups end up as copies of the corrupted versions of the data, because the backup job ran after the files had already been encrypted. At best, it can take a long time to restore everything, during which time your business and your client work have ground to a halt.
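One practical check against the failure mode described above (a backup that faithfully copied files which were already scrambled) is to verify a restored backup before you rely on it. The script below is an added example, not Mitigo's tooling or anything from the original article: it walks a restored backup directory and flags files whose leading bytes do not match what their extension implies, since an encrypted copy keeps its name but loses its file header. The sample backup it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Leading bytes each document type is expected to start with. An encrypted
# copy of the file keeps its name but loses this header entirely.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def check_backup(root):
    """Walk a restored backup and return (checked, mismatched), where
    mismatched lists files whose header does not match their extension."""
    root = Path(root)
    checked, mismatched = 0, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        expected = MAGIC.get(path.suffix.lower())
        if expected is None:
            continue  # no signature known for this type; skip it
        checked += 1
        with path.open("rb") as f:
            if f.read(len(expected)) != expected:
                mismatched.append(path.relative_to(root).as_posix())
    return checked, mismatched


def build_sample_backup():
    """Constructed sample: two healthy files and one 'PDF' whose contents
    were already scrambled when the backup job copied it."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    (root / "clients").mkdir()
    (root / "clients" / "letter.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (root / "clients" / "lease.pdf").write_bytes(b"%PDF-1.7\n%constructed body\n")
    # Stand-in for an encrypted file: same name, no PDF header (constructed).
    (root / "clients" / "will.pdf").write_bytes(bytes(range(200, 256)) * 2)
    return root


if __name__ == "__main__":
    checked, bad = check_backup(build_sample_backup())
    print(f"{checked} files checked, {len(bad)} with unexpected headers: {bad}")
```

Run it against a test restore after every backup cycle; a rising count of mismatches is the earliest sign that the backup is preserving encrypted copies rather than usable data.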
Even if you could avoid paying the ransom, there is still the question of what confidential data may have been accessed. Will the fraudsters strike again? Are they still in the network?
Since late 2019, the stakes have got even higher, because the alarming new trend is for the criminals to steal a copy of your data as a first step, before they encrypt the version you have on your system. That gives the fraudster two ransom opportunities. First, they ask for payment for the decryption key. Then they threaten to publicly release, piece by piece, the confidential data they have stolen, unless you pay up. This means that even perfectly configured backup arrangements will not protect you or your clients.
Even if you do pay up, you cannot prevent the criminals later using the data to mount further attacks. This could be on you, your clients, or your business relationships. It could include targeted phishing attacks against your staff and clients. Or they might sell the data to other criminals.
So, what should you be doing to defend your firm?
Do a risk assessment
The starting point is to undertake a risk assessment covering a range of issues and behaviours across the three pillars of technology, people and process.
You need to look at your overall business setup. Here are some questions you should ask (but there are many more):
- What technology do you have?
- How do you use it?
- What data do you hold?
- Who has access to it?
- What remote working takes place?
- Do people use their own devices?
- What third parties and collaboration platforms do you work with or rely upon?
- What controls do you have in place and how do you check they are working?
- How do you monitor security on an ongoing basis?
Technical vulnerability scanning
Technical vulnerability scanning should form part of assessing and testing your security. It will help to identify vulnerabilities in your network and technology. How often you scan will depend upon your risk assessment and may change over time.
Train your staff
You must train your staff in cybersecurity awareness on an ongoing basis, so that they stay alert and are aware of the techniques that criminals employ. It’s less about making them experts than about making them stop and think before they click on that attachment or post confidential data on social media.
This training, together with testing their understanding afterwards, and using simulated phishing attacks, dramatically reduces your risk of being breached.
Also, give your staff a cybersecurity handbook so they know the rules and what they can and cannot do.
Have a risk management structure in place
This should provide the right policies and systems to govern your technology and the way it is being used. You must identify the controls which will manage risk and have periodic checks to prove that your controls are working.
Security is not a one-off “MOT”. It requires ongoing assessment and review.
If you become a victim
If your firm becomes a victim of any type of serious cyber breach, urgently get a specialist to respond to the incident. You must
- isolate systems / data as necessary
- ensure that the attack is over
- prove that the malicious software and connections have been removed
- prove that your network has been secured
- conduct an appropriate investigation so that you understand how it happened and what data has been taken.
We have found that if the incident is not managed correctly, it can result in the destruction of the “footprint” showing where the criminals have been and what data they have taken, which means you do not know what to tell your clients, the SRA or the Information Commissioner’s Office (ICO). We have also found that the criminals are often still in the system and confidential client data is continuing to be removed. And lessons are not learnt, meaning the firm’s defences remain weak and the same thing will happen again.
And finally, ensure that depending upon the nature and severity of the incident, you comply with the appropriate reporting obligations which may include your bank, the police, your cyber insurer, the SRA, the ICO, your employees and, most importantly, your clients.
The Law Society has partnered with Mitigo to offer technical and cyber security services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email email@example.com.