Industry Insights • 6 MIN READ

Cyber Security Posture of Legal Sector Threatened

by Eleanor Barlow • Jun 2022

Out of 40 practices investigated, ‘75% reported having been the victims of a cyber-attack’ and for ‘23 of those that were directly targeted, over £4m of client money was stolen’. What makes this worse is that ‘Half of the firms were found to have allowed unrestricted use of external data storage media.’ reports the Solicitors Regulation Authority (SRA) Report.  

Legal practises are built on their reputation and the relationships that exist between the company and its customers. According to Brian Inkster, founder of Inksters Solicitors, ‘In many ways, your reputation is your brand. It attracts people to the firm. From then on, every time you interact with a client, by living up to your ‘brand values’ you can confirm what they think and strengthen [or weaken] your reputation.’ (As stated in an article from Law Firm Ambition)

It is the reputation and the relationships that a legal practice depends on, that are frequently exploited. Compared to other industries, those within the legal sector have an elevated risk to cyber threats, primarily due to the confidential data and sensitive client information available if a breach is successful. And, because offices are filled with lawyers, and not IT teams, security is not often at the top of the priority list.

We only need to look back on one of the most significant ransomware attacks of 2017, where DLA Piper, known across the globe as one of the largest law practices, was hit by a ransomware attack costing them millions in the form of indirect/direct costs and downtime. According to TitanFile, the hacking tool known as EternalBlue, used to conduct that attack, ‘was rumoured to be stolen from the NSA, and other methods to increase its reach and cause its damage.’

Piper was not the only company caught up in the attack. A wave of incidents against the Legal sector soon hit, and since 2017 threats have only evolved and become more sophisticated. This just emphasizes the need for proactive, rather than reactive, threat hunting. To spot and stop threats, before it is too late.

The Legal Services Global Market Report states that the industry is expected to ‘grow from $713.12 billion in 2021 to $788.94 billion in 2022 at a compound annual rate (CAGR) of 10.6%’. That said, it goes without question that the payoff of a successfully attack is substantial. Financial gain is at the heart of most attacks directed within the industry, with infiltration made via supply chain attack and ransomware/phishing attacks.

‘Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack.’ – Eva Velasquez, CEO, Identity Theft Resource Center (ITRC)

Legal practices hold a wealth of data that can be exfiltrated. Lawyers can’t afford to lose a single note on a case, so if data is stolen, they are more likely to pay the ransom or meet the demands of the threat group/attacker, as they have a lot to risk if the data is leaked.

Campbell Conroy & O’Neil P.C is just one example of the many legal practices hit by a ransomware attack in 2021. Following the breach, the company were unable to access files that were critical to their clients and contained personal information. In response to the breach, the legal practice issued this announcement regarding the information, which confirmed the gravity of the situation and the lack of knowledge surrounding the amount of information lost.  

‘We cannot confirm if the unauthorized actor accessed or viewed any specific information relating to individuals. However, we determined that the information present in the system included certain individuals’ names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e., usernames and passwords).’- Campbell Lawyers

What Companies Can do to Stop Ransomware Attacks

In a recent white paper on Ransomware Threat Landscape it was highlighted that ‘new ransomware strains are emerging to leverage fileless malware and data exfiltration tactics, while opportunistic attackers are using any change in circumstances to launch more effective campaigns.’

The Challenge – Conventional security tools, which detect only known cyber-threats using rules and signatures, are blind to evolving strains of ransomware for which such signatures do not exist. Security teams cannot keep up with these threats using traditional controls alone, especially when they are understaffed or out-of-office.

The Solution – Businesses must employ security technology that can stop ransomware as it emerges before it can do any damage.

For more on this, download white paper here.

Phishing Attacks on the Rise

Ransomware attacks often begin in the form of a clever phishing attack campaign.

Phishing attacks are directed at the Legal sector often in the form of corrupt emails, containing malicious links. Email addresses and domain names can be easily spoofed, which is why you need to be vigilant when reading, opening, and responding to messages.

  • Do not open attachments from an untrusted/unknown sender.
  • Check for typos as these are a good indicator of an ingenuine email.
  • Do not share sensitive information hastily, be sure you are sending to who you think you are sending to.
  • Don’t fall for URGENCY, especially when it comes from out of the blue.
  • Don’t open links if you are not certain of what they are or who the sender is.
  • If you think the email/link may be real, hover over attachments to check for an actual link, before you click on it or download anything.
  • If messages sound too good to be true, chances are they are malicious and just trying to entice you.
  • Keep your devices up to date.
  • Regularly check your accounts.
  • Finally, when in doubt, message your security team/manager instantly if you suspect anything out of the norm.

Supply Chain Compromise and Third-Party Threats

A law firm’s supply chain can be compromised in various ways, for example, through the exploitation of third-party data stores, case management systems, or legal software providers.  Supply chain attacks rose by 42% in the first quarter of 2021 in the US’– Chartered Institute of procurement and supply (CIPS).

Two Types of Insider Threats- Are you One of Them? 

Internal Threats can come in two forms.

One – via a trusted employee who unintentionally breaches data. This is often down to a lack of education/training internally and the user is unaware that their actions are causing the business harm.

Two – via a trusted employee/ex-employee who purposefully leaks information for their own gain. That gain could be in the form of payment from a threat group, that might have coerced the individual. Or the attack may be down to a personal grudge against the organisation/individual within the company.

Ensure that Cyber Essentials are there, that benefit and work with your business.

With Extended Detection & Response (XDR) you can choose the package that works best for you and the types/amount of data you hold.

Once you have this in place, User Behavior Analysis (UBA) is useful to categories patters of user behavior, so that you can understand what constitutes as normal behavior, and to detect abnormal activity. That way, if an unusual action is made on a device or on a given network, such as an employee login late at night, inconsistent remote access, or an unusually high number of downloads, the action and user is given a risk score based on their activity, patterns, and time. That way anything unusual can be identified before malicious activity is made.

Having conducted incident response investigations across a wide range of industries, and with clients across the globe within the legal sector, SecurityHQ are best placed to work with legal firms, both large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on how to improve your security, or if you have a question about a service, speak to an expert here.