Ride the Lightning

Cyberattacks: Law Firms are Taking a Beating

June 29, 2023

Dark Reading reported on June 26 that “it’s open season on law firms for ransomware and cyberattacks.”

I agree – and while I’ve been focused largely on the increase of successful U.S. law firm cyberattacks during 2023, our friends across the pond have their hands full too.

In fact, the UK’s National Cyber Security Centre (NCSC) released a threat report last week. Basically, the report underscored the increasing number of ransomware and other cyberattacks, endangering the security of law firm data. It also advised law firms to shore up their defenses.

Thus far, the NCSC’s advice has fallen largely on deaf ears.

While there are plenty of run-of-the-mill attacks by individuals, there are also sophisticated attacks by nation-state actors who have the backing of China, Iran, North Korea, and Russia, according to the recent cyber threat report for the UK legal sector published by the NCSC. It reported that nearly 75% of the UK’s top 100 law firms have been affected by cyberattacks.

Read that last sentence again. I think the percentage of American law firms affected by cyberattacks is much the same.

“In addition to possessing personal information about their employees, law firms possess significant amounts of sensitive information concerning their clients,” attorney and cybersecurity expert Jonathan Gallo of Woods, Rogers, Vandeventer, Black PLC has said about why cyberattackers are drawn to the legal sector. “This can include not only personal information, but other sensitive information such as sensitive corporate information, trade secrets, merger and acquisition information, medical records, and other information.”

Gallo notes that, in addition to the sensitive data held by law firms, and the risk of significant damage if that data is compromised, attorneys have an ethical obligation to protect their client data. Failure to do so may add personal and professional reputational damage to the mix.

In the first two months of 2023, 10 cyberattacks were launched against six different law firms, according to findings from eSentire’s Threat Response Team.

With all the ransomware cyberattacks (and other attacks), PriceWaterHouseCoopers Annual Law Firms Survey cited by the UK cybersecurity regulators reported that the top 100 law firms spent less than 1% (just 0.46%) of their fee income on cybersecurity.

64% of IT leaders in the legal sector interviewed by BlackBerry research were daunted by the amount of work necessary to build their own internal security operations and 80% said a program would be too expensive. Not as expensive as a data breach, in my opinion!

For organizations with a limited budget, cybersecurity starts with identifying the organization’s most sensitive “crown jewels” and working on defending those first according to Dan Trauner, senior director of security with Axonius.

“With that in mind, even if a smaller company’s IT/security budget is low, routinely encouraging (and ideally auditing) the same basic cyber-hygiene tips given to consumers — enable MFA, install available software updates, and be ‘politely paranoid’ in the face of unsolicited communication — will go a long way towards reducing risk even before these items are centrally managed with enterprise tooling,” Trauner says.

Drew Schmitt with the GuidePoint Research and Intelligence Team notes that cybersecurity for the legal sector starts with basic information security best practices including patching, endpoint detection and response (EDR), having security information and event management (SIEM) tools in place, in addition to incident response planning, and more.

“Having specific measures focused on sensitive data protection is a great step towards being proactive in mitigating risk associated with data exfiltration of sensitive and proprietary data,” Schmitt says. “Implementing data classification processes and technology focused on securing and preventing unauthorized access and interaction with sensitive data will help reduce the risk of a compromised account being able to exfiltrate data from the environment for extortion and/or sale on the Dark Web.”

No one likes having to pay for cyberinsurance, but most experts agree that it is critical for law firms. Besides covering losses, insurance carriers can provide expertise in running a cyber incident response.

“Firms who have not already done so should seriously consider obtaining cyber insurance,” Gallo says. “Often, cyber insurance policies provide resources such as cyber-breach lawyers and incident response teams for the insured as part of the policy.”

Our advice varies slightly from Gallo, who recommends calling your cyberinsurance carrier first in the event of a cyberattack. We recommend calling a data breach lawyer first and foremost – and Gallo would be a very good choice!

And don’t forget that incident response plan – too many law firms don’t have them!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson