Traditionally, ransomware targeted organizations that handle critical services and infrastructure. Disruptions to their services can result in irreversible damage and affect a significant number of people, forcing victims to shell out money. However, ransomware attacks have now evolved into two-pronged operations. They not only encrypt your data but also threaten to share it on the internet if the ransom isn’t paid. This new approach only puts even more pressure on organizations, whose customer data and trade secrets are at stake. However, a ransomware attack recently hit a US-based law firm counselling Fortune 500 companies. Should other law firms also worry about ransomware?
But why would they target law firms?
Lawyers must have secure access to their case files. Theirs is a profession where court dates and legal deadlines demand prompt action. Further, sensitive information about corporate and private clients demands discretion. Ransomware gangs are well aware that these businesses have a low tolerance for downtime, eager to get operations back up and running as soon as possible.
Due to the nature of their business, law firms are becoming a more appealing target. Law firms and in-house legal teams acquire a lot of sensitive business information in the course of their diverse legal services.
Many legal companies fail to maintain regular backups and entrust unskilled staff members/ teams. Partners, attorneys, and other support staff are usually not well-versed/ trained in cybersecurity. Consequently, they are unable to respond promptly when files/ processes started behaving abnormally in case of a ransomware attack. By the time a proper incident response team get access to the infected systems, the ransomware encrypts most of the files.
The threat is even more imminent for small and midsize firms. As the Coveware report notes, ‘Professional Services’ businesses of these scales are targets of 24.9 per cent of ransomware attacks.
Where is it going wrong?
Most law firms are hampered in part by the small size of their cybersecurity budgets. On the other hand, they often seek to maximize profits and distribute earnings to partners at the end of the year. When it comes to distributions/ allocations, cybersecurity does not make the cut.
For smaller firms, they may not require security evaluations as frequently as bigger companies. Because attacks on smaller businesses seldom make the news, they sometimes get to wallow in anonymity.
In the case of a cyberattack, law firms must examine extra factors that are specific to their business. These include ethical obligations, legal responsibility, and attorney-client confidentiality. If they are hacked, law firms risk losing their reputation and earnings. Even their clients’ interests are at risk if the hackers choose to leak data.
Ransomware attacks are still on the rise, and law firms should be responsible for taking all suitable precautions to secure client data. Lawyers also have an ethical obligation to be knowledgeable in all elements of client representation, especially to keep all client information and records confidential.
Some Mitigating Strategies
Most law firms believe encrypting their data is adequate to safeguard them. While data encryption is a beneficial security measure, it may be a law firm’s worst nightmare if it occurs as a result of a ransomware attack. No lawyer should be in the position of having to decide whether or not to pay the people holding your firm’s/ client’s data for ransom. Also, there’s no guarantee of recovery even if the firm pays the ransom.
There’s also no disputing that even with preventive measures in place, ransomware may still infiltrate networks. As a result, staying one step ahead becomes critical. Prevention is always better than cure!
Here’s what law firms can do to maintain business continuity even in the face of a ransomware attack.
Risk assessment: Conducting a cybersecurity risk assessment to obtain comprehensive knowledge of your company’s information assets. This also uncovers critical security flaws that might jeopardise them. Some businesses opt to take it a step further and use penetration testing (i.e., controlled hacking) to find and fix network flaws.
Use standardised security frameworks: If you want to enhance security but aren’t sure where to begin, one option is to utilise the ISO/IEC 270001 framework. It will help establish a baseline for your firm, whether or not you want to pursue certification. The ISO/IEC 270001 standards can assist your company in identifying security flaws and developing necessary policies and procedures to defend against cyber threats.
Stay up to date: Allow automatic updates for software that support them, and check for updates on software that don’t. Keep in mind that your programme may approach end-of-life status, at which point it will no longer get updates. You must either upgrade to new software or replace your unsupported devices in these instances.
Use a password manager: Use a different password for each account. They should be complicated passwords or passphrases with multiple characters (numbers, uppercase letters, lowercase letters, and special characters are always included). Many businesses use password management software to make storing multiple complex passwords easy. This software generates strong passwords automatically and saves them securely.
Use 2-Factor Authentication: However, passwords are insufficient on their own. Ensure that all business apps support two-factor authentication (2FA). 2FA require secondary security measures such as a code sent to your mobile phone to authenticate account access. This is the single most effective technique to prevent hackers from breaching networks, taking over accounts, and eventually installing ransomware.
Don’t fall for phishing: All law firm workers must be aware of sophisticated phishing techniques. These target specific employees tricking them into opening a dangerous link, downloading a malware-laden file, or entering their credentials into a fake website. Conduct phishing tests to see how vulnerable your employees are to social engineering and phishing techniques. You can also read this guide, and keep clear of phishing hooks.
Buy cyber insurance: Finally, consider opting for cyber insurance. Organizations should check to see if their insurance covers ransom payments and, if so, how much. They’ll also require confirmation that the attackers aren’t faking an attack, that they have the data they claim to have, and that they can decode the damaged data.
Some Parting Advice
Law firms, unfortunately, are more vulnerable than other types of enterprises. According to a study issued in May by security firm BlueVoyant, a well-known aggregator of worldwide ransomware and cyber extortion data, 15% of a global sample of thousands of legal firms had evidence of infiltrated networks.
Free services like ID Ransomware and the No More Ransomware Project can also assist you. They figure out what sort of virus you’re dealing with and locate a decryption key that will allow you to remove the ransomware without paying the ransom.
Also, as soon as you realize that ransomware has infected a computer in your firm’s network, disconnect that computer from the network. Ransomware can move within a network, and may affect other computers on the network too.
Lastly, seek expert help. Data recovery/ forensic experts can help you recover your data, or help you get your operations up and running once again.
Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.