
Law Firms Vulnerable to Ransomware and Cyberattacks


The UK’s National Cyber Security Centre (NCSC) recently released a threat report warning the legal sector about the increasing number of ransomware attacks targeting law firms. These attacks pose a significant risk to the sensitive information of clients, and it is crucial for the legal sector to take cybersecurity seriously.

According to the NCSC’s report, threat actors targeting the legal sector range from petty cybercriminals using off-the-shelf ransomware tools to nation-state actors supported by countries like China, Iran, North Korea, and Russia. The report revealed that nearly 75% of the UK’s top 100 law firms have experienced cyberattacks.

Attorney and cybersecurity expert Jonathan Gallo stated that law firms are attractive targets for cyber attackers because they hold not only personal information but also sensitive corporate data, trade secrets, and other valuable information. In addition to the potential damage caused by data exposure, lawyers also have an ethical obligation to protect their clients’ secrets, which means that their personal and professional reputations are at stake.

Recent incidents have highlighted the severity of the ransomware threat to law firms. One such example is the cyberattack on snack food conglomerate Mondelez, which compromised the personal data of 51,000 current and former employees. Mondelez’s law firm, Bryan Cave Leighton Paisner, was targeted in this attack. Another instance involves Genova Burns LLC, a law firm in Newark, NJ, that confirmed a breach resulting in the compromise of personal information of an unknown number of Uber drivers. Furthermore, HWL Ebsworth, Australia’s largest legal partnership, experienced a breach by Russian-backed ALPHV/Blackcat, potentially compromising sensitive information from dozens of government agencies.

The reputational damage that can occur as a result of these attacks is significant, given that many law firms have a high profile. Christine Gadsby, Vice President of Product Security at BlackBerry, explained that law firms are attractive targets for follow-on supply chain attacks. These attacks can be highly destructive, as law firms are often connected to other targets such as partners or clients, making them an appealing point of entry for threat actors.

However, despite the increasing threat of ransomware attacks, a survey conducted by PricewaterhouseCoopers revealed that the top 100 law firms in the UK spend less than 1% (0.46%) of their fee income on cybersecurity. Many IT leaders in the legal sector feel overwhelmed by the amount of work required to establish internal security operations, and 80% consider such programs to be too expensive.

Experts recommend several measures to secure law firm data from ransomware attacks. Dan Trauner, Senior Director of Security with Axonius, suggests that organizations with limited budgets should prioritize the defense of their most sensitive data first. This can be achieved through basic cyber hygiene practices such as enabling multi-factor authentication, installing software updates, and maintaining a cautious approach to unsolicited communications.

Drew Schmitt from the GuidePoint Research and Intelligence Team emphasizes the importance of basic information security practices, including patching, endpoint detection and response, and incident response planning. Schmitt also suggests implementing data classification processes and technology to secure sensitive data and prevent unauthorized access.

Additionally, experts agree that cyber insurance coverage is crucial for law firms. Beyond covering financial losses, insurance carriers can offer expertise in managing a cyber incident response. Obtaining cyber insurance is advisable, as such policies often provide access to resources like cyber breach lawyers and incident response teams.

In the event of a breach, Gallo advises law firms to contact their cyber insurance carrier as soon as possible. It is essential for firms to have a comprehensive breach response plan in place, which includes identifying the resources that will be utilized, such as cyber breach lawyers, incident response teams, and communication/public relations firms. By preparing in advance, law firms can respond more efficiently and effectively to cybersecurity incidents.

Ultimately, the legal sector must recognize the seriousness of the ransomware threat it faces. Firms need to prioritize cybersecurity measures and allocate sufficient resources to protect their clients’ sensitive information. By taking proactive steps to secure data and having a robust incident response plan in place, law firms can mitigate the risks posed by ransomware attacks and protect both their reputation and their clients.
