Why Are Law Firms Being Targeted by Cybercriminals?

David Ford

Founder

News of another successful cyber-attack in the legal sector, this time on listed law firm Gateley plc, again highlights the risks faced by all businesses, particularly those holding large quantities of sensitive client data.

The cyber-attack on Gateley, discovered quickly by the firm’s in-house IT team, saw only a small amount of client data stolen before it was traced and deleted from the location to which it had been downloaded.

However, although the result could have been much worse, the fact that the firm has to inform all its clients what has happened and whether their sensitive data has been compromised highlights the potential risk of reputational damage for law firms suffering attack and loss.

This is only the latest in a series of high-profile cyber-attacks affecting law firms. Earlier this year, global giant Jones Day had gigabytes of sensitive client data stolen and made available to journalists. However, the loss was reportedly part of a more extensive hack on file-sharing service provider Accellion, whose legacy file-transfer appliance was compromised rather than the firm's own network.

Recognising the Opportunity

There remains an ongoing debate about the origin of most cyber-attacks. Still, whether it’s organised crime gangs, government-sponsored foreign actors, or lone-wolf hackers, there is little doubt that the pandemic has witnessed a significant increase in activity, particularly against law firms.

Whilst hacks on big law firms are headline news, all firms are targets for criminals because of the nature of their business. The confidential client data gathered during corporate transactions and the sensitive data retained following family law and private client work are valuable targets for criminals.

Law firms not only risk direct financial loss through compromised funds transfers or paying a ransom for a decryption key; the threat of reputational damage also makes them more likely to meet the attacker's demands in order to keep their legal business alive.

While big firms attract more attacks, they are also likely to have the best defences, with cyber-security treated as a board-level concern. Criminals therefore increasingly turn their attention to smaller firms, which often lack the specialist expertise to prevent a sophisticated attack.

In October 2020, a report from the American Bar Association, the largest voluntary association of lawyers globally, found that 29% of US law firms reported a security breach. Over 20% were unsure if they had been breached, with 36% reporting past malware infections.

Of course, the true picture could be worse, as many firms will be reluctant to report attacks, successful or otherwise, for fear of damaging their reputation in the eyes of their clients. Bear in mind that Gateley's share price dropped around 8% following news of the breach.

Considerations When Facing Cyber-Attacks

Cyber-attacks come in many forms, and although ransomware attacks have recently made headlines, many others will be equally damaging to law firms due to the potential loss of sensitive client data.

Some of the most damaging attacks involve a breach that goes undiscovered for a long time, such as the 2020 SolarWinds hack. There, a trojanised update to SolarWinds' Orion software gave the attackers a foothold in numerous U.S. government networks and private companies' systems worldwide, which they spent months exploring before the breach was discovered.

This is why finding potential weaknesses in an organisation's systems before the attackers do is the best first step beyond existing anti-virus and firewall measures. It should include testing staff to ensure they understand their responsibilities in preventing a successful attack, since most attacks fall into one of a few common categories:

– Phishing: Criminals use emails to target large numbers of organisations with generic attacks attempting to obtain sensitive information or gain access to client funds by pretending to be a trusted known source.

– Spear-phishing: Fraudulent emails appear from an individual or business known to a specific target organisation, designed to infect devices with malware or persuade victims to hand over information or money.

– Ransomware: Malware that encrypts the files on the computers, smartphones and servers it can reach, with the criminals demanding payment for the decryption key; many groups now also steal the data before encrypting it and threaten to publish it. The attacks typically start with an unsolicited email and an employee clicking a genuine-looking link or attachment, or with stolen remote-access credentials.

– Websites: Recognising that more than half of all legitimate websites have unpatched vulnerabilities because administrators fail to secure them fully, cyber criminals exploit these vulnerabilities to infect the site's visitors.
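As an added illustration of the phishing and spear-phishing patterns described above (example code written for this page, not part of the original article or any vendor product), the following Python script triages the headers of an inbound email for the three signs an analyst or mail gateway looks for first: a sender domain that imitates a known one, a display name that claims a trusted address the real sender does not have, and mail from a trusted domain that has not passed DMARC. The firm domain, counterparty domain and the three messages are constructed and hypothetical.

```python
"""Header triage for sender spoofing. Added example; all domains and
messages below are constructed for illustration."""
import email
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical: the firm's own domain plus a counterparty it regularly deals with.
TRUSTED_DOMAINS = {"example-law.co.uk", "clientbank.example"}


def _normalise(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e-law' reads as 'example-law'."""
    return (domain.lower()
            .replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l").replace("3", "e").replace("5", "s"))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if _normalise(domain) == _normalise(trusted) or _edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def triage(raw_message: str) -> List[str]:
    """Return a list of human-readable findings for one raw RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_to.rpartition("@")[2].lower()

    # 1. Sender domain is a look-alike of a domain the firm trusts.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")

    # 2. Display name carries a trusted address that the real envelope sender does not.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display_name.lower() and from_domain != trusted:
            findings.append(f"display name references {trusted} but address is {addr}")

    # 3. Replies are redirected to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Exact trusted domain, but the receiving MTA did not record a DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        findings.append(f"DMARC did not pass for trusted domain {from_domain}: "
                        f"{auth or 'no Authentication-Results header'}")
    return findings


# Constructed sample messages (headers only).
SPOOFED_MESSAGE = "\n".join([
    'From: "jane@example-law.co.uk" <payments@examp1e-law.co.uk>',
    "Reply-To: settle@freemail.example",
    "Subject: Completion funds - updated bank details",
    "Authentication-Results: mx.example-law.co.uk; dmarc=none",
])
LEGITIMATE_MESSAGE = "\n".join([
    'From: "Jane Partner" <jane@example-law.co.uk>',
    "Subject: Completion funds",
    "Authentication-Results: mx.example-law.co.uk; spf=pass; dkim=pass; dmarc=pass",
])
UNAUTHENTICATED_MESSAGE = "\n".join([
    'From: "Jane Partner" <jane@example-law.co.uk>',
    "Subject: Urgent wire",
    "Authentication-Results: mx.example-law.co.uk; spf=fail; dmarc=fail",
])

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE),
                          ("unauthenticated", UNAUTHENTICATED_MESSAGE)]:
        print(label, triage(sample) or "clean")
```

The script deliberately checks the Authentication-Results header rather than doing its own SPF or DKIM lookups: only the receiving MTA sees the connecting IP and the signed body, so that header is the authoritative record, and a message from the firm's own domain that arrives without dmarc=pass is the classic sign of direct domain spoofing aimed at funds-transfer fraud.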

This is a quick overview of attack types and a subject we will cover in more detail in subsequent articles, as attack vectors constantly change. Defeating criminals is a challenging test for any in-house IT team without specialist support, and that’s where we come in.

After testing for weaknesses, several valuable cyber security measures can be deployed: enabling two-factor authentication, keeping backups (including an offline or otherwise immutable copy that ransomware cannot reach), and ensuring software is patched and maintained. Training employees in good security practice is also critical.

Each attack vector commonly used by criminals requires different preventative measures. A single, comprehensive solution therefore makes life simpler for firms that have learned that multi-vendor set-ups can fail when they become too complicated to integrate successfully.

Again, we will cover the most valuable actions in a series of blogs on the topic. 
