The ransomware risks to law firms and how to protect against them

Ransomware risks to law firms

Ransomware is among the largest threats facing law firms today.

Ransomware attacks increased by 288% in 2021, and Reuters does not expect this to slow down any time soon, suggesting, with a nod to the film, that “Like ‘Terminator’, high-tech cybercrime is expected to keep coming.”

Any business can become a target for cyber criminals, but law firms are among the top targets globally; even a listed UK law firm was hit by a cyber-security incident this year. Law firms are lucrative and have access to money, so they are often able to pay a ransom where other types of business might not.

However, cash flow is not the only reason firms become a target. Law firms have many interaction points and are in effect a service business, and service businesses live and die by their reputation. That is why they are a prime target.


Ransomware risks to law firms: why are they a great target for Ransomware attacks?

They hold valuable data, and that fits the ransomware business model: ransomware is a revenue generator for cybercriminals. Modern ransomware encrypts your practice’s electronic data and, before doing so, takes a copy of it. The attacker can then:

  • Sell the data to other cybercriminals
  • Hold it to ransom under threat of public release
  • Take over your social media accounts and broadcast your data and your failings
  • Sell details of the weakness they exploited to another cybercriminal
  • Use the same weakness again and demand another ransom


Are law firms financially protected from cyber-attacks?

Typically a paid ransom will be reimbursed by insurance, but only if the right cyber-security and risk controls were in place in the first instance.

Many firms think they are financially protected simply by having insurance in place to reimburse a ransom payment. However, if the right security was not in place, the insurer will not pay out, so check the security conditions written into the policy rather than assuming cover.


Money isn’t the only loss a firm faces when hit

Money is not the greatest threat. Here are some other ransomware risks to law firms.

Some ransomware groups demand a ransom only after they have already posted the firm’s sensitive data, including client data, on the dark web.

The firm may be able to get operational again, but the real damage goes beyond that: its clients’ data is in effect spread globally for anyone to access. It is easy to see that the ransom payment is just a fraction of the real cost a firm could face.

A breach means telling clients that their data is ‘in the wild’, that other parties can access it and can, in effect, use it to do much greater damage. That is big; it will seriously hurt the firm and everyone it works with.

Regulators then compound that damage: the firm is now looking at large fines from regulators such as the ICO and the SRA. It is a horrible place to be, hence the focus from the global ransomware business, part of a cybercrime economy that is now said to be bigger than the drugs trade (generating over $1.5 trillion).

This year 4 New Square Chambers took an unusual approach after they were attacked in mid-June. For damage-limitation purposes they obtained a court order forbidding the criminals from sharing the stolen data. The unidentified hackers were ordered to hand over any information they had obtained by 27 September 2021 or face possible contempt of court proceedings, but only time will tell how well this works.


Risk and IT security are not separate entities

Too many in the legal industry view the ransomware risks to law firms and IT security as separate things. They simply hand cyber-security, and all the risks that go with it, to the IT team. That is not going to wash with regulators, clients and very likely the media. Risk is a board responsibility and accountability, not IT’s.

Of course, the IT team plays its part. However, like every important function in a firm, it needs governance. The whole firm needs to be aware of its role in controlling risk, especially as most breaches start with an employee doing something they should not. The biggest threat to a firm’s security is more often than not something simple, such as someone unsuspectingly clicking a link or giving information out over the phone.


IT can only go so far

New and emerging threats are often targeted at the end user sitting at their laptop or on their phone. Technology has its own risks, such as unpatched software or a lost laptop, but people are usually the weakest link. Although employees pose one of the largest risks with one of the biggest impacts, the threats are of course much wider.

The other big risk is vulnerabilities in internet-facing IT systems, both those run internally and those run by third parties such as a website host, an IT supplier or a partner organisation that links into the firm’s systems. Every link into a firm is a risk, and each needs to be evaluated and tested. A firm should certainly penetration test its own systems, but it should also look at those it interfaces with, to ensure they deal with their part of the wider risk.


So, how can the ransomware risks to law firms be avoided?

There are certainly basics that should be dealt with, especially where ransomware is concerned:

Have you got an air gap in your backups?

Ransomware attackers want to encrypt your data. That may take you down for a few days. However, if your backups sit on the same network as your data, reachable with the same credentials, the attackers will make sure the backups are encrypted or deleted too. That leaves a firm dead in the water with no chance of recovery. Keep at least one copy offline or on immutable storage, and regularly test restoring from it: a backup you have never restored is only a hope.
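As an added illustration (this is example code, not code from the original article or from QuoStar), the following Python script shows the two checks that paragraph implies: a manifest of file hashes taken at backup time and kept where the backup host cannot rewrite it, and a restore that is actually exercised and compared against that manifest. A temporary directory stands in for the offline or immutable store, the sample files are constructed, and the ransomware step is a simulation that scrambles and renames files the way real ransomware does; all names and paths are hypothetical.

```python
"""Backup manifest and restore verification (added example, constructed data)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, store: Path) -> dict:
    """Copy the source tree to the backup store and return its manifest.
    Keep the manifest somewhere the backup host cannot write to (a separate
    read-only bucket, even a printout); it is the yardstick for every restore."""
    shutil.copytree(source, store, dirs_exist_ok=True)
    return build_manifest(store)


def restore(store: Path, target: Path) -> None:
    shutil.copytree(store, target, dirs_exist_ok=True)


def verify_restore(target: Path, manifest: dict) -> list:
    """Return human-readable problems; an empty list means the restored tree
    matches the manifest exactly (nothing missing, altered or added)."""
    problems = []
    found = build_manifest(target)
    for rel, digest in manifest.items():
        if rel not in found:
            problems.append(f"missing: {rel}")
        elif found[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in found:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def simulate_ransomware(root: Path) -> None:
    """Stand-in for an attacker who reached the backup share: scramble every
    file and rename it, as ransomware typically does (constructed behaviour)."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))


def demo() -> tuple:
    """Run the full cycle on constructed sample data and return
    (problems after a clean restore, problems after the backup was hit)."""
    work = Path(tempfile.mkdtemp())
    try:
        source = work / "matters"
        (source / "client-a").mkdir(parents=True)
        (source / "client-a" / "engagement.txt").write_text("constructed sample\n")
        (source / "ledger.csv").write_text("date,amount\n2021-06-01,1500\n")

        manifest = take_backup(source, work / "store")

        restore(work / "store", work / "restore1")
        clean = verify_restore(work / "restore1", manifest)

        simulate_ransomware(work / "store")      # backup copy was reachable
        restore(work / "store", work / "restore2")
        hit = verify_restore(work / "restore2", manifest)
        return clean, hit
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, hit = demo()
    print("clean restore problems:", clean)
    print("after ransomware reached the backup:", hit)
```

Running `demo()` gives an empty problem list for the first restore and, for the second, every original file reported missing plus a `.locked` file reported as unexpected, which is exactly the signal you want before you bet recovery on that backup. The manifest only helps if the attacker cannot rewrite it along with the data, so store it separately from the backup itself.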

Do you have a rigid patch management policy?

Many businesses patch once a week, many once a month. That is not enough. Internet-facing systems and actively exploited vulnerabilities need patching within days, not on the next monthly cycle. The IT team needs to be continually aware of new threats and deal with them quickly, or rely on a specialist IT security partner to do so.

Do you use a VPN to protect endpoints on public networks?

Too many firms allow staff to connect from home or other locations, such as hotels, over unprotected networks. That risk needs to be controlled via a VPN. The VPN itself should require a second factor, since exposed VPN gateways with password-only logins are a common way in for ransomware operators.

Do you consistently train and test your users in how to spot a suspicious email or call?

Again, staff are the weakest link and need to be able to spot suspicious behaviour online and on the phone.

Do you control USB ports to ensure non-approved storage devices can’t be installed?

You cannot allow staff to plug anything into a work machine, or into a machine that accesses work systems, without controls in place. For example, in a Rubber Ducky attack a custom USB device emulates a USB keyboard and types commands into the workstation. Because it presents as a keyboard rather than as storage, simply blocking removable drives will not stop it; the control should be an allowlist of approved devices, with everything else denied.
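The following Python example (added here; not from the original article or from QuoStar) makes that point concrete. It evaluates a set of constructed USB devices against two policies: the common “block USB sticks” rule, which denies only mass-storage interfaces, and a deny-by-default allowlist keyed on vendor ID, product ID and serial. The vendor and product IDs, serials and device names are made up for the demo, and the rule output follows USBGuard’s rule language as I understand its documented syntax (an assumption to check against your installed version).

```python
"""USB device policy: storage blocklist versus device allowlist (added example)."""
from dataclasses import dataclass

USB_CLASS_HID = 0x03            # keyboards, mice, and keystroke-injection gadgets
USB_CLASS_MASS_STORAGE = 0x08   # USB sticks, external drives


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple    # USB interface class codes the device presents


def storage_blocklist_allows(device: UsbDevice) -> bool:
    """The common 'block USB sticks' control: deny only mass-storage interfaces."""
    return USB_CLASS_MASS_STORAGE not in device.interface_classes


def allowlist_allows(device: UsbDevice, approved: set) -> bool:
    """Deny by default: admit only a device whose VID, PID and serial are approved."""
    return (device.vendor_id, device.product_id, device.serial) in approved


def usbguard_rules(approved: set) -> str:
    """Render the allowlist as rules in USBGuard's rule language (assumed syntax);
    the trailing 'block' is what makes the policy deny-by-default."""
    lines = [f'allow id {vid:04x}:{pid:04x} serial "{serial}"'
             for vid, pid, serial in sorted(approved)]
    lines.append("block")
    return "\n".join(lines)


# Constructed devices; IDs and serials are made up and match no real product.
DEVICES = [
    UsbDevice("corporate keyboard", 0x1111, 0x0001, "KB-00017", (USB_CLASS_HID,)),
    UsbDevice("approved encrypted drive", 0x2222, 0x0002, "ED-00042", (USB_CLASS_MASS_STORAGE,)),
    UsbDevice("unapproved USB stick", 0x3333, 0x0003, "ST-90001", (USB_CLASS_MASS_STORAGE,)),
    UsbDevice("keystroke-injection device", 0x4444, 0x0004, "XX-00000", (USB_CLASS_HID,)),
    UsbDevice("composite keyboard plus hidden storage", 0x5555, 0x0005, "CM-00001",
              (USB_CLASS_HID, USB_CLASS_MASS_STORAGE)),
]

APPROVED = {
    (0x1111, 0x0001, "KB-00017"),
    (0x2222, 0x0002, "ED-00042"),
}


def evaluate(devices=DEVICES, approved=APPROVED) -> dict:
    """name -> (admitted by the storage blocklist?, admitted by the allowlist?)"""
    return {d.name: (storage_blocklist_allows(d), allowlist_allows(d, approved))
            for d in devices}


if __name__ == "__main__":
    for name, (by_blocklist, by_allowlist) in evaluate().items():
        print(f"{name:40} blocklist={by_blocklist!s:5} allowlist={by_allowlist}")
    print(usbguard_rules(APPROVED))
```

The keystroke-injection device sails through the storage blocklist (it is a keyboard as far as the host is concerned) and is stopped only by the allowlist, while the blocklist also wrongly refuses the approved encrypted drive. Note the limit of the allowlist too: VID, PID and serial are reported by the device, so an attacker who has seen an approved device can clone them; the allowlist raises the bar, it does not remove the need for endpoint monitoring.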

Do you have an email security protection system in place?

You need an advanced email security system that checks both the links and the attachments in email. You generally cannot rely on the email provider’s built-in filtering alone, not even Microsoft’s.
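To show what “checks the links and the attachments” means in practice, here is an added Python example (not code from the original article or from QuoStar, and far simpler than a commercial gateway) that parses a MIME message with the standard library and flags three things: links served over plain HTTP, anchor text that shows one domain while the href goes to another, and attachments that can run code or carry macros. The message it inspects is constructed in the script, and the domains, extension lists and finding names are my own choices.

```python
"""Minimal email link and attachment triage (added example, constructed message)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code or carry macros; a deliberately short, constructed list.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
# Innocent-looking inner extensions seen in "statement.pdf.exe" style names.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}
LOOKS_LIKE_DOMAIN = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:]|$)", re.I)


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL, or of a bare domain written as link text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def triage(raw: bytes) -> list:
    """Return (finding, detail) pairs for risky links and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in RISKY_EXT:
                findings.append(("risky-attachment", filename))
            pieces = name.split(".")
            if len(pieces) >= 3 and pieces[-2] in DECOY_EXT:
                findings.append(("double-extension", filename))
            continue
        if part.get_content_type() == "text/html":
            extractor = AnchorExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                target = host_of(href)
                if urlparse(href).scheme.lower() == "http":
                    findings.append(("plain-http", href))
                # Visible text that looks like a domain but differs from the real target
                if LOOKS_LIKE_DOMAIN.match(text) and host_of(text) != target:
                    findings.append(("href-mismatch",
                                     f"shows {host_of(text)} but goes to {target}"))
    return findings


HTML_BODY = """\
<p>Your signed engagement letter is ready.</p>
<p><a href="http://secure-login.example.net/portal">https://portal.example-lawfirm.co.uk</a></p>
<p><a href="https://portal.example-lawfirm.co.uk/help">Help</a></p>
"""


def sample_message() -> bytes:
    """A constructed phishing-style message: spoofed link text and a macro-enabled attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-lawfirm.co.uk"
    msg["To"] = "partner@example-lawfirm.co.uk"
    msg["Subject"] = "Engagement letter ready"
    msg.set_content("Your signed engagement letter is ready.")
    msg.add_alternative(HTML_BODY, subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real document",
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding, detail in triage(sample_message()):
        print(f"{finding:18} {detail}")
```

On the constructed message this reports the plain-HTTP link, the anchor text that shows the firm’s portal while pointing at another host, and the `.docm` attachment. A real gateway adds what this cannot do offline: detonating attachments in a sandbox, following redirects to the final destination, and checking the sender’s domain against SPF, DKIM and DMARC.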

Do you have next generation antivirus in place?

Traditional, signature-based antivirus is not enough to protect against ransomware: by the time a scan recognises a new variant it has already run. You need NGAV (next-generation antivirus) or an EDR tool, which watches behaviour, such as a process rapidly rewriting files, and can stop ransomware before it does its damage.

Do you have 2-factor authentication in place?

This is probably one of the biggest protections against ransomware available. A third party who steals a password still cannot log in without the second factor. Be aware that SMS and app-generated codes can be captured by a phishing page that relays them in real time; hardware security keys (FIDO2) resist that, so use them for email, remote access and administrator accounts wherever you can.

Do you have a SIEM and a 24x7x365 SOC?

A SIEM is a Security Information and Event Management system; a SOC is a Security Operations Centre. If you have done the other points, you need a system that collects logs and looks for suspicious behaviour (the SIEM) and a team that can take that alert and respond to it (the SOC). These can be expensive, so you need to make a judgement call on how far you go.
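To make “looks for suspicious behaviour” less abstract, here is an added Python example (not from the original article, nor a QuoStar product) of two correlation rules of the kind a SIEM runs: a burst of file renames to a ransomware-style extension from one host inside a sliding window, and a run of authentication failures from one source followed by a success. The log format, host names, addresses and thresholds are constructed for the demo; real telemetry would come from the file server, EDR and VPN gateway in their own formats.

```python
"""Two SIEM-style correlation rules over constructed log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime

SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt")   # constructed, not a full list


def parse_line(line: str) -> dict:
    """'<iso-timestamp> key=value key=value ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def ransomware_burst(events, window_s=60, threshold=10) -> list:
    """Alert once per host that renames >= threshold files to a suspicious
    extension inside a sliding window of window_s seconds."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "file_rename":
            continue
        if not ev.get("new_path", "").lower().endswith(SUSPICIOUS_EXT):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"rule": "ransomware_burst", "host": ev["host"],
                           "count": len(q), "first": q[0], "last": q[-1]})
    return alerts


def brute_force_success(events, threshold=5) -> list:
    """Alert when a source has >= threshold auth failures and then logs in."""
    alerts, failures = [], defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src")
        if ev.get("event") == "auth_fail":
            failures[src] += 1
        elif ev.get("event") == "auth_ok":
            if failures[src] >= threshold:
                alerts.append({"rule": "brute_force_success", "src": src,
                               "failures": failures[src], "user": ev.get("user")})
            failures[src] = 0
    return alerts


def build_sample_log() -> list:
    """Constructed log lines for the demo (not real telemetry)."""
    stamp = "2021-06-14T09:12:{:02d}Z"
    lines = []
    for i in range(12):      # WS-017: 12 renames in 24 seconds, should alert
        lines.append(f"{stamp.format(i * 2)} host=WS-017 user=jsmith event=file_rename "
                     f"path=S:/Matters/M{i}.docx new_path=S:/Matters/M{i}.docx.locked")
    for i in range(3):       # WS-022: 3 renames, below threshold, stays quiet
        lines.append(f"{stamp.format(30 + i)} host=WS-022 user=akhan event=file_rename "
                     f"path=S:/Matters/N{i}.pdf new_path=S:/Matters/N{i}.pdf.locked")
    for i in range(6):       # six VPN failures then a success from one address
        lines.append(f"{stamp.format(40 + i)} host=VPN-GW user=partner1 event=auth_fail src=203.0.113.5")
    lines.append(f"{stamp.format(47)} host=VPN-GW user=partner1 event=auth_ok src=203.0.113.5")
    lines.append(f"{stamp.format(48)} host=VPN-GW user=clerk2 event=auth_fail src=198.51.100.7")
    lines.append(f"{stamp.format(49)} host=VPN-GW user=clerk2 event=auth_ok src=198.51.100.7")  # one typo, benign
    return lines


def run_rules(lines) -> list:
    events = [parse_line(line) for line in lines]
    return ransomware_burst(events) + brute_force_success(events)


if __name__ == "__main__":
    for alert in run_rules(build_sample_log()):
        print(alert)
```

The first rule fires for WS-017 on its tenth rename and stays quiet for WS-022; the second fires for 203.0.113.5 after six failures and a success, and ignores the user who mistyped once. The rules are only as good as the logs reaching them, which is why the SOC point above matters: someone has to confirm the file server and the VPN gateway are actually forwarding events, and then act on the alert.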

So how do you decide how far you take your IT security?

Well, first you really need to understand all the risks you face: how likely each is to be realised, and what the impact would be if it were. How do you do that?

You need a system, you need a framework. Too many firms think that because they have Cyber Essentials they are secure. That is not the case. Cyber Essentials is a baseline; it does not by itself make you secure, especially not from the ransomware risks to law firms.

Have a plan for resiliency.

The only way a firm, particularly its leadership, can get a grip on IT security is to work at governance level and implement an Information Security Management System (ISMS). With an ISMS you are doing the right thing from a leadership perspective: you know your risks, you know the controls applied to those risks, and you can make a call on what you need and want to do, based on real knowledge.

An ISMS built on a standard such as ISO 27001 gives you a structured, documented view of your risks and how you deal with them. It also lets you manage all of your suppliers and third parties, ensuring they do not pose a risk you are unaware of.

At QuoStar we have a process called “Chain of Resiliency” which highlights the weakest links in your critical systems, whether cloud or traditional server-based, so you can estimate the cost of a lack of resiliency per system, appropriate to your law firm, and carry out a cost-benefit analysis.


In short, a strong Executive action plan will:

  • Copy what the big tech companies do.
  • Enforce a backup and restore process (the important bit is the restore)
  • Implement an Information Security Management System (ISMS)
  • Use risk as a management tool not as a list
  • Implement Governance over risks with key stakeholders
  • Follow best practice


If you would like advice from our CISO on your firm’s cyber-security set-up, get in touch today.

LIVE WEBINAR | IT Strategy for Law Firms


In an increasingly competitive marketplace, law firms are under pressure to continually improve their operations and deliver an enhanced experience for clients. While firms can leverage technology to do this, it’s vital that they are investing wisely, intentionally and with purpose – especially given the current commercial landscape of the Covid-19 pandemic.

Before responding to requests for new tech or cutting-edge IT solutions, law firm business and IT leaders must understand and plan for change. There must be an IT strategy in place which aligns with the business’s direction and overall growth strategy, and which enables strategic decision making.

In this webinar, Chris White, Head of Consultancy, and Robert Rutherford, Chief Executive Officer, will give an introduction to IT strategy for law firms. They will discuss the strategic importance of IT for law firms and how they should organise it.

  • The role of IT in law firms
  • The strategic importance of IT in law firms
  • How mid-sized firms typically organise their IT
  • Challenges facing firms and their IT teams
  • Trends in legal IT
  • Summary
  • Q&A

Free Workshop: Book a free one-to-one strategy session with a senior IT consultant. A one-hour, one-to-one workshop with a senior member of our IT consultancy team to answer your key strategy questions and kick-start your planning.

Cyber-security advice for law firms preparing for GDPR


With less than 10 months to go until the General Data Protection Regulation (GDPR) officially comes into force, firms should certainly be starting their preparations to meet its compliance requirements as soon as possible, if they have not already begun.

The implementation of GDPR is likely to have far-reaching consequences. It will standardise data protection regulation across Europe and introduce strict financial penalties for those who do not comply, far greater than any we have seen before. For law firms, which are responsible for a wealth of sensitive client data, such as those acting for high-net-worth individuals or sharing personal data with third parties under lasting powers of attorney, this is likely to be a challenging time as they get ready for the new requirements enforced by the GDPR.

However, GDPR is not just another tick-box exercise that can be set aside once compliance is achieved. Not only are there actions firms will need to carry out regularly to remain compliant, there are also future risks to consider. The cyber-security landscape is ever-changing and the risks are only increasing, as demonstrated by the global WannaCry and “Petya” attacks earlier this year. As GDPR widens the definition of personal data and places an even greater monetary value on it, that data becomes an even more attractive target for cybercriminals and, by extension, the risk of cyber attacks against law firms potentially increases.

The future for law firms

You can certainly expect to see indemnity insurance premiums ramp up considerably, as potential compliance-related fines go from tens of thousands of pounds into potentially millions. The penalties for data breaches are going to be high: fines for non-compliance can reach €20 million or 4% of global annual turnover, whichever is greater.

Traditionally firms may have tried to keep data breaches under wraps; under GDPR they will have to report a breach to the Information Commissioner’s Office (ICO) or the relevant supervisory authority (for example if the breach occurred outside the UK), and notify the affected individuals where the breach puts them at high risk. Firms must report a breach within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and failure to do so can lead to significant fines on top of any fine for the breach itself. As data is often stolen during a breach, this could have a significant reputational impact, along with compensation claims from those affected. Hackers could also use the stolen data to hold the firm to ransom.

GDPR will further fuel the rise of ransomware attacks, because the impact on the target is now so much greater. Previously, attacks were mainly an inconvenience for most victims: you reverted to the last backup. It was painful, but the damage was often contained. Under GDPR the impact is higher, because the party held to ransom wants more than just its data back; it wants to prevent that data from being leaked, given the potential fines. It is now common for ransomware authors to build in “datanapping” that steals information before locking a business out. With the introduction of GDPR, “datanapping” will be just as effective as the traditional encryption payload incorporated into ransomware.

Phishing attacks are also likely to increase, and I would expect their complexity and sophistication to grow alongside the rise in ransomware. The potential earnings for fraudsters have started a “global arms race”. Initially, attacks have been widespread and not necessarily focused on the legal market. However, a number of significant breaches, alongside the reluctance of large swathes of small and mid-market firms to invest in appropriate security, will make these organisations an attractive target.

The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied. In reality, many firms will need to invest in improving their security systems alongside ensuring they are compliant with GDPR. This is essential and cannot be ignored; some firms are simply fortunate that they have not been breached yet. At the end of the day, if there is a risk of burglary it makes sense to put in an alarm.

Robert Rutherford, CEO of QuoStar

How to increase security & better protect your insurance firm

IT security - How insurance firms can increase their cyber-security

In recent years insurance firms have been targeted by numerous cyber attacks, both internal and external, including those by disgruntled former employees and organised cybercriminals. With the UK insurance industry alone managing investments of £1.9 trillion, it is no surprise that these firms are such an attractive target. Not only do they hold substantial funds in their systems at any one time, they also hold a wealth of customer data, the perfect tool for hackers to use for blackmail or to release publicly with the intent of causing reputational damage.

How do cybercriminals target insurance firms?

Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s system. Now their motives are far more calculated. This, in turn, has also changed the method of attack. Cyber attacks are rapidly becoming more sophisticated and for the hacker who is willing to be patient and clever the rewards stand to be substantial, whether that’s financial gain or the potential to damage – in some cases irreparably – a firm’s identity and reputation.

While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. It essentially involves using tricks or tactics to obtain information from legitimate users of a system in order to gain unauthorised access without having to break in. Examples include calling targeted employees while pretending to be from IT or maintenance and requesting login details in order to “fix a problem”. As this can resemble a routine helpdesk request some users will respond, which highlights the need for continual end-user training; a genuine IT team never needs a user’s password. Employees are often a firm’s first line of defence and, as such, must be able to recognise red flags, such as suspicious emails or calls, and understand the appropriate escalation process.

How can insurance firms protect themselves?

When it comes to determining a security strategy, and an overall IT strategy, the insurance sector faces pressure from multiple angles. It carries additional regulatory burdens in comparison to some other sectors. It is also under continual pressure, from a technical standpoint, to modernise its systems so that customer data is highly secure while remaining accessible for review and processing.

These pressures combined can result in increased overheads and reduced margins, which can lead to decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.

Determining a security strategy should really begin with a firm understanding what its assets are, and then assessing them to determine potential risks. A reliable starting point is the ISO 27001 standard, an international standard for information security management against which firms can be certified. It helps firms manage security by identifying assets, assigning controls and monitoring processes.

Education will always be a key element of any security strategy. Social engineering is developing at a rapid pace and employees remain vulnerable, as these attacks essentially manipulate trust. A comprehensive security policy should cover basic elements such as password strength, disclosure of confidential information and physical security, and should be shared with the whole company. A security-aware culture means employees will flag potential threats and make the right decision, even when a request seems genuine.

Recent high-profile breaches must serve as a warning that insurers are a prominent target for cybercriminals. This is likely to continue, if not increase. Taking steps to protect customer and financial data will protect your brand reputation and profitability, so it makes sense to implement policies and systems to secure your business and review them regularly. The consequences of failure can be devastating, or even fatal, so cybersecurity must be a priority.


In the press: Top tips for insurers to improve cybersecurity

Originally published in Life Insurance International

Hacking is becoming a relatively effortless procedure, and this is a major concern for many businesses.

Insurance firms, in particular, can be a greater target for cybercriminals, due to the large capital funds on their systems and the wealth of customer information they can access. According to recent surveys, the Financial Services sector suffered 6.3 million cyber attacks in the last year alone.

Recent high profile cyber-attacks and the increasing number of them serve as a warning to insurance firms that cyber attacks are growing more sophisticated and that cybercriminals can get past some of the most protected systems.

QuoStar CEO Robert Rutherford explains the two main breach methods insurance firms are susceptible to, as well as several simple ways they can improve cybersecurity to better protect their firm, their reputation and their clients.

Read the article in full on Life Insurance International

In the press: Cybersecurity best practice for insurers

As the British Insurance Brokers Association (BIBA) announces the launch of a cyber committee dedicated to helping the insurance sector as a whole tackle the increasing number of security breaches, Robert Rutherford shares his insights on how life and health insurance providers can create a successful cybersecurity strategy that will protect their business and confidential data.

Rutherford, CEO of IT support and consultancy firm QuoStar, says hackers are capitalising on dated technology and legacy systems, an issue that has plagued the insurance industry for decades. However, there is no need for insurers to revamp their entire IT estate to implement a successful cybersecurity strategy. In fact, technology is the last piece of the “cyber puzzle”.

Read the article in full on Life Insurance International

In the press: IT is a tier one investment for law firms

The start of the new financial year means that every department is battling for a “piece of the pie” as budget allocation gets underway. Staff bonuses, business development and branding are often top priorities for available budget. This leaves the IT department with little investment to cope with the security threats aimed at the legal sector.

QuoStar CEO Robert Rutherford says that firms should consider IT a tier one investment, not an “afterthought”. Law firms are an attractive target for hackers partly because of the financial transactions they carry out. A serious breach will not only hit revenue but will be a big blow to reputation. For some firms…

Read the article in full on Legal IT Insider


In the press: Panama Papers leak a security “wake up call”


In the wake of the Panama Papers data leak, security experts are once again calling for the c-suite and senior leadership to better understand cybersecurity requirements, strategy and technology.

The data leak released 11.5 million files and 2.6 terabytes of information from the internal database of Panamanian law firm Mossack Fonseca. The documents include shareholder registers, emails and bank statements, and reveal the ways wealthy individuals can exploit offshore tax regimes. Six members of the House of Lords and dozens of political donors are among those with offshore assets.

The implications of the Panama Papers are far-reaching – not only for those involved. It should provide a “wake-up call” to companies of all sizes and sectors.

Security professionals, including Robert Rutherford, CEO of QuoStar, have reiterated that no company is immune to an attack and there are many points to consider when it comes to effective cybersecurity.

Read the article in full on Computer Business Review

In the press: Stay safe – Cybercrime in conveyancing

Robert Rutherford, CEO of QuoStar, and Nigel Smith, Managing Partner of Ellis Jones, outline how to protect both firms and clients from scam emails during conveyancing.

“The rise in targeted email attacks against solicitors and their clients continues to dominate the headlines, with one couple recently losing a £45,000 deposit after succumbing to an email from a hacker claiming to be their solicitor. These attacks are clearly dangerous in their current form, but the increased frequency and intelligence behind the attacks means that solicitors will need to become increasingly vigilant in this area, not only for their clients but for the sake of their reputation as well.”

Read the Cybercrime in Conveyancing article in full



This article was originally published in Property Law Journal (February 2016) and is also available at

When will the legal sector go lean?

IT strategy - When will the legal sector go lean?

As we all know, the legal sector is changing and changing fast. Several emerging challenges in the sector are driving this change, namely: globalisation, shrinking margins and innovation. But whilst change can be uncomfortable, failing to adapt means you die.

This may seem like a scary prospect (and it is) but the legal sector has the advantage of not being the first to go through these challenges. The world of manufacturing has suffered from the exact same problems of globalisation, shrinking margins and innovation and what separated the winners from the losers in that sector was their ability to leverage a set of principles known as Lean.

Manufacturers who both used technology to provide a competitive advantage and understood and implemented the principles of Lean became experts at adjusting to rapid change, something that law firms have traditionally resisted. However, as the pace of change in the legal sector increases, it is something you will need to start doing.

So, to keep you interested, how will Lean help your legal firm? In short, you’d use proven business tools and strategies to allow you to survive and thrive in shifting sands, by:

  • Lowering overheads
  • Improving delivery times
  • Increasing client satisfaction
  • Pricing work more accurately
  • Freeing up resources across your firm
  • Making lawyers more efficient
  • Improving margins!

What is Lean?

Lean was born in manufacturing and was originally developed and used by Toyota engineers in the ’40s. As you would expect of a discipline built on continual improvement, Lean has since changed and matured. Today when most people talk about Lean they are talking about Lean Six Sigma, which combines Lean with the Six Sigma process developed by Motorola in the late ’80s and is still widely used across sectors, from finance through to retail. It is not common in the legal space, which is bizarre.

In short, Lean was born for the systematic elimination of waste (“Muda”) in a process. It also seeks to identify and eliminate waste caused by overburden (“Muri”) and by unevenness in workloads (“Mura”). There is also a focus on “value” as seen by the client who consumes a particular product or service. So it is about reducing waste internally and increasing value for the client.

Here are some examples of how waste elimination can work in relation to Lean Six Sigma in a law firm. This can easily be remembered with the acronym: DOWNTIME

Now, if the potential here isn’t exciting you, you may be in trouble. If you also think you are already all over these elements, then I’ll almost guarantee that you aren’t. There is always room for improvement, everything can be improved. It’s about prioritisation. Prioritising what improvements deliver the greatest gain to the firm and ultimately the client. I’m a big believer in win-win relationships and that means the client has to be your partner, not simply a bill payer.

How does lean deliver improvements?

Lean uses the acronym DMAIC to structure improvement, generally continuous improvement, which is of course essential in a law firm in this day and age. DMAIC is always applied in the order shown below and stands for Define, Measure, Analyse, Improve and Control:

Define

  • Identify the business/process issue
  • Record the requirements of the client and the firm
  • Finalise the project focus
  • Define the project scope

Measure

  • Collect the required business data
  • Determine the performance of the process
  • Clarify the business opportunity
  • Identify quick wins where possible

Analyse

  • Undertake root cause analysis
  • Quantify the opportunity for gain
  • Prioritise root causes

Improve

  • Understand and develop potential solutions
  • Develop and select the evaluation method and criteria
  • Evaluate risks
  • Optimise the solution

Control

  • Monitor and adjust
  • Ensure the desired gains are delivered and sustained
  • Lock in the gains through standardisation

The above goes around in a continual cycle. It is surprising how many firms do not have live, documented processes and procedures. If you do not have Standard Operating Procedures (SOPs) you will have to start; if your processes are not defined, how can you evaluate and improve them?

Why is Lean particularly relevant in law firms?

This is the biggest issue: law firms are, in essence, simply a business, predominantly a service and consulting business. Individually they are not particularly different in what they do (although the individuals inside a firm of course have their specialisms). So when a client chooses between a firm that has not adopted Lean and still carries a lot of waste (and thus higher costs) and one that has, the client will choose the Lean firm every time.

A significant number of law firms have been behind the curve on innovation for a long time, and some that believe they are innovative are not, not when you look at the advanced systems, processes and structures in other sectors. To begin making real forward change, law firms need to start at the beginning and audit their existing systems to identify waste.

For Lean to be effective, firm leadership must embrace the principles. You can’t delegate and forget – leadership must be responsible, passionate and championing the reduction of waste and continual improvement in a firm. If you don’t do this then your competition will be, or an entity that isn’t even a competitor right now will be. Change in the legal sector isn’t a threat to those who embrace Lean – it’s an enormous opportunity and one you’re missing out on right now.

Robert Rutherford – CEO of QuoStar

Discover how to reduce IT costs and get a better return from your spend. Click here to find out more about QuoStar's Cost Recovery and Value Enhancement Audit