Why the Legal Sector is Under Cyber Siege

Large quantities of sensitive data coupled with chronic under-investment in security have made the legal sector a prime target for cyber criminals. Kate O’Flaherty investigates

More than 500 UK legal firms have reported cybersecurity incidents since 2019, according to data from the Information Commissioner’s Office. This is hardly surprising given the unique challenges and threats that legal firms face.

It’s not just a quantity thing, either. Breaches of companies operating in the legal sector come at a high cost. According to IBM’s Cost of a Data Breach Report 2021, a cyber attack costs professional services organisations an average of $4.65 million (£3.78m).

Legal firms are feeling the pressure. Let’s throw in a third data set to really hammer the message home; nine out of 10 legal firms say cyber attacks are the biggest threat to their business, evidenced in PwC’s Annual Top 100 Law Firm Survey.

So what unique challenges and threats do legal firms face, and how can these be overcome?

The legal sector is an attractive target for cyber criminals partly because firms are highly visible and often vocal about their most prominent clients, says Will Richmond-Coggan, a cyber litigation specialist at law firm Freeths. “This makes them prone to being attacked, not so much for their own assets, but for the extremely valuable information belonging to their clients.”

To make matters worse, most law firms can’t afford to invest as much money into cybersecurity as their clients can, says Dr Ilia Kolochenko, founder of ImmuniWeb. As a result, digital forensics and incident response are usually “non-existent” or “nascent” in mid-size law firms, reducing the chance that intruders will be detected and identified, says Dr Kolochenko. “This means it’s often faster, easier and cheaper to break into a law firm.”

Adding to this, most law firms don’t have dedicated cybersecurity programmes or personnel in place to protect the business, says Larry Gagnon, SVP of incident response at eSentire. As a result, he says that their cybersecurity posture has “likely failed to keep up” with their requirements as a business.

“The IT environment within many legal sector organisations is a mix of legacy technology alongside very modern solutions, which can lead to problems over time,” Gagnon explains. “Additionally, there is an opportunity for attackers to move laterally within the network if they can bypass perimeter defences such as firewalls and anti-virus protections.”

Supply chain risks

The risk to legal firms spans multiple vectors, including the supply chain. Many companies in the legal sector have adopted new technologies and work-from-home policies as part of how they operate, and the companies they work with have had to do the same, says Gagnon. “The result is that these companies have a bigger threat surface to manage, and the infrastructure itself is more complex.”

Because lawyers conduct a lot of work over email and handle sensitive data, the legal sector is also highly vulnerable to phishing attacks. “As more employees return to their firms’ offices this year, poor cybersecurity habits from home may enter the workplace,” says Lawrence Perret-Hall, director at CYFOR Secure. He warns how a successful phishing attack could “quickly become a company-wide and hugely detrimental cyber incident if hackers can access an employee’s device and pivot into the corporate network”.

“It’s often faster, easier and cheaper to break into a law firm” Dr Ilia Kolochenko

Attacks on legal firms can happen very quickly before they have had a chance to detect anything is wrong. When attackers successfully breach a legal organisation, they tend to be able to progress beyond the initial foothold to the intrusion phase more quickly, Gagnon says. In other words, they start to cause damage quickly once they’re in. “This suggests that threat actors prioritise establishing footholds in the legal sector rather than companies in other industries because these firms tend to hold information on several clients. This makes them more valuable as a target.”

 

At the same time, while cyber attacks result in disruption and cost, they can also put law firms at risk of regulatory sanctions. “If a lawyer has been instructed to pay completion money in a multi-million-pound transaction by the end of the day and systems are taken offline before it can be completed, the consequences could be extremely severe,” Richmond-Coggan explains.

Excuse us while we get a little technical here. If you really object, skip two paragraphs and rejoin us after the tech talk.

Data collected by the eSentire Threat Response Unit suggests that something called ‘GootLoader’ is the most common malware used in attacks against the legal services sector. It’s a malware-as-a-service offering spread through SEO poisoning to distribute malicious payloads. If that sentence sounds like we’re speaking a mythical language, let’s colour that in further:

• Malware-as-a-service is a type of cyber attack in which criminals offer malware and deployment services to other hackers.
• SEO poisoning is where cyber criminals create malicious websites and use search engine optimisation tactics to ensure they appear prominently in search results.
• A malicious payload, quite simply, is the content that causes harm to the victim of the cyber attack.

The hacking gang behind the GootLoader malware is reportedly called UNC2565. “This gang specifically targets professionals within legal services and accounting firms because they have access to sensitive commercial information,” says Gagnon.

He describes how in one attack campaign, UNC2565 targeted business professionals with legitimate-looking compromised websites populated with hundreds of pages of content, including numerous references to business agreements. “The content claimed to offer free samples for download and promised to save work for professionals who wanted a head start in creating documents. When they came to the site, they got a lot more than they bargained for and would end up with infected machines.”

Responding to threats

In an increasingly complex threat landscape, it’s integral that legal firms take steps to improve their security. As part of this, Richmond-Coggan outlines the importance of robust incident response programmes. “These must be regularly tested and ready to be implemented at a moment’s notice. They need to be joined up and prepared in collaboration with the firm’s banks, insurers, IT providers and other important stakeholders within and outside the firm.”

Richmond-Coggan says that law firms should also assume their defences will eventually be penetrated and have other layered protections in place. “On the same basis, it is vitally important to have invested in appropriate disaster recovery tools, so if the worst happens, the firm can quickly resume operations and limit the impact on clients and counterparties.”

Implementing business continuity and incident response plans is especially crucial for proactively reducing the damage of attacks such as ransomware, adds Perret-Hall. It’s also important not to forget about the remediation that needs to take place afterwards. “This can be a lengthy, complex clean-up job – sometimes a complete rebuild of internal systems from scratch if the ransom isn’t paid. If the ransom is paid, it certainly won’t guarantee the return of all your critical files, and the clean-up could still be significant.”

While there are some industry-specific measures to bear in mind, the foundational principles for boosting cybersecurity in legal companies remain the same as in other sectors, according to Dr Kolochenko: “Maintain a comprehensive and up-to-date inventory of your digital assets and data, keep your software up-to-date with a holistic patch management programme, and enforce multi-factor authentication wherever feasible.”

This is in addition to having a third-party risk management programme for external vendors and suppliers and a process-driven approach to monitor and audit IT infrastructure continually. “Prepare a clear strategy detailing how to respond to a security incident from a legal, technical and business perspective,” Dr Kolochenko adds.

Perret-Hall advises legal firms to conduct an audit to identify gaps in their security. “A comprehensive audit will comprise measures such as vulnerability scanning and identification, followed by actionable guidance for legal firms to follow to bolster their cybersecurity,” he explains.

Firms can also refer to the Solicitors Regulation Authority (SRA), and the Law Society, which have published guidance for the legal industry to help develop cybersecurity policies and procedures, Mike East, VP of sales EMEA at Menlo Security, points out. “Of course, these efforts will only be successful if they are well received by law firms,” he adds.

“Law firms are likely to experience more cutting edge and innovative attacks than might be encountered by some other industries” Will Richmond-Coggan

Taking this into account, education and training is vital, with experts warning that employee buy-in is essential to boosting security. “Law firms need to recognise that data protection is everyone’s job,” says Nigel Jones, co-founder of the Privacy Compliance Hub. “Companies need to put a programme in place which enables all individuals in the firm to understand the risks.  If people understand, they will hopefully play their part in keeping data secure.”

Gagnon says it’s essential for firms to develop a culture where everyone recognises they have a role to play in security. “For lawyers used to handling sensitive commercial information, this should be second nature. However, this mindset should be in place for everyone across the organisation, as the most common attack vectors are phishing campaigns, business email compromise attacks and users’ internet browsing behaviour.”

As well as being aware of new attack techniques, law firms need to keep pace with emerging technology, says Richmond-Coggan. At the same time, it’s important to be aware of the industry’s unique risks. “The legal sector must recognise that the custodianship of high-value confidential information makes them particularly attractive targets. This means law firms are likely to experience more cutting edge and innovative attacks than might be encountered by some other industries.”