Lindsay Hill is a solicitor and experienced CEO, who leads a team of highly skilled professionals at Mitigo to deliver a business-friendly cybersecurity service. He has spent 35 years as a specialist in legal & regulatory compliance and business risk management, including legal obligations for cyber and data security.
What is a cyber attack?
When a third-party attacker with criminal intent tries to gain access into a firm's IT or OT systems.
What are the main types of cyber attack affecting law firms?
Common types of attack we are seeing include email account takeover, ransomware, and attacks via third parties in business supply chains.
Email account takeover is where the criminals gain access to someone's email account and take it over, allowing them to send and receive emails as though they are genuine. The consequences are that, because the criminals are in the email system, they can interfere with transactions, hijack invoices, ask a client to send money to a fraudulent account, or access and steal data.
Another type of attack is spoofing. This is where the criminals have not actually broken into your system, but they are sending an email from a spoofed domain, which is made to look as though it is coming from someone at the law firm even though it is not. It often fools the client into sending money to a fraudulent account.
Ransomware is another big one for law firms. This is when someone downloads ransomware (a type of malware) onto your system, giving access to an individual or criminal gang. Typically, what now happens is the bad guys move around your system, steal the most confidential data they can find, and then encrypt the data and system. Following this, they send a ransom demand to the law firm, saying the systems are now encrypted and, unless a certain amount is paid, they won't provide the decryption keys. We find that back-ups are usually not configured correctly. Even if (in the rare situation) your back-up withstands a ransomware attack and you can restore your data and systems, the criminals have a second ransom demand opportunity. They threaten to release the confidential data belonging to your clients and your firm unless the ransom is paid.
It’s important to highlight that even if you pay the ransom demands, you still do not know what the criminals have done or will do with your data (sold it on, or whether it has been used to attack your clients). Also bear in mind that your data has still been breached, which means you still have to report this to your clients and the regulators.
The average downtime last year was 26 days, but it can run into many months. The average ransom payment last year was £628,000, but with larger firms we have seen demands running into many millions. Law enforcement agencies and regulators discourage payment of ransom demands, but you can understand why firms faced with this situation feel forced into a payment. It is a terrifying ordeal. We have seen partners fear for the very existence of their business.
An increasing trend is for law firms to suffer an attack via a third party they have a relationship with. This could be their IT service provider, whose systems have been compromised and the criminals have then spread the malware to their law firm client. Another example is an attack on a set of barristers’ chambers from which the malware spreads to their instructing solicitors.
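The spoofing scenario described above (an email from a lookalike or forged domain that appears to come from the firm) can be screened mechanically before a fee earner or client acts on it. The following Python script is an added example; it is not code from the original article or from Mitigo. The firm domain `smithandco-law.co.uk`, the confusable-character table, the edit-distance threshold and the four sample messages are all constructed for illustration. It flags two cases: a From: domain that is a lookalike of the firm's real domain, and a From: that uses the firm's exact domain but for which the receiving mail server did not record a DMARC pass.

```python
"""Added example (not from the original article): a first-pass email spoofing check.

Given one raw message it asks two questions the spoofing scenario raises:
  1. Is the From: domain a lookalike of the firm's genuine domain?
  2. If it IS the genuine domain, did the receiving server's DMARC check pass?
Firm domain, confusable table, threshold and sample messages are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "smithandco-law.co.uk"   # assumed: the firm's genuine domain
LOOKALIKE_MAX_EDITS = 2                # assumed heuristic threshold

# Character swaps commonly used to build lookalike domains (assumed table)
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Fold confusable substitutions so 'smithandco-1aw' reads as 'smithandco-law'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the address in From: (the display name is ignored on purpose)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse 'Authentication-Results' into {method: verdict}, e.g. {'dmarc': 'pass'}."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for clause in header.split(";")[1:]:      # clause [0] is the authserv-id; skip it
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            verdicts[method.strip().lower()] = rest.split()[0].lower()
    return verdicts


def is_lookalike(domain: str) -> bool:
    """Lookalike if it folds to the firm domain, sits within a few edits of it,
    or reuses the firm's leading label under a different TLD."""
    folded, target = normalise(domain), normalise(FIRM_DOMAIN)
    return (
        folded == target
        or edit_distance(folded, target) <= LOOKALIKE_MAX_EDITS
        or folded.split(".")[0] == target.split(".")[0]
    )


def assess(raw_message: str) -> list:
    """Findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    if not domain:
        return ["no parseable From: address"]
    if domain == FIRM_DOMAIN:
        # Exact domain: trust it only if the receiving MTA recorded a DMARC pass
        verdict = auth_results(msg).get("dmarc", "missing")
        return [] if verdict == "pass" else [f"sender claims {FIRM_DOMAIN} but DMARC={verdict}"]
    if is_lookalike(domain):
        return [f"lookalike of {FIRM_DOMAIN}: {domain}"]
    return []


# Constructed sample messages (not real traffic)
SAMPLES = {
    "legitimate": (
        "From: Jane Smith <jane@smithandco-law.co.uk>\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=smithandco-law.co.uk;"
        " dkim=pass header.d=smithandco-law.co.uk; dmarc=pass header.from=smithandco-law.co.uk\n"
        "Subject: Completion funds\n\nBank details unchanged.\n"
    ),
    "lookalike": (
        "From: Jane Smith <jane@smithandco-1aw.co.uk>\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=smithandco-1aw.co.uk;"
        " dmarc=pass header.from=smithandco-1aw.co.uk\n"
        "Subject: URGENT: new bank details\n\nPlease pay to the account below.\n"
    ),
    "exact_spoof": (
        "From: Jane Smith <jane@smithandco-law.co.uk>\n"
        "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=smithandco-law.co.uk;"
        " dkim=none; dmarc=fail header.from=smithandco-law.co.uk\n"
        "Subject: Change of account\n\nPlease use our new account.\n"
    ),
    "unrelated": (
        "From: HM Revenue & Customs <noreply@hmrc.gov.uk>\n"
        "Authentication-Results: mx.example.org; dmarc=pass header.from=hmrc.gov.uk\n"
        "Subject: Statement\n\nYour statement is available.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {assess(raw) or 'ok'}")
```

Two caveats a practitioner would add. First, the `Authentication-Results` header is only meaningful when it was written by the firm's own receiving mail server: an attacker can forge one in a message they send, so a real deployment strips any pre-existing copies at the boundary and checks the authserv-id before trusting the verdict. Second, the lookalike test is a heuristic and will miss some registrations and flag some innocent ones; it belongs alongside the out-of-band verification of bank details that the spoofing scenario above really calls for, not instead of it.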
Who are the cyber attackers?
There is quite a sophisticated criminal ecosystem. There are organised criminal gangs, who make huge sums of money out of attacking law firms and other businesses. The structure of some of these gangs will include different types of gang members, with those who are technically skilled, those who are more commercial in nature and those who are experienced ransom negotiators.
Associate programmes also exist, whereby people with less technical knowledge can buy attack technology, e.g. ransomware as a service. So you also find more minor criminals gaining access to law firms and then passing on the opportunity to exploit that access to more sophisticated players. They are, in effect, then operating as lead generators. In return they get a cut of the ransom payments.
Unfortunately the ecosystem is only getting larger. The rewards for cyber criminal activity are very high, and the chances of getting caught are very low. This only incentivises the gangs to continue and increase their volume of attacks against all sectors, not just law firms.
A study by Coveware evidences how the profits for ransomware actors are high, and the risk very low. For example, cocaine trafficking in 1992 and ransomware in 2021 share similar profitability metrics; both activities carry 90%+ profit margins per unit. The major difference lies in the risk taken by the actors. In 1992, every 2 kilos of cocaine trafficked resulted in 1 person arrested. Every 4 kilos of cocaine trafficked resulted in 1 person being killed. Ransomware carries an infinitesimal fraction of the risk. Ransomware arrests are extremely rare relative to drug trafficking and no one is getting killed. A trafficker in 1992 was 625x more likely to get arrested than a ransomware actor in 2021.
Our law firm is only small, surely we are not a target?
Size is not the test. Most attacks start in a random way, with automated systems searching for vulnerabilities, which then turn into more focused attacks once a vulnerability is found. Of course, at the same time, many attacks are indeed specifically targeted against law firms for good reason.
What makes law firms attractive to cyber criminals?
Law firms get involved in financial transactions and hold much more confidential client data and sensitive information than other businesses. This gives an opportunity to monetise any successful breach.
Also, the downtime for a law firm is horribly expensive which is a great incentive for attackers using ransomware. Systems go down, and you cannot do your job.
In your experience what are the consequences for law firms if they suffer a cyber attack?
The list is long. Here are just some of the things law firms must deal with after an attack:
- Damage or destruction of client relationships
- Loss of money
- Claims on PI cover – impacting on premiums going forward
- Downtime
- Damage to reputation
- Management time and stress
- Reporting obligations to the ICO & SRA
- Fines, e.g. the ICO's £98,000 fine of Tuckers Solicitors for negligent security practices.
So, what can I do to protect my law firm from cyber attacks?
You need to undertake proper cyber risk management, which is what is required under UK GDPR and by the SRA. In summary, this involves assessing your cyber risks and putting in place the appropriate measures to control those risks. It also involves assessing on an on-going basis, whether those controls continue to be effective. Steps must include assessing vulnerabilities in your technology, training your staff, and having the right policies and procedures in place.
Cyber risk management should be right at the top of any firm's risk register. Law firm leaders should make sure responsibility for it rests at the most senior management level.
What should I do if our law firm suffers a cyber attack?
Seek specialist support. It is essential that you ensure that the attack has been brought under control, that the criminals are kicked out of the system, that you forensically determine how the breach occurred and what data or transactions have been accessed, and that you report to clients and regulators as necessary.
Even if my firm suffered a breach, won’t cyber insurance cover this?
Losses to clients will ordinarily be covered by PI insurance (but expect premium increases). Some of the law firm's own losses may be covered by any standalone cyber policy which may be in place, but no insurance can cover fines and regulatory actions, or damage to client relationships and reputation. No amount of insurance can cover the true internal disruption and sleepless nights that a cyber attack causes.
The bottom line is that lawyers should be complying with their legal and regulatory obligations and not thinking that it is acceptable to ignore them and look for insurance cover instead.