Is Your Legal Practice Resilient To A Ransomware Attack?

We have seen too many partners having to endure it, the awful realisation that digital criminals are inside your law firm, stealing and encrypting your data and using it to blackmail you. In many cases they have been there for some time, gathering confidential personal and business information, working through your systems laterally, building their plan of action. The symptoms are rarely spotted. Suddenly, it is too late. You know for sure that your business is going to be severely damaged, and you are going to have to explain yourself to the SRA, ICO and your clients.


The downtime after a ransomware attack can last for days (26 on average, but can be more), and the loss of work because of this and the resulting ruin to your reputation can be devastating. Anyone is a target – small firms and large firms alike. The criminals are not looking for you, they are looking for your vulnerabilities; a door left open, a way in. It is not personal, but it is serious.

The cybercrime industry is worth billions of pounds, so the criminals are not just going to go away once you have closed one door or halted their progress. They are going to try again from all different angles until they can get in.

To help you avoid falling victim, here is a look at our top 10 areas that law firms need to address to stop ransomware.

1. Anti-Virus (AV) software.

AV is the software application designed to stop malicious software getting a foothold on your devices and to prevent bad actors (hackers) taking control of your systems. It is common to have Anti-Virus software, you probably have it yourself, but much less common to have it deployed correctly. Installing AV ‘straight from the box’ and choosing the default recommended settings and features is not enough.

During an attack, cyber criminals will essentially become you within your computer system and take over your user privileges. They will attempt to switch off the AV as early in the journey as they can. To obstruct this, make sure it is centrally controlled so it is not easily switched off. It is best to get it configured by a security specialist (which, with no disrespect to your team, is probably not your head of IT – they are different disciplines). In addition, make sure the AV is kept up to date and, as a minimum, installed on every device. This way, end-to-end during a ransomware attack, your AV will have several opportunities to get in the criminal’s way and halt their progress.

2. Email security filters.

One of the attackers’ favourite ways into a business is via an email. It is important to make sure that even if they do send an email, they do not get through to the users. No matter how well trained or how professional your employees are, they will fall for tricks, and they will click on links. Setting your email platform up correctly can make sure that employees are protected from this.

Email platforms have filters that check incoming emails for malicious software, dodgy links and untrusted senders. Your email provider, especially Microsoft, has the most insight into incoming dubious emails, so do use the filters and tools they have created to help increase your chances of prevention. Such filters might include sending the email to spam, hiding some of the links, or removing some attachments if they seem suspicious.

3. Web browsing controls.

If somehow you do fall for a criminal’s tricks and click the link, your web browser has controls which, if switched on, can still step in after the click and warn you before it is too late. These controls are designed to stop or warn users that they are about to visit a dangerous or fraudulent website.

To get around the AV software, fraudsters will often take unwitting staff to fraudulent websites. This risk can be minimised by linking the browser to the AV and configuring it correctly. Thousands of malicious sites are reported all the time, so within days of a website being created, or sometimes hours, the browser provider becomes aware of it. They can then flag an alert to ask if you really do want to proceed. Stop, read the alert, and think it through before clicking. Just a couple of extra seconds of your time could save your company days of destruction. Take it one step further and change the alert to a straight-up block.

4. Security patching.

It might be surprising to learn, but software is full of holes. In the software industry people are paid to find these holes, or ‘bugs,’ by sending out friendly fire and reporting back to the software providers, like Microsoft or Google (Chrome). The providers then create and issue software updates that patch (fix) the known vulnerabilities. Regular software updates (monthly for Windows) include these patches along with feature improvements. Of course, as soon as they publish the fix, they effectively publish the details of the bug to everyone, including the criminal. It is only a matter of time before the criminals start to exploit these bugs, so it is vital to update your software or device as soon as you are prompted to, a discipline which is unfortunately sorely neglected.

5. Least privilege.

Every user on your system is assigned privileges that define what they can control, run, and amend.

Remember, ransomware attackers take over users’ accounts, they become ‘you,’ and the more privileges you have, the more damage the attacker can do. So, an approach of least privilege should be followed: give each employee the minimum rights they need to do their work, not every admin level possible.

6. Remote authentication.

The pandemic has potentially changed our working habits forever and with this comes new security challenges. When working at a non-work location (e.g., at home) how do you tell business systems who you are and how do they authenticate that?

You may be logging into a cloud platform, or accessing information via a Dropbox, but most probably you are accessing a server. That server could be physically in your office, or a cloud version of it.

Username and password are no longer good enough protection for remote connection. If you have good password discipline, that is a good start, but you cannot rely on this to protect your business. Adding another method of authentication would stop a significant proportion of ransomware attacks. This extra layer, MFA (multi-factor authentication) or two-step authentication would require the username, password, and either a code, or a setting that states “only trust this computer with this certificate,” for example.

Just because your data is on ‘the cloud’ does not mean it is safe. There is an assumption that the cloud providers are managing your security for you. However, your credentials give you access to the cloud, so if these become compromised, hackers can still get into the data. ‘Cloud’ just means that you can access your data anywhere – and therefore, potentially, so can your hackers.

7. Test and scan externally facing assets.

Tests and scans of firewalls, domain addresses, login pages and IP addresses will check for vulnerabilities and gaps in your security defences. Externally facing assets could also be things like a web portal where clients can interact with your system directly. Leave no stone unturned.

Anything connected to the internet will have an address and can be scanned. You may not be scanning, but the criminals are! You need to find the open ports and poor configuration before they do.

It is possible your IT firm or department may have set up your remote-working firewalls from a speed and convenience perspective, as opposed to a security one. Get a security consultant to help find and address any weaknesses in your system. It is not a substantial change either: you do not need to scan them every other week, just a couple of times a year will be plenty, depending on your risk. Let your level of risk govern your approach.

8. Review access management.

This relates to the documents, files, and folders that your system allows individuals to access.

There is a generic setting of “Everyone” in many systems. This means that everyone connected to the system can get to the documents; you do not even have to be authenticated. The bigger the firm gets, the more this applies, but access to documents should be defined by role.

Does everyone need access to all documents and data for current matters, let alone historical ones? Start to think about how you can parcel up your documents, files, and folders and who should have access to them.

Unfortunately, for obvious reasons, cyber criminals tend to take over the user account of senior staff members, and that person usually has quite a lot of access. It still makes sense to partition off everyone else’s access too, but perhaps there are some additional limitations you can place at the top of the firm for data protection and preservation.
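As an added illustration of the access review described above (this is not code from the article or from any file-server product), the Python below reads a permissions export and flags every grant made to a catch-all group rather than a role. The CSV, the server name fs01, the group names and the severity ranking are all constructed assumptions; a real export from your IT team would have whatever columns their tooling produces.

```python
import csv
from io import StringIO
from typing import Dict, List

# Constructed export of share permissions: one row per (folder, who, access).
# The paths, groups and rights are invented for this example.
PERMISSIONS_CSV = r"""share,folder,principal,access
Matters,\\fs01\Matters\Smith-Conveyancing,Everyone,FullControl
Matters,\\fs01\Matters\Smith-Conveyancing,Conveyancing-Team,Modify
Matters,\\fs01\Matters\Jones-Probate,Domain Users,Read
Matters,\\fs01\Matters\Jones-Probate,Probate-Team,Modify
Admin,\\fs01\Admin\Payroll,Finance,Modify
Admin,\\fs01\Admin\Payroll,Authenticated Users,Read
Archive,\\fs01\Archive\2015,Archive-Readers,Read
"""

# Catch-all principals that grant access by "being connected" rather than by role.
# (Assumed list; extend it with whatever broad groups exist in your directory.)
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}

# Higher number = more damage an attacker with that right can do.
SEVERITY = {"fullcontrol": 3, "modify": 2, "write": 2, "read": 1}


def parse_permissions(text: str) -> List[Dict[str, str]]:
    """Parse the export into a list of row dicts with trimmed values."""
    reader = csv.DictReader(StringIO(text))
    return [{k: v.strip() for k, v in row.items()} for row in reader]


def find_broad_grants(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every grant to a catch-all group, most dangerous first.

    Each finding carries the folder, the principal, the right and a numeric
    severity so the firm can work through FullControl/Modify before Read.
    """
    findings = []
    for row in rows:
        if row["principal"].lower() in BROAD_PRINCIPALS:
            findings.append({
                "folder": row["folder"],
                "principal": row["principal"],
                "access": row["access"],
                "severity": SEVERITY.get(row["access"].lower(), 0),
            })
    return sorted(findings, key=lambda f: (-f["severity"], f["folder"]))


def role_only_folders(rows: List[Dict[str, str]]) -> List[str]:
    """Folders whose every grant goes to a named role group (the target state)."""
    by_folder: Dict[str, List[str]] = {}
    for row in rows:
        by_folder.setdefault(row["folder"], []).append(row["principal"].lower())
    return sorted(f for f, who in by_folder.items()
                  if not any(p in BROAD_PRINCIPALS for p in who))


if __name__ == "__main__":
    rows = parse_permissions(PERMISSIONS_CSV)
    for f in find_broad_grants(rows):
        print(f'{f["severity"]}  {f["access"]:<12} {f["principal"]:<20} {f["folder"]}')
    print("Already role-based:", role_only_folders(rows))
```

Run on the constructed export, the review lists three broad grants, with the Everyone/FullControl entry on a live matter folder first, and reports the 2015 archive as the only folder already restricted to a named role.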

9. Alerting and incident response.

If the worst comes to the worst, and unfortunately, it may still do despite all the best protections, preventions, and policies in place, you need a plan. You might be that unlucky person who gets hit when a new attack is created which is not being defended yet – the patch has not been created in time. Speed is of the essence, so it is important that the alerts that your system generates are actually alerting somebody. It seems obvious but it is surprisingly common to have alerts switched off or not being sent to an active member of staff.

An incident response plan is a rehearsed set of steps that ensures the business responds effectively to a cyber incident. You do not want to be rehearsing it for the first time during a real attack. You might already do a similar exercise as part of your business continuity plan for other incidents, such as a power cable being dug through, so this could be an additional scenario. It is important to go back to basics: remember your system has been compromised, so you may not be able to send an email to employees, so make sure you have phone numbers. And what if it is a Sunday? Put together a plan: who is going to know what to do, who are you going to speak to, what and how should you communicate to clients or maybe the press – and more.

If you get your alerts set up correctly and have a plan in place, you will have a chance of stopping a ransom attack in its tracks.

10. Back-up.

This is the process by which your business takes a copy of the systems, applications, and documents for use in an emergency. This is rarely configured correctly, which means that scarily few back-ups survive a ransomware attack, with everything ending up encrypted and useless.

The most common back-up set-up is via an online package. The software takes one full copy of everything at the start, and from then on just copies anything that has changed. The problem with this is that when your data becomes encrypted during a ransomware attack, everything has changed, so the software kicks in and takes a copy of everything again. It overwrites the original copies, leaving you with only the encrypted version. Not ideal!

Having a couple of types of back-ups can be a good idea but do get an expert in to check your set up and run through some scenarios. Get yourself confident that your back-up would survive.
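As an added illustration (not code from the article or from any backup product), the Python simulation below contrasts the “copy whatever changed” backup described above with a snapshot backup that keeps several versions, and shows the mass-change alert from section 9 that a backup job can raise when nearly every file changes at once. The sample files, the XOR stand-in for encryption, the retention count of three and the 50% alert threshold are all constructed assumptions chosen to make the behaviour visible.

```python
from typing import Dict, List

# Constructed sample files standing in for a firm's document store.
SAMPLE_FILES: Dict[str, bytes] = {
    "matters/smith-conveyancing/contract.docx": b"Contract of sale, 12 Acacia Avenue",
    "matters/jones-probate/will.pdf": b"Last will and testament of A. Jones",
    "admin/fee-earner-hours.xlsx": b"Fee earner hours, March",
}


def naive_incremental_backup(store: Dict[str, bytes], live: Dict[str, bytes]) -> None:
    """'Copy whatever changed' backup: one copy per path, overwritten
    whenever the live file differs from the stored one."""
    for path, data in live.items():
        if store.get(path) != data:
            store[path] = data


def snapshot_backup(store: Dict[str, List[bytes]], live: Dict[str, bytes], keep: int) -> None:
    """Snapshot-style backup with retention: every run appends the current
    content of each file and only the most recent `keep` versions survive."""
    for path, data in live.items():
        versions = store.setdefault(path, [])
        versions.append(data)
        del versions[:-keep]


def change_ratio(previous: Dict[str, bytes], current: Dict[str, bytes]) -> float:
    """Fraction of known files whose content differs from the last backup run.
    A normal working day changes a few files; ransomware changes nearly all."""
    paths = set(previous) | set(current)
    if not paths:
        return 0.0
    changed = sum(1 for p in paths if previous.get(p) != current.get(p))
    return changed / len(paths)


def simulate_encryption(live: Dict[str, bytes], key: int = 0x5A) -> Dict[str, bytes]:
    """Stand-in for ransomware: every byte of every file is replaced.
    XOR with a constant is not real encryption; it is just enough to make
    each file differ from its original, which is all the simulation needs."""
    return {p: bytes(b ^ key for b in d) for p, d in live.items()}


def recoverable_from_naive(store: Dict[str, bytes], originals: Dict[str, bytes]) -> int:
    """How many original files the overwrite-style store can still restore."""
    return sum(1 for p, d in originals.items() if store.get(p) == d)


def recoverable_from_snapshots(store: Dict[str, List[bytes]], originals: Dict[str, bytes]) -> int:
    """How many original files still exist in some retained snapshot version."""
    return sum(1 for p, d in originals.items() if d in store.get(p, []))


def run_scenario(keep: int = 3, alert_threshold: float = 0.5, encrypted_runs: int = 1) -> dict:
    """Back up the clean files once, encrypt everything, then run the backup
    job `encrypted_runs` more times without anyone intervening. Returns what
    each approach can restore and whether the mass-change alert fired."""
    naive: Dict[str, bytes] = {}
    snapshots: Dict[str, List[bytes]] = {}
    naive_incremental_backup(naive, SAMPLE_FILES)
    snapshot_backup(snapshots, SAMPLE_FILES, keep)

    encrypted = simulate_encryption(SAMPLE_FILES)
    ratio = change_ratio(SAMPLE_FILES, encrypted)
    alert = ratio >= alert_threshold   # this is the alert that must reach a real person

    for _ in range(encrypted_runs):
        naive_incremental_backup(naive, encrypted)
        snapshot_backup(snapshots, encrypted, keep)

    return {
        "change_ratio": ratio,
        "alert": alert,
        "naive_recoverable": recoverable_from_naive(naive, SAMPLE_FILES),
        "snapshot_recoverable": recoverable_from_snapshots(snapshots, SAMPLE_FILES),
    }


if __name__ == "__main__":
    print(run_scenario())                    # one run after encryption: snapshots still hold originals
    print(run_scenario(encrypted_runs=3))    # retention exhausted: originals have rolled off
```

The first call shows the failure the article describes: after a single post-encryption run the overwrite-style store can restore nothing, while the snapshot store still holds all three originals and the job has flagged a 100% change rate. The second call makes the retention point: if nobody acts on that alert and the encrypted state is snapshotted as many times as the retention count, the originals roll off too, so retention has to outlast the time it takes your firm to notice, and the alert has to reach someone who will stop the job.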

There is of course more to do, but if you do this top 10 well, it will dramatically reduce the risk to your law firm. Try to do what you can, and if you do not understand any of the above, please do not hesitate to contact us.
