Since Covid-19, cyberattacks have become a more prevalent threat to businesses across all sectors, including law firms. Their rise can be attributed both to the increased profitability of cybercrime for perpetrators and to advances in attack methods. Holding a wealth of sensitive client information, law firms are at significant risk, making it imperative that they adopt robust cybersecurity measures.
Why has cybercrime become more prevalent?
The increase in cybercrime is primarily due to its lucrative returns and its lower risk compared with more ‘traditional’ criminal activities. Ransomware attacks, in which malicious software infects a device or network and restricts access to the organisation’s data and systems, are a significant threat. Alan Woodward, a cybersecurity expert and professor at the University of Surrey, says: “Some cybercriminals have made hundreds of millions from ransomware attacks, and it’s lower risk because they’re typically doing it from another jurisdiction.” This low-risk, high-reward scenario has fuelled online criminal activity, further facilitated by the advent of Crime as a Service (CaaS), a model in which cybercriminals provide hacking and cybercrime services to other individuals or groups, typically for financial gain. Much like Software as a Service (SaaS), it enables criminals to launch sophisticated attacks by renting the necessary software and infrastructure rather than building their own.
Using cryptocurrencies has also made tracing and prosecuting cybercriminals more challenging. Woodward explains: “New forms of cryptocurrency are untraceable — Monero was designed to be truly anonymous.” This anonymity helps to shield criminals, making it difficult for law enforcement to track and dismantle their networks.
Legal IT Insider reported that the international law firms Allen & Overy and CMS suffered cyberattacks in 2023 at the hands of LockBit. This prolific cybercriminal group operated a Ransomware as a Service (RaaS) model. In early 2024, law enforcement agencies led by the UK’s National Crime Agency announced the dismantling of LockBit, but a week later it was reported that the group had resurfaced.
Law firms are prime targets for ransomware
Law firms are high-value targets for cybercriminals due to the sensitive and confidential information they hold. A successful attack can cripple operations, potentially leading organisations to meet the criminals’ demands.
Woodward further explains that the modus operandi of these attacks has evolved. Initially, ransomware merely encrypted data, but now attackers also steal it, threatening to leak sensitive information unless a ransom is paid. This increases the pressure on firms to comply, fearing significant damage to their reputation.
He cautions against paying the ransom, however, because you might be targeted again. “You put a target on your back — lists of people who pay up are circulated on the dark web, so another set of criminals will suddenly turn up at your door.”
Dr Heather Anson, a multi-jurisdictional law consultant at Digital Law and a specialist in online data and cyber law, says that cybercriminals assume firms are more likely to pay a ransom and that, when they do so, they engage in a vicious cycle: “This cycle not only fuels the ransomware economy but also emboldens attackers.” She too advises law firms to reject ransom payments.
When hit by a cyberattack, firms often feel embarrassed because they believe they have done something wrong, says Anson. However, given the exponential increase in cyberattacks, the Solicitors Regulation Authority (SRA) warns firms to prepare for ‘when, not if’ they experience one.
Strategies for protection and response
1. Partnering with a managed service provider (MSP)
For many SME law firms, outsourcing IT functions to an MSP is necessary to gain access to expertise that isn’t available in-house. However, Woodward cautions that the firm always remains responsible for ensuring its data is secure, even when third parties are involved. Due diligence is vital when selecting an MSP. You should ensure your MSP conducts regular penetration testing, has an incident response plan, and is prepared to recover data and services promptly during an attack. He also recommends regularly auditing a third-party provider’s security practices.
Anson emphasises that the critical mistake many firms make is not thoroughly vetting their MSP contracts, especially the liability clauses, which could disadvantage them financially in the event of a cyberattack on the MSP.
She points out that many in the legal sector believe that only a few MSPs can effectively serve law firms. However, she recommends considering local or smaller MSPs, even those that do not focus solely on the sector.
Woodward says supply chain attacks are also becoming more common. In these, criminals exploit vulnerabilities in third-party services or software providers to attack organisations indirectly, so an MSP’s own security weaknesses become the firm’s risk.
2. Pay attention to updates
Woodward also urges firms to update their software regularly so that the latest patches are applied and systems are protected against known vulnerabilities. He advises having any MSP partner check updates beforehand to mitigate the risk of downloading malware disguised as an update.
3. Ensure your network is designed effectively
“Many networks are not designed — they’ve grown organically over the years. As firms got bigger, they’ve bolted different bits on,” adds Woodward. He advises firms to have MSPs examine their network architecture to ensure “defence in depth”. He explains that this involves creating partitions within a network to contain breaches, similar to having ‘walls within walls’ in a castle, protecting your ‘crown jewels’ in the innermost keep.
4. Back up your systems
Make sure you have backups on a system that is separate from your primary system, says Anson, so that an attack on the primary system cannot also reach the backups. She also stresses the necessity of regularly testing that these backups can actually be restored.
The high returns and low risk that cybercriminals increasingly enjoy have resulted in a surge in attacks, with law firms particularly vulnerable because of the sensitive information they process. To reduce the firm’s risk, it is critical to have suitable measures in place and to conduct due diligence when working with an MSP.