Global cybersecurity posture of legal sector threatened

June 14, 2022
Legal practices hold a wealth of data that can be exfiltrated.

Out of 40 practices investigated, ‘'5% reported having been the victims of a cyber-attack and for ‘23 of those that were directly targeted, over £4m (over 4.5 million USD) of client money was stolen’. What makes this worse is that ‘Half of the firms were found to have allowed unrestricted use of external data storage media'’  reports the Solicitors Regulation Authority (SRA) Report.

Legal practices are built on their reputation and the relationships that exist between the company and its customers. According to Brian Inkster, founder of Inksters Solicitors, ‘In many ways, your reputation is your brand. It attracts people to the firm. From then on, every time you interact with a client, by living up to your 'brand values' you can confirm what they think and strengthen [or weaken] your reputation.’ (As stated in an article from Law Firm Ambition)

It is the reputation and the relationships that a legal practice depends on, that are frequently exploited. Compared to other industries, those within the legal sector have an elevated risk of cyber threats, primarily due to the confidential data and sensitive client information available if a breach is successful. And, because offices are filled with lawyers, and not IT teams, security is not often at the top of the priority list.

We only need to look back on one of the most significant ransomware attacks of 2017, where DLA Piper, known across the globe as one of the largest law practices, was hit by a ransomware attack costing them millions in the form of indirect/direct costs and downtime. According to TitanFile, the hacking tool known as EternalBlue, used to conduct that attack, ‘was rumored to be stolen from the NSA, and other methods to increase its reach and cause its damage.’

Piper was not the only company caught up in the attack. A wave of incidents against the Legal sector soon hit, and since 2017 threats have only evolved and become more sophisticated. This just emphasizes the need for proactive, rather than reactive, threat hunting. To spot and stop threats, before it is too late.

Who/What is Targeting the Legal Sector?

The Legal Services Global Market Report states that the industry is expected to ‘grow from $713.12 billion in 2021 to $788.94 billion in 2022 at a compound annual rate (CAGR) of 10.6%’. That said, it goes without question that the payoff of a successful attack is substantial. Financial gain is at the heart of most attacks directed within the industry, with infiltration made via supply chain attacks and ransomware/phishing attacks.

'‘Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organizations through a single point-of-attack,’' says Eva Velasquez, CEO, of Identity Theft Resource Center (ITRC).

Ransomware Attacks

Legal practices hold a wealth of data that can be exfiltrated. Lawyers can’t afford to lose a single note on a case, so if data is stolen, they are more likely to pay the ransom or meet the demands of the threat group/attacker, as they have a lot to risk if the data is leaked.

Campbell Conroy & O’Neil P.C is just one example of the many legal practices hit by a ransomware attack in 2021. Following the breach, the company was unable to access files that were critical to their clients and contained personal information. In response to the breach, the legal practice issued this announcement regarding the information, which confirmed the gravity of the situation and the lack of knowledge surrounding the amount of information lost. 

'‘We cannot confirm if the unauthorized actor accessed or viewed any specific information relating to individuals. However, we determined that the information present in the system included certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e., usernames and passwords),'’ states Campbell Lawyers

What Companies Can do to Stop Ransomware Attacks

In a recent white paper on Ransomware Threat Landscape, it was highlighted that ‘new ransomware strains are emerging to leverage fileless malware and data exfiltration tactics, while opportunistic attackers are using any change in circumstances to launch more effective campaigns.’

The Challenge – Conventional security tools, which detect only known cyber-threats using rules and signatures, are blind to evolving strains of ransomware for which such signatures do not exist. Security teams cannot keep up with these threats using traditional controls alone, especially when they are understaffed or out-of-office.

The Solution – Businesses must employ security technology that can stop ransomware as it emerges before it can do any damage.

For more on this, download the white paper here.

Phishing Attacks on the Rise

Ransomware attacks often begin in the form of a clever phishing attack campaign.

Phishing attacks are directed at the Legal sector often in the form of corrupt emails, containing malicious links. Email addresses and domain names can be easily spoofed, which is why you need to be vigilant when reading, opening, and responding to messages.

  • Do not open attachments from an untrusted/unknown sender.
  • Check for typos as these are a good indicator of an ingenuine email.
  • Do not share sensitive information hastily, be sure you are sending to who you think you are sending to.
  • Don’t fall for URGENCY, especially when it comes from out of the blue.
  • Don’t open links if you are not certain of what they are or who the sender is.
  • If you think the email/link may be real, hover over attachments to check for an actual link, before you click on it or download anything.
  • If messages sound too good to be true, chances are they are malicious and just trying to entice you.
  • Keep your devices up to date.
  • Regularly check your accounts.
  • Finally, when in doubt, message your security team/manager instantly if you suspect anything out of the norm.

Supply Chain Compromise and Third-Party Threats

A law firm's supply chain can be compromised in various ways, for example, through the exploitation of third-party data stores, case management systems, or legal software providers. 

'‘Supply chain attacks rose by 42% in the first quarter of 2021 in the U.S.,'’ according to the Chartered Institute of procurement and supply (CIPS).

Two Types of Insider Threats- Are you One of Them? 

Internal Threats can come in two forms.

One, via a trusted employee who unintentionally breaches data. This is often down to a lack of education/training internally and the user is unaware that their actions are causing the business harm.

Two, via a trusted employee/ex-employee who purposefully leaks information for their own gain. That gain could be in the form of payment from a threat group, that might have coerced the individual. Or the attack may be down to a personal grudge against the organization/individual within the company.

Recommendations to Legal Sector to Enhance Security

Ensure that Cyber Essentials are there, that benefit and work with your business.

With Extended Detection & Response (XDR) you can choose the package that works best for you and the types/amount of data you hold.

Once you have this in place, User Behavior Analysis (UBA) is useful to categorize patterns of user behavior, so that you can understand what constitutes normal behavior, and detect abnormal activity. That way, if an unusual action is made on a device or on a given network, such as an employee login late at night, inconsistent remote access, or an unusually high number of downloads, the action and user is given a risk score based on their activity, patterns, and time. That way anything unusual can be identified before the malicious activity is made.

Having conducted incident response investigations across a wide range of industries, and with clients across the globe within the legal sector, SecurityHQ are best placed to work with legal firms, both large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on how to improve your security, or if you have a question about a service, speak to an expert here.

About SecurityHQ

SecurityHQ is a Global MSSP, that detects, and responds to threats, instantly. As your security partner, we alert and act on threats for you. Gain access to an army of analysts that work with you, as an extension of your team, 24/7, 365 days a year. Receive tailored advice and full visibility to ensure peace of mind, with our Global Security Operation Centres. Utilize our award-winning security solutions, knowledge, people, and process capabilities, to accelerate business and reduce risk and overall security costs.

About the author:Eleanor Barlow is the Content Manager for SecurityHQ. Based in London, Eleanor is an experienced named author and ghostwriter, who specializes in researching and reporting on the latest in cyber security intelligence, developing trends and security insights.

As a skilled Content Manager, she is responsible for SecurityHQ’s content strategy. This includes generating and coordinating content for the latest articles, press releases, whitepapers, case studies, website copy, social accounts, newsletters, threat intelligence and more. Eleanor holds a first-class degree in English Literature and an MA from the University of Bristol. She has strong experience writing in B2B environments, as well as for wider technology-based research projects.

(Image courtesy Anastasia Samal/bigstockphoto.com)
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss.
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss.
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss.
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss.
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss.
Courtesy of Getty Images -- Credit: thomaguery
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices during the COVID crisis.
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices during the COVID crisis.
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices during the COVID crisis.
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices during the COVID crisis.
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices during the COVID crisis.