Ransomware - The Hidden Threat To Your Law Firm

By Andrey Sherman|06 February 2018

In Hollywood, central casting does a great job of selecting actors to portray villains.

You know the type: dark, shadowy, unshaven; surrounded by henchmen and armed with a devious plot to inflict physical, emotional or financial harm on some unwilling protagonist.

In establishing these villains, directors do a great job of telling us why the “bad guys” do what they do; what motivates them; and, ultimately, how good will triumph over evil.

Unfortunately, a new type of villain is running rampant in our midst, wreaking havoc on law firms, corporations and other businesses reliant on the use – and protection – of sensitive data.

Unseen by human eyes, ransomware thieves, armed with rogue computer code and an Internet connection, are holding data hostage, costing businesses worldwide billions in ransom payments, downtime and lost productivity. And this figure is likely understated, as many companies try to avoid reporting the breach.

For example, when a company suffers a cyber breach, it faces not only a large ransom and systems-repair cost, but also a potentially large reputational hit to the firm’s future business prospects that cannot easily be computed. A recent report about car sharing giant Uber illustrated just such a risk. Uber became a victim of a ransomware attack back in 2016, paid a hefty ransom to keep the incident in the shadows, and then received a black eye and regulatory scrutiny when the incident finally came to light.

It is not enough for a law firm to be aware of, or to acknowledge, a potential issue. Global law firm DLA Piper published a whitepaper in June 2017 warning about the rise in ransomware attacks and outlining some broad protective measures; three weeks later, the firm itself became the victim of a ransomware attack which disabled hundreds of thousands of computers worldwide.

In this first part of a multi-part series on emerging cyber-risks and opportunities for law firms, we’re going to take a look at both the obvious threats associated with ransomware (similar to those that most enterprises are grappling with) and the hidden threats that might be unique to your profession. Let’s dive deeper:

Understanding the Obvious: First Steps to Take

At a very top level, it’s critically important that enterprises invest in the most current protection program possible. Commercial, off-the-shelf cybersecurity suites represent a good start; they typically have some built-in protection for malware and viruses. But without seamless integration into an overall security protocol, and smart behaviour by every employee who touches a company device, you’re still vulnerable to attack.

Going beyond off-the-shelf software alone with a good, custom-built security protocol can have myriad benefits for your business, including:

1. Having a qualified independent expert review and audit all your current security practices to find any weaknesses in your existing protocols;
2. Ensuring that partners, associates and other team members are engaging in best practices when handling sensitive client data, including:
  • Automatic daily monitoring of online activity
  • Using centralized storage for all data, including taking shadow copies at regular intervals
  • Implementing updates to operating systems and browsers as soon as they are available
3. Examining device-specific policies when it comes to communication and security;
4. Uncovering whether staffers are using non-compliant or unsecured/unsanctioned software, SaaS or cloud services (e.g., Dropbox, iCloud, Google Drive) through which malware or viruses can enter your firm undetected;
5. Encouraging employees to be proactive in the fight against malware, including:
  • Reporting back to you when suspicious emails are detected
  • Avoiding the use of public Wi-Fi connections
  • Only accessing the data they need to complete their job
6. Ensuring the protection of your network, applications, gateways and other assets.

In many cases, all it has taken is the opening of something as innocuous as a Yahoo email on a networked computer to unleash the ransomware code into the corporate ecosystem. One of the simplest and most effective next steps is to have a stated policy on which services, systems and websites your employees may use while working or while using office equipment.

Sadly, one in three companies has no written IT security policies or protocols, meaning an attack isn’t just a possibility, but a likelihood.

…and the Not-So-Obvious

We get it: your business relies on the free flow of shared information between your firm and your clients and vendors. Millions of bits of data stream between you and your clients’ servers each year, transported via email or cloud services and captured in products like AbacusLaw, Zola, Clio, PracticePanther, or even via broadly available general-market services like Dropbox or OneDrive.

However, each exchange of information between firm and client carries an uncomfortable truth: a law firm, particularly one with a high profile or a list of high-profile clients, is generally a much easier target for hackers who are all too eager to get their hands on that precious information, or who want a secret backdoor into a large corporation through a trusted service provider. That is because most law firms rarely have the same high-level security protocols and dedicated IT staff as their large and sophisticated corporate clients. And that same vulnerability can also create potential liabilities for the firm that initially allowed the intrusion.

It’s the kind of reality that keeps corporate IT pros up at night. A recent survey of IT decision makers found that data security is the overwhelming top concern for two out of three of them, yet a similar number of respondents to the same survey lamented a lack of preparedness against external threats.

Indeed, ransomware is a significant risk to any law firm because it can also negatively impact the firm’s relationship with the courts. It would take just one ill-timed ransomware hit to cause a firm to miss important case milestones, such as filing deadlines, costing the firm far more than the Bitcoins demanded by the cyber-kidnapper or, more to the point, far more than a solid cybersecurity protocol that would have prevented the breach in the first place.

As such, we also recommend that every firm take the time to get an independent security and systems audit to understand its total cybersecurity picture. It is important to look at how data is transmitted, shared and stored between your firm and your clients’ sites. If potential threats are detected, it’s not beyond the pale to insist upon stronger protocols to ensure protection for both firm and client.

In our next blog, we’ll dive deeper into law firm cybersecurity – looking at three steps you can undertake right now to assess your firm’s current level of protection against ransomware and other economic cyberattacks.

In the meantime, if you have any questions about your firm’s cybersecurity profile, please feel free to contact us.