Augury IT

Law Firms: An Irresistible Target of Cyber Attacks

80 percent of the largest law firms in the United States have experienced a malicious breach.

With cyber attacks increasing, law firms are perhaps the largest target of cyber attacks in 2018. The pressure is on for these firms to properly safeguard their information, and covet the attorney-client privilege. As so many businesses close their doors due to the proliferation of malware and data breaches, businesses are starting to realize the importance of proactive cyber defenses. There is an immediate concern for organizations of all sizes, across all industries, but law firms have found themselves to be particularly susceptible.

59 percent of all email directed at law firms was classified as phishing or spam messages resulting in credential theft, ransomware, or “CEO fraud.”

According to a CNA Professional Counsel bulletin, roughly 80 percent of the largest firms in the United States have experienced a malicious breach. Chew on that for a moment – not only were they targeted, but 4 out of 5 were successfully breached!? Even laymen understand that horrendous statistic. Just in 2016, one security consultancy found that over 10,000 network intrusion attempts were detected per day between a mere 200 law firms. The same study found that 59 percent of all email directed at these law firms was classified as phishing or spam messages resulting in credential theft, ransomware, or “CEO fraud.”

Corporate clients are beginning to take a more active approach in whom they conduct business with. They want to feel reassured that these law firms are hardened to these kinds of attacks. As such, IT security and data management audits are increasingly being treated as prerequisites to doing business.

48% of law firms had their data security practices audited by at least one corporate client in the past year.

"These corporate audits will continue to increase in volume and complexity, leaving law firms with no choice but to comply or lose business. This bares a stark resemblance to the way law firms begrudgingly complied with the corporate demand for alternative fee arrangements, which are now the industry norm."

Firms of all sizes are experiencing more cyber attacks and the costs associated with those attacks are rising. Furthermore, law firms are attacked from many angles and with many different types of attacks. In a study Augury IT conducted in 2016, each US-based public IP address is hit with a rogue request or intrusion attempt every 2.4 seconds. That amounts to over 13 million per year. And these are nondiscriminatory attacks that everyone gets hit with. Add to this the directed attacks on Law Firms and the picture becomes clearer – negligence is malpractice.

Why are law firms targeted?

The three primary reasons may seem obvious but the details could surprise you:

They house valuable, confidential data: The vast majority of cyber attacks are conducted for financial gain, whether that's achieved by extorting payment via ransomware, or by accessing private data and selling it on the black market. Law firms are ripe with valuable data in the form of trade secrets, intellectual property, and information regarding prospective business deals. In one 2016 incident, attackers hit several well-known M&A firms with more than 100,000 attacks over just three months, earning more than $4 million by selling the stolen information.
They have money: While ransomware has popularized digital extortion by locking down victim files and holding access to them ransom, there are still plenty of cybercriminals who treat attacks more like traditional heists by going straight for the cash. Exhibit A: A firm in Toronto saw a six-figure sum stolen from its trust account when a Trojan swiped the firm’s banking passwords. Exhibit B: Last August, a firm that had just settled a wage-and-hour class action case was duped into sending the half-a-million-dollar settlement to a scammer by way of a phishing email disguised to look like it was coming from the case administrator.
They are ill-equipped: Despite the growing threat, the vast majority of firms lack the proper policies, procedures, and precautions to constitute a proper defense. 62% of law firms with over 10 attorneys have no cyber security defenses whatsoever. Less than a third have any kind of formal cyber security training programs, and only 41% have formally documented cyber security policies. Adherence to these policies is another statistic, entirely.

It’s not just the big firms

A tipster sends along this photo taken outside DLA Piper's D.C. office around 10am. #Petya — Eric Geller (@ericgeller) June 27, 2017

The NotPetya attack on global firm DLA Piper made headlines around the world last summer when it crippled the firm’s Washington, DC office and put roughly 3,600 attorneys and support staff across 40 countries on lock-down. The incident and related recovery efforts lasted several weeks, during which time telephone service, email, and other vital systems were all affected. In total, it was estimated the attack cost the firm many millions in downtime, lost business, and bad publicity.

While the headlines tend to focus on attacks on big firms, that's not to say attacks on smaller firms are not — only that they're going underreported. Last year's attack on Moses Afonso Ryan, a 10-attorney firm in Rhode Island, is a good example that helped shed light on the amount of damage and disruption malware can trigger inside small practices. It, too, garnered news coverage, but only after the firm sued its insurance company for failure to pay its claim for lost business.

Hit with ransomware, the firm had trouble acquiring the required cryptocurrency to pay the ransom. Even when they finally paid the $25,000 bounty, it was after the deadline imposed by the attackers, and their files remained encrypted. The incident left all 10 attorneys at the firm unable to bill for a single hour for three months, resulting in $700,000 in lost business.

PS: Paying the bounty should never be an option. Because then, you bankroll the attacker's operation for several months, and they still own your network and sell your data (including credentials/passwords) on the black market.

The cost of malware is mounting for law firms

A recent study from the Ponemon Institute estimates the average cost of a successful malware attack has reached $5 million. But the reality is, most law firms have no idea what such an event might cost. Nearly three-fourths of firms have not assessed the potential cost of an internal data breach and 62% have not even estimated lost revenue.

Ponemon Institute has also pegged the cost of a breach at $141 per record. With California’s recent Consumer Privacy Act, the penalties, alone, could amount to up to $750 per record. Considering that even a small firm might have thousands of data records, it’s easy to see how the cost can escalate quickly. That's not to mention the fact that downtime caused by malware incidents equates directly to lost productivity and revenue.

Every minute spent unable to access critical records is time law firms cannot bill for. Downtime from malware equates directly to lost money.

In addition, reputation damage can be substantial. Just ask the Panamanian firm Mossack Fonseca, whose involvement in the now-famous Panama Papers leak “resulted in unwelcome publicity to the firm and its international clients, whom the Panamanian lawyers had apparently helped set up offshore entities to evade their respective countries’ income taxes on eye-popping wealth,” according to a Law.com report.

However, firms don’t even need to experience a breach to suffer damages. A class action suit against the Chicago firm Johnson & Bell alleges that the firm committed malpractice by failing to maintain adequate cybersecurity standards. According to the federal complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorney’s fees without providing industry standard protection for client confidentiality.” The suit alleges class representatives were damaged by the risk that their information could be compromised, pointing out that no information was actually compromised.

5 things law firms can do now to improve their cybersecurity

With mounting evidence pointing toward the growing risk, it's imperative for law firms to move quickly to step up their defenses. "Law firms can only expect to be held to an increasingly higher standard of data security if they want to continue to do business with their existing, as well as prospective, corporate clients in the future."

The good news is there are several clear, practical steps firms can take that can yield immediate results:

Explore multi-faceted defenses: In the majority of successful attacks, AV and other protections were in place, yet they failed to stop malware. This is because of the ways attackers are packaging, delivering, and deploying malware. Their approach has evolved to evade most personal-grade AV detection. To keep up, law firms need to investigate using multi-faceted defenses. Implementing synergistic defenses can harden your attack surface from most attack vectors, and do so redundantly. A brief example of such redundancies would be: (this is, by no means, a conclusive list, and each requires specific expertise to implement effectively)
Advanced Email Security – Scrubs emails for spam, malicious content, attachments, and links
Content Filter – Blocks internal devices from visiting potentially harmful sites and files
Deep Packet Inspection – This is a fancy term for “analyzing the contents of data transmission,” which includes scanning encrypted data. Unless configured properly, content filtration only scans unencrypted sites (think http only, and does not scan any https) – this is important since hackers seek to compromise secure https sites as a platform to launch attacks from a secure foundation, thus improving their bounty.
Gateway AV – Blocks malware at the perimeter, before it gets into your network
Endpoint Protection – Endpoint protection (Anti-Virus) should be the absolute last resort to your security landscape, not your one-and-only. Further, it should be configured by seasoned cyber security experts, as this is not a one-and-done installation.
De-Escalation of Privilege – Not providing your users with Administrator access to their local machines may require more administrative effort, but this is exactly what your IT department is for. This also forbids users from inadvertently running any malicious code that may impact any system files.
Revocation of USB Access – We have all heard the stories of banks being hacked by hackers leaving USB keys around the bank’s entrance, “banking” on the fact that an employee would eventually pick one up and plug it in. These stories are old but this attack vector remains unhardened in most infrastructures.

Anyone reading this article should recognize some of the defenses above. But while any one of them is certainly not enough to consider yourself secure, when they are compounded and synergies are formed, providing redundancy to your security landscape, it becomes clear to see how we can begin mitigating large portions of an overall attack surface.

Establish formal policies: Cybersecurity policies, incident response plans, and disaster recovery procedures can expedite your recovery in the case of an event. Establishing these policies is critical for creating a foundation which you can build on through execution, training, auditing and more.

Make cybersecurity training mandatory for employees: Fewer than a third of firms have mandatory training for employees. This is low-hanging fruit. Your employees are a crucial line of defense against the most successful directed attack vectors – Social Engineering / Spear Phishing. There is no reason not to train your teams to work smarter and be on the lookout for scammers.

Conduct port scans to see what is exposed: Email may be the most common way attackers get malware onto victim systems, but there's another well-worn path that arguably provides attackers with even easier access — scanning the Internet for systems with open ports that are exposing Remote Desktop Protocol (RDP), virtual network computing (VNC), or other remote administration services, and hijacking those services to get access to victim servers. IT teams should use scanning tools like Nmap, masscan, and Shodan to see if their networks have any of these services exposed. Attackers are already doing so, so it's well worth taking a few minutes to see your network through their eyes.

Tap into available resources: The American Bar Association offers a comprehensive cybersecurity guide for law firms, which includes both prevention and response tactics.