Defending the legal sector from cyber crime in 2020
In opinion / By Mark Lee / 07 October 2020
There are few companies which hold quite so much sensitive and highly monetisable data as those working in the legal industry. Many may have ticked what they think are the right boxes in terms of security, however, the rate at which cyber threats are advancing requires firms to ensure their security measures can keep pace.
Sophisticated targeted attacks combine social engineering with advanced malware to outwit most traditional defences. To respond you need improved staff awareness of the threats and behaviour-based tools and intrusion defences to stop both known and unknown threats.
It is estimated that by 2021 the global cost of cyber security related issues could be £6 trillion per year. More pertinently, the Briefing Frontiers 2020: Legal IT Landscapes research highlights, 87% of law firms have seen an increase in the number of clients performing security audits on them and 62% rated their cyber threat as 70 or above. Cyber security is something firms need to take more seriously than ever before.
Here at Nasstar, we have analysed the cyber posture of the top 250 law firms in the UK and the results are alarming. In this report, we raise awareness of the most common security issues faced by law firms and provide insight into how to prevent a cyber attack. Act now, don’t be the next victim of cybercrime.
Results at a glance
Of the 250 firms we analysed, we found the following results:
- 26% of firms had issues with network security
- 17% had poor DNS Health
- 14% had no or infrequent patching procedures in place
- 9% had little to no application security
- 7% needed to increase endpoint security
Unsurprisingly, our analysis also echoes PwC’s 2019 Annual Law Firm Survey, which reports that every respondent to the survey working within a Top 100 law firm had suffered a security incident in the last year.
What does this mean for law firms?
Surprisingly and contrary to our own analysis, PwC’s research reported very few “significant attempts to break into the firm’s network” in firms outside of the Top 10. However, whilst the Top 10 firms are more likely to be targeted, PwC helps to explain the contradiction by suggesting that smaller firms may be failing to detect compromises and are therefore unable to report such an incident. But we can say with absolute certainty that every firm in the land is being subjected to daily threats and attempted attacks.
A negative score in a law firm’s network security means that it may be vulnerable to hackers. Once in, ransomware will work its way through your networked systems, encrypting data as it goes and the only way to regain access to your corporate data could be paying a ransom.
By using log inspection or file monitoring tools to continuously monitor your network, you can be alerted to an activity which could indicate a targeted attack before it goes too far.
The Domain Name System (DNS) is essentially the phonebook of the internet. We access information online via domain names; however, web browsers use IP addresses. DNS translates domain names to IP addresses so browsers can load internet resources.
DNS health is often taken for granted within a firm; however, any severe DNS issues can bring an entire business down. In today’s 24/7 world, this can result in a significant loss of revenue for a law firm, not to mention reputational damage.
DNS monitoring services can help you to identify things like a Distributed Denial of Service (DDoS) attack which are designed to overwhelm your computer systems with traffic, effectively forcing your business offline. The only way to prevent an attack from occurring is to monitor your DNS 24/7 to identify and block malicious requests.
According to Infoblox-Forrester Consulting’s study, 56% of c-level respondents are looking to improve security ROI, DNS monitoring can help by providing a single pane of visibility into threats across the network. The study also found that most companies are under-using their DNS investments, which is also echoed in our analysis.
Patching cadence and management
A patch is a software update comprised of code typically inserted (or patched) into an existing software program. Patches are often temporary fixes between full releases of a software package, designed to fix a bug, address new security vulnerabilities, address software stability issues, or upgrade the software to the latest version.
Law firms avoid patching for various reasons. For some, it is deemed to be an unnecessary task, others are short of time, and some fear that patches may cause issues. However, patching is a crucial component of any organisation’s security defence. Failing to implement patches in a timely and controlled manner leaves firms wide open to attack and exploitation from hackers and other malicious groups.
The importance of patch management is made clearer in the recent Laserforms Hub data breach as reported in the Financial Times. Staff and client data belonging to 193 law firms, including several large City firms, were compromised by a breach involving the third-party legal technology software provider. Laserforms have since reported that they had “discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue.”
The breach involved data submitted by law firms to the Laserforms Hub, which allows firms to digitally complete and submit legal forms to Companies House, HMRC and the Land Registry. The compromised data related to around 10,000 commercial property transactions.
The data was held on an open database which appeared to have been exposed for an extended period, during which time it would have been accessible to anyone with a browser and internet connection. Data was compromised for all the 193 firms affected, including usernames and hashed passwords. For some firms concerned, the database also contained potentially sensitive authentication information such as place of birth, eye colour, passport numbers, national insurance numbers and more.
Running a ‘historic’ platform within an environment weakens a firm’s security position as legacy platforms are often ‘end of life’ which means they are no longer supported by the provider and more importantly, the provider is no longer creating patches to keep the platform secure.
This event highlights how firms can be exposed not only by their own internal systems but by the vulnerabilities of providers within their supply chain. The risks inherent in managing multiple systems, some of which may be forgotten legacy systems, cannot be underestimated.
According to PwC’s Law Firms’ Survey 2019, all firms identified “improving use of technology” and “standardising and centralising business processes” as priorities over the coming year. Re-engineering business processes and rationalising IT applications are key enablers to improving cyber security. Stripping out complexity not only strips out the cost, but it can also improve security as firms have fewer, less complex systems which are easier to maintain and keep secure.
Most successful breaches target exploitable vulnerabilities residing in the application layer, therefore a lack of application security as highlighted in our analysis is a concern. In conjunction, the number and complexity of applications used is growing exponentially and becoming harder to keep under regular review.
The application supply chain, particularly in law firms is extremely complicated when taking into consideration outsourced development, the number of legacy applications often still in use, coupled with in-house development and off-the-shelf software options.
All applications within a law firm’s environment, including legacy applications, should be monitored for security considerations, and updated as needed. An application which might have been secure when first put live left untouched over time can become a ticking time bomb for a breach.
End point security
Many law firms have made the fast transition to remote working, with many predicting that their teams will continue to work from home for the foreseeable future. However, with the number of cyber attacks on the rise, law firms could find themselves vulnerable to hackers who are exploiting new gaps in security defences. Firms must now look beyond the perimeter of ‘traditional IT’ and focus on enabling secure and reliable remote working solutions for their staff.
Whilst we all have a password on our laptop and mobile devices, it will not protect your data if someone accesses your password. Enabling encryption on your mobile devices is an effective way of enhancing end point security. No matter how strong your password is, it can still be hacked. Adding multi-factor authentication (MFA) provides a further layer to your end point security.
The cost to your firm of doing nothing
Loss of data
It is estimated that by 2021 the global cost of cyber security related issues could be £6 trillion per year. In the legal industry, this could amount to a significant financial loss. Even a series of short downtimes or partial loss of data added up over the course of the year will have a cumulative impact on how much a lawyer can bill. For example, if a firm has 50 employees who bill at £200 per hour and they each lose one hour of billing time per month, that’s £120,000 a year loss.
Loss of reputation
The reputational implications of a security incident are a lot harder to quantify - and recover from - than the monetary costs. Word travels fast and reputation is everything, with many firms relying on referrals from happy clients to generate new business. When it comes to assessing the impact, a breach may have on your reputation, management and recovery are key. If identified quickly and dealt with efficiently, the reputational damage associated with a breach can be lessened, however, time is of the essence. In the event of a breach, you need a security incident response team (SIRT) that you trust to manage the incident from detection through to recovery and ICO reporting. It is worthwhile researching SIRT services in advance, to ensure that in the event of a security incident, you have an appropriate plan in place.
Data held to ransom
Law firms can be a goldmine for hackers. If a firm’s sensitive client data is exposed through human error or a gap in its security perimeter, then this data could end up for sale on the dark web. We all know that ransomware attacks are becoming more sophisticated and commonplace but the impact on companies affected by these types of security breaches often extends beyond the ransom they may be forced to pay.
The loss of sensitive data can lead to regulatory fines, customer churn stemming from a loss of confidence in the firm, falling share price, costs related to the investigation, remediation and clean-up of the original security incident and possible legal costs if an aggrieved customer decides to take litigation action.
What can you do now?
Cyber crime tools and techniques are evolving at such a pace that no firm can claim to be 100% protected. However, 80% of cyber attacks can be prevented with the right processes and tools in place. Whether you are managing your cyber security inhouse, or outsourcing to an external provider, the key is efficient management, monitoring and detection plus a pre-considered response plan if the worst should happen.
Nasstar is a leading provider of managed IT services and part of the GCI Group, who was recently awarded ‘Best Managed Security Service’ in the highly-prestigious SC Awards Europe. When it comes to security, we really know our stuff.
As a business, we’ve got one of the most technically advanced portfolios of security software and services available. We are also rated as suitable for Government based security requirements by an external PEN test firm and provide SIRT services 24/7.