Guest post: Ensuring cyber resilience in the legal sector post-Lockbit

By Steve Whiter, director of Appurity

The recent collaborative disruption of the Lockbit ransomware group by international law enforcement agencies has offered a momentary sigh of relief to cybersecurity professionals worldwide.

But while this victory is significant, the reality is that ransomware is an ever-present danger, and the expectation is that adversaries like Lockbit will reemerge, potentially more sophisticated and elusive than ever. Sensitive data, client confidentiality, and the integrity of legal processes make the legal sector a lucrative target for cybercriminals – and there’s been a noted increase in cyber attacks targeting UK law firms recently.

So, how can firms maintain their cyber resilience post-Lockbit? Let’s start by asking questions about the efficacy of your firm’s security controls and preparedness against ransomware attacks.

Testing, testing, testing

Testing, specifically continuous and automated testing that simulates real-world ransomware attacks, is foundational to understanding and strengthening a firm’s cybersecurity posture. Traditional security testing measures – like manual penetration testing – while useful, are no longer sufficient in isolation. The dynamic nature of cyber threats requires firms to test, identify, and remediate vulnerabilities in a cycle of continuous improvement.

Automated security validation: a closer look

Automated Security Validation (ASV) is central to this testing strategy. With the right ASV solution, firms are provided with detailed assessments of vulnerabilities and the potential damage they could cause, to aid in understanding the full scope of an attack’s impact. This method goes beyond surface-level analysis, delving into the ‘blast radius’ of an attack to identify which assets would be most at risk and providing a clear roadmap for remediation.

By running real-world ransomware attacks in their production environments, firms are given an unobscured view of their attack surface and their security controls’ effectiveness against actual threats. This level of insight is invaluable, equipping firms with the knowledge needed to make informed decisions about strengthening their cyber defences.

Password and credential protection

Often, vulnerabilities lurk in seemingly simple things, like passwords. To start, firms must prioritise a stringent enterprise credentials policy. But of course, just putting a policy in place does not guarantee that it’ll be adhered to. You need to ensure that your enterprise credentials policy is configured properly, be able to detect insecure password transmissions, and consistently identify compromised credentials to preempt attacks. By doing this, firms are effectively eliminating blind spots – those areas which attackers are more likely to exploit – and ensuring that their users are actually complying with the firm’s credentials policy.

This has compliance implications, too. With stronger compliance policies that are universally adhered to, and continuously put to the test, firms are effectively minimising their attack surface, reducing the risk of data leaks or compromise.

A smarter approach to vulnerability management

Addressing every vulnerability isn’t just resource-intensive – it’s impractical. Instead, firms can validate their security control efficacy and enterprise readiness against the MITRE ATT&CK framework, a structured guide to understanding and countering adversarial tactics, by using the same tactics and techniques that bad actors do. By learning from these real-world attacks, firms can prioritise their defensive strategies, focusing on the most urgent vulnerabilities for optimal resource allocation and maximum protection.

Emulating real-world attacks in this way will also highlight the effectiveness of your security controls. Do they have the required capabilities to protect your critical data from real-world threats? Could you free up resources by investing and focusing solely on the controls that provide your required level of protection?

Embracing proactivity

The legal sector’s unique position – handling communications and transactions of great sensitivity and value – requires firms to meet stringent compliance and regulatory standards and take a proactive stance to data protection and cybersecurity. This means adopting a comprehensive approach to security that integrates continuous testing, vulnerability management, and the simulation of real-world attacks to evaluate the efficacy of security controls.

The legal sector’s fight against cyber threats – including ransomware – is far from over. Continuous, automated testing and a proactive, comprehensive approach to cybersecurity are non-negotiable in today’s threat landscape.

The question for every firm now is not if they will face threats, but when – and how well-prepared they will be to respond. In this new era of cyber resilience, our defences must be as dynamic and determined as the adversaries we face.

Steve Whiter is a director of Appurity, specialists in business mobility, with extensive experience of secure mobile communications for the legal profession.
