It’s 10:35 a.m. on a chaotic Monday: you’re putting the finishing touches on a motion for summary judgment in one case before submitting your pretrial disclosures for an 11:00 a.m. court session in another. Suddenly, a message pops up on your screen: “ATTENTION!! Your files have been encrypted. Decryption of your files is only possible with a private key and decryption program, available on our server.” The attackers demand that the firm pay $10,000 in bitcoin to unlock the files, and say they will publicly release some unspecified amount of confidential information to prove they have control over the firm’s data.
This scenario, or one like it, can happen to any legal professional or any firm, and it has been increasing in frequency. Cyberattacks have been on the rise across every vertical industry, but legal firms present particularly attractive targets to attackers because of the data they house, the clients they serve, their professional conduct and ethical obligations on confidentiality, and the typically less-than-robust nature of their cyber defenses.
Legal firms hold enticing information such as M&A documents, intellectual property, personally sensitive data, and other records that can motivate attackers to strike in order to monetize the data through insider trading or sale to third parties. Ransomware, which encrypts user files until the demanded ransom is paid in cryptocurrency, allows attackers to profit quickly and has been on the rise. Notable attacks such as the June 2017 NotPetya ransomware incident, which affected DLA Piper, likely cost the firm millions of dollars in fees and mitigation expenses. Ransomware is a weapon of choice against legal firms, as attackers understand that firms are highly motivated to protect the confidentiality of their data and are obligated by the ABA Model Rules to make reasonable efforts to prevent disclosure of, or unauthorized access to, client data. Firms are also required to disclose any unauthorized access quickly, which can damage their reputation and creates an even stronger incentive to pay the ransom.
Unfortunately, incidents like the hypothetical scenario above, or other cyberattacks, often cause firms to think seriously about cybersecurity for the first time—when it could be too late. The facts are that most mid-sized firms will eventually be the victims of a cyberattack; most firms have significant room for improvement in their cyber incident posture; and in some cases, a cyberattack could be the end of the firm because of the associated costs and reputational damage.
It’s understandable that many firms don’t have a deep bench in terms of either IT personnel or highly qualified on-site cybersecurity staff. So, what can legal firms do now to reduce their overall risk? We recommend that all firms take four steps before an attack:
1. Incident Response Planning: All firms should have a complete plan in place for how they would react to, respond to, and recover from a cyber event, and for which individuals or third parties would be responsible for taking action from initial response through forensics. Incident Response Plans (IRPs) should detail a range of potential scenarios and how you would respond to each, and preparing them often involves conducting tabletop exercises to practice. Many firms don’t have internal staff who can help define these plans; if this is the case for your firm, consider hiring a third-party expert to assist.
2. System management/cyber hardening program: We recommend that firms conduct a cyber assessment to determine their most significant areas of system and network vulnerability, then identify and execute a plan to close those security gaps. These steps can efficiently improve defenses; establishing an ongoing process for keeping systems and software patched, up to date, and defended with the right security tooling is also essential. Third-party cyber assessment companies can assist where needed.
3. Information security training: Humans will always present a security vulnerability. Many cyberattacks are delivered through social engineering tactics such as phishing, which rely on people not understanding, or never having been trained in, security best practices. Comprehensive and regularly conducted information security training is a must for every firm to raise the ‘security IQ’ of its staff.
4. Get cyber risk insurance: Cyber risk insurance is becoming a must for limiting exposure; we recommend that firms research their options and obtain a policy matched to their level of risk exposure.
Legal firms are highly streamlined, specialized, and focused on providing expertise to their clients—most don’t focus on their cybersecurity prowess, and understandably so. However, even firms without in-house IT staff may find value in staying up to date on the state of cybersecurity and risk mitigation. Forums such as the New York State Bar Association (NYSBA) Annual Meeting, where I recently spoke, offer sessions on cybersecurity in the legal arena, where professionals can find approachable, understandable information to improve their security posture.
Having your sensitive documents locked up by ransomware is a nightmare scenario. But even if you can’t avoid it, having a plan to respond can make all the difference.
Kennet Westby is the Co-Founder and Chief Strategist at Coalfire. He provides cyber risk advisory to some of the world’s largest organizations and is a regular participant in programs advancing cyber risk management.