Posted by Rob Stevenson, CEO and founder of Legal Futures Associate BackupVault
In 2021, ransomware attacks rose by an estimated 105% across the world, and attacks specifically targeting British institutions doubled on the previous year.
In the 2021 edition of PwC’s annual law firm survey, 90% of firms cited cybersecurity as the biggest threat to future growth, and the global increase in ransomware attacks was cited as one of the reasons for having a solid crisis management plan in place.
Meanwhile, Jeremy Fleming, the director of GCHQ, told the Cipher Brief conference: “I think that the reason [ransomware] is proliferating – we’ve seen twice as many attacks this year as last year in the UK – is because it works. It just pays.”
But what exactly is ransomware, and why is it such a threat to law firms?
What is ransomware?
Ransomware is malicious software that encrypts a user or organisation’s data, rendering them unable to access files, applications or systems until a ransom is paid. The two most common ways for ransomware to infect a device or system are ‘phishing’ emails and URLs embedded either in emails or websites.
Ransomware is designed to spread quickly, infecting all devices connected to a network and making crucial data and systems completely unusable.
If data is not backed up, or the backups themselves are infected, the victim of the ransomware attack will often have to bear the cost of the ransom in order to recover their files – or face simply losing the data, which can have catastrophic consequences for their reputation and their business overall.
The move to remote and homeworking during the pandemic is thought to have been a key cause of the recent rise in ransomware attacks.
Away from the office, staff are not protected by their company networks, which tend to only let trusted devices connect to them and have better security than home Wi-Fi set-ups. In households where the whole family uses the internet and shares devices, children may be downloading games and accidentally adding viruses to the home network.
Remote workers and the data they handle are therefore more vulnerable to cybersecurity threats.
Ransomware attacks on law firms
Law firms faced threats from ransomware attacks long before the pandemic, with the first high-profile ransomware incident affecting DLA Piper in 2017. DLA Piper is one of the world’s largest firms: in the year before the attack it reported revenue of $2.5bn, and its clients include government ministries, banks, sports teams and film studios.
For two days following the ransomware incident, all of the firm’s telephones and emails were unusable, and email access was not fully restored until nine days after the attack.
In October 2020, prominent US entertainment law firm Grubman Shire Meiselas & Sacks also fell victim to a ransomware attack. Data belonging to Lady Gaga, Bruce Springsteen, Madonna and Elton John was lost, and when the Russian hacking group responsible for the attack discovered files relating to Donald Trump, they doubled the initial ransom to $42m.
On the advice of the FBI, the firm refused to pay the ransom and was able to recover some of the lost data – but some of that data remains at large and available for purchase online.
Losing data is only one part of the story. If a firm falls victim to a ransomware attack, there is the reputational harm to consider, as well as the possibility of being fined by regulatory bodies.
In March this year, Tuckers Solicitors was fined £98,000 for failing to secure sensitive data that became the subject of a ransomware attack in 2020.
The Information Commissioner’s Office (ICO) found that the attack resulted in the encryption of 100,000 files, a quarter of which related to court bundles and included medical files, witness statements, and the names and addresses of witnesses and victims.
The ICO ruled that Tuckers had “failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Ransomware attacks can have devastating consequences for law firms, including financial losses and reputational damage – and it’s not just the large, well-established firms like those in the examples above that are being targeted.
Nearly three-quarters of the UK’s top-100 law firms have been affected by cyber-attacks, and for smaller firms that have little or no dedicated cybersecurity and IT support, the risk of incidents like ransomware attacks is on the increase. It is therefore crucial to have procedures and systems in place to ensure you are fully protected.
How to protect your law firm from ransomware attacks
There’s a wealth of measures you can take to both reduce the risk of your firm being hit by a ransomware attack and limit the damage in the event of one occurring.
Ensure your data is backed up regularly and stored remotely. The best way to do this is to use a third-party cloud backup provider that will store your data on remote servers, encrypt it at the highest available level of encryption, and ensure that the backups themselves cannot be infected.
Provide regular IT and cybersecurity training for all staff. Training is vital when it comes to guarding against ransomware attacks – make sure your staff are educated on how to spot phishing and scam emails, and provide regular refresher training too.
Use a VPN (virtual private network). This provides additional protection for those working from home or remotely, as VPN servers apply a layer of encryption that ensures any data you send and receive is secure.
Enable two-factor authentication on all devices connected to your firm’s networks. Passwords can be guessed and stolen, and because users have multiple online accounts requiring various credentials, they tend to reuse the same passwords across more than one account. Two-factor authentication adds a verification step that requires something unique, such as a fingerprint or a one-time code.
Make sure you have a comprehensive business continuity/disaster recovery plan in place. Know exactly which systems, applications and data you would need to access first in the event of a cybersecurity incident. Ensure the plan is printed and stored safely or saved on a cloud system away from the network so that you can access it even if your usual networks are affected by a ransomware attack.