
Hackers stole £4m from UK law firms in ransomware campaign, says report

A report from the United Kingdom-based Solicitors Regulation Authority (SRA) has found that, of 40 UK practices investigated, 75 per cent had been victims of a cyber attack, with 23 of those reporting that the firm had been directly targeted.

Nastasha Tupas 13 June 2022 Big Law

Editor’s note: This story originally appeared on Lawyers Weekly’s sister brand, Cyber Security Connect.

The SRA report revealed that “half of the firms were found to have allowed unrestricted use of external data storage media”, with hackers stealing £4 million of client money so far.

The stakes are high for legal practices, which makes it more likely that a ransom will be paid and that the demands of malicious cyber actors, or of a threat group, will be met. Lawyers must keep all notes on a case, and attackers are keen to exploit that by exfiltrating the data.


Compared to other industries, those within the legal sector have an elevated risk of cyber threats, primarily due to the confidential data and sensitive client information available if a breach is successful.

According to the SRA data, legal practices depend on reputation and relationships, but the report found that security is “not often at the top of the priority list for legal practices”.

In 2017, DLA Piper, one of the world’s largest firms, was hit by a ransomware attack that cost the firm millions. It was a significant ransomware attack as the “EternalBlue” hacking tool had been used to conduct the breach, which cost the firm both directly and indirectly. According to TitanFile, EternalBlue “was rumoured to have been stolen from the NSA, and other methods to increase its reach and cause its damage”. In the past five years, cyber threats have only evolved and become more sophisticated, which emphasises the need for legal practices to be proactive with threat hunting, rather than reactive.

The Legal Services Global Market Report has revealed that the legal industry is expected to “grow from $713.12 billion in 2021 to $788.94 billion in 2022 at a compound annual rate (CAGR) of 10.6 per cent”. With infiltration taking place via ransomware, phishing and supply chain attacks, most cyber threat actors are driven by the potentially substantial financial payoff that follows a successful breach.

According to the SRA, Campbell Conroy & O’Neil PC is a significant example of the many legal practices hit by a ransomware attack in 2021. Following the breach, the firm was unable to access files that were critical to its clients and that contained personal information. The practice issued an announcement regarding the breach, which confirmed the gravity of the situation and the uncertainty about how much information had been lost.

“We cannot confirm if the unauthorised actor accessed or viewed any specific information relating to individuals. However, we determined that the information present in the system included certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e., usernames and passwords),” Campbell Conroy & O’Neil PC stated in the announcement.

Phishing attacks on the legal sector are usually delivered through fraudulent emails containing malicious links.

One of the major challenges is that conventional security tools are only capable of detecting known cyber threats using rules and signatures. For evolving strains of ransomware, such signatures may not yet exist, so the malware can go undetected. Additionally, security teams cannot keep up with these threats using traditional controls alone, especially when they are understaffed or out of office.

According to the latest Chartered Institute of Procurement & Supply (CIPS) data, supply chain attacks rose by 42 per cent in the first quarter of 2021 in the US. Exploitation of third-party data stores, case management systems, or legal software providers is one of the ways a law firm’s supply chain can be compromised.

Finally, two forms of insider threat emerged, involving current and former employees. An unintentional data breach by a trusted employee comes down to a lack of internal education and training: the user is unaware that their actions are causing the business harm.

In other scenarios, information has been leaked intentionally by ex-employees for their own gain. Payment or coercion from a threat group may have motivated the individual, or the attack may be down to a personal grudge against the organisation or an individual within the company.

According to the Identity Theft Resource Center (ITRC), “supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack”, indicating that internal cyber security training and the upgrading or bolstering of security software are now essential business practices.
