Duncan Woodhouse, CISO at SPG, summarises the key takeaways and insights shared on the panel discussion on ransomware at the The Global Data Privacy, Cybersecurity and GRC ConfEx.
The Global Data Privacy, Cybersecurity and GRC ConfEx brought together the voices of experts in security for the legal industry to discuss the key issues facing law firms and legal counsel and share best practice.
The presentations and panel sessions covered everything around GDPR, looking at the impact of Schrems II on international data transfers and how to apply the PbD (privacy by design) principal, through to advice on third-party risk management and building a governance, risk management and compliance roadmap. Among the events, I sat alongside senior legal professionals to discuss the increasing risk of targeted malicious software attacks (commonly known as malware attacks) on law firms. We not only spoke about prevention and protection but also advice on what to do in response to an attack if it does happen. Below, I have shared our top tips for law firms.
The threat of ransomware
The rise of cybercrime isn’t news, but it is increasing at an alarming rate. The dynamic has shifted in recent years to have ransomware as the greatest threat to cyber security for organisations, irrespective of sector or region. Last year, the ICO reported an increase from 13 to 42 ransom attacks per month.
Ransomware can be defined as a malicious software deployed to encrypt data, blocking an organisation from access to their systems or files until payment is made in exchange for the decryption key. In many instances this becomes a double extortion attempt as they also demand a second ransom in return for not publishing stolen data from the initial attack. Organisations are put in a highly pressured position, forced to pay the money, however, only 8% of organisations manage to recover all their data. The cost of recovery has now reached an average of $1.85m and this can be higher for industries such as law where the attack can trigger fines from regulators and cause reputational damage.
The situation in Ukraine is also cause for consideration as nation states battle in cyber space for dominance. Some of the most potent malware has originated from the region and could be used to further target organisations that are considered legitimate targets.
How prepared are law firms?
The ransomware attack on 4 New Square last year exposed the cyber security weaknesses of the legal industry. The case confirmed the growing trend that law firms are the latest industry to see increases in cyber-attacks on their business. As organisations that hold large quantities of both personal data and client funds, firms are being targeted for money, information or both.
What can law firms do to prepare?
The overarching take-away from the panel discussion was to be prepared. It may seem too simplistic, but you shouldn’t assume you’re not a target or that your technology teams have everything in place to stop a determined attack. There are two key parts of being prepared: prevention and planning. There need to be systems in place to both mitigate against vulnerabilities as well as respond quickly and effectively should an event take place.
Top tips for mitigating potential attacks:
1. Consider where all of your critical data is.
How data is stored is critical not just for compliance purposes but also for recovery. Law firms must consider what data is being collected, the systems in place to protect personal information and the back-up process.
2. Ensure you have considered further technical controls that target malicious software entering and executing on your network.
There is an increasing industry that provides protection against rogue software on the network, via email, network or ‘end point’ security.3. Make sure staff are well educated on the threat.
While cyber security can be complex and highly technical, it cannot just be on the agenda of the technology team. Every person within the firm must do their part to learn about and uphold security protocols. Formal training sessions should include what to look out for and be wary of, including links or documents in malicious emails.
Top tips for responding to an attack:1. Consider cyber security insurance.
The insurance space has expanded rapidly in response to the rising threat to offer cyber security policies. This can help with the impact both financially, but also from the perspective of having the right people on hand to deal with the incident, such as forensic experts and ransom negotiators.2. Make sure you have a list of all of your key contacts.
Often contact information is lost in the frenzy of dealing with a live incident. There must be a readily available contact list that includes all the internal people on an incident management plan, as well as external security specialists (if they are likely to be required) and important external contacts, such as key partners.3. Practice for cyber security incidents.
Plans are only as good as you make them. Each time you practice make sure everyone on your incident management plan is involved. Often people will say they are too busy, or their focus is fee earning. Impress on everyone the importance of practicing for events, you don’t want to be testing your plan for the first time on a live incident.
Shieldpay's technology-led solution provides Third-Party Managed Accounts (TPMA), corporate escrow and paying agent services across the professional, financial and legal services industries. Get in touch to find out more.
Join the conversation