Why are law firms being targeted by cyber criminals?

David Ford


News of another successful cyber-attack in the legal sector, this time on listed law firm Gateley plc, again highlights the risks faced by all businesses, but particularly those that hold large quantities of sensitive client data.

The cyber-attack on Gateley, which was discovered quickly by the firm’s in-house IT team, saw only a small amount of client data stolen before it was traced and deleted from the location to which it had been downloaded.

However, although the result could have been much worse, the firm still has to tell every client what happened and whether their sensitive data was compromised, which illustrates the reputational damage that any law firm suffering an attack and data loss faces.

This is only the latest in a string of high-profile cyber-attacks affecting law firms. Earlier this year, global giant Jones Day had gigabytes of sensitive client data stolen and made available to journalists, although the loss was reportedly part of a larger hack on file-sharing service provider, Accellion.

Recognising the opportunity

There is an ongoing debate about who is behind most cyber-attacks, but whether it is organised crime groups, state-sponsored actors or lone hackers, there is little doubt that activity has increased significantly during the pandemic, particularly against law firms.

Whilst hacks on big law firms are headline news, all firms are targets for criminals because of the nature of their business. The confidential client data gathered during corporate transactions and the sensitive data retained following family law and private client work are valuable targets for criminals.

These criminals now recognise that law firms not only risk financial loss, through compromised funds transfers or having to pay a ransom for a decryption key, but that the threat of reputational damage makes them likely to meet the attackers' demands in an effort to keep their legal business alive.

Whilst the big firms attract more attacks, they are also the firms likely to have the best defences, with cyber-security a board-level concern. That is why criminals are increasingly turning their attention to smaller firms, which often lack the specialist expertise to prevent a sophisticated attack.

In October 2020, a report from the American Bar Association, the largest voluntary association of lawyers in the world, found that 29% of US law firms reported a security breach. More than 20% were unsure whether they had been breached, and 36% reported past malware infections.

Of course, the true picture could be worse, as many firms will be reluctant to report attacks, successful or otherwise, for fear of damaging their reputation in the eyes of their clients. Bear in mind that Gateley's share price dropped around 8% following news of the breach.

Considerations when facing cyber-attacks

Cyber-attacks come in many forms, and even though ransomware attacks have taken the recent headlines, many other kinds are equally damaging to law firms through the potential loss of sensitive client data.

Some of the most damaging attacks are those in which the breach goes undiscovered for a long time, such as the 2020 SolarWinds supply-chain compromise. That attack let the intruders spend months inside numerous U.S. government networks and private companies' systems around the world before it was discovered.

That is why finding potential weaknesses in an organisation's systems before the attackers do is the best first step beyond existing anti-virus and firewall measures. It should include testing staff to ensure they understand their responsibilities in preventing a successful attack, which will typically fall into one of the following common categories:

– Phishing: criminals send bulk emails to large numbers of organisations, posing as a trusted, known source in an attempt to obtain sensitive information (such as login credentials) or to gain access to client funds.

– Spear-phishing: fraudulent emails crafted to appear to come from an individual or business known to a specific target organisation, designed to infect devices with malware or to persuade the recipient to hand over information or money, for example a bogus instruction to change the bank account for a funds transfer.

– Ransomware: malware that encrypts the data on computers, servers and smartphones and demands a ransom for the decryption key; paying does not guarantee that the key works or that any stolen copies of the data are deleted. It typically arrives via unsolicited emails, with employees clicking on genuine-looking links or attachments.

– Websites: with more than half of all legitimate websites estimated to carry unpatched vulnerabilities because administrators have not fully secured them, criminals compromise such sites and use them to infect visitors or harvest their credentials.
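As an added illustration of the spear-phishing point above (example code written for this article, not from the original page or from any firm named in it): a small Python triage routine that flags sender domains impersonating a firm's known counterparties. The allow-list of domains, the sample From: headers and the table of look-alike characters are all constructed for the example, and every domain uses the reserved `.example` TLD, so the names are hypothetical.

```python
# Added example for this article (not code from the original page or from
# any firm it names): triage From: headers for spear-phishing look-alikes.
# The allow-list, sample messages and confusables table are constructed;
# every domain uses the reserved ".example" TLD and is hypothetical.

# Characters and digraphs attackers swap in to mimic a legitimate domain.
# Multi-character keys are applied first so "rn" becomes "m" before
# single characters are touched.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}

# Hypothetical counterparties the firm regularly exchanges mail with.
KNOWN_DOMAINS = {"smithlaw.example", "clientbank.example"}


def fold(domain: str) -> str:
    """Lower-case a domain and collapse look-alike characters so that
    'srnithlaw.example' and 'smithl\u0430w.example' both compare equal
    to 'smithlaw.example'."""
    d = domain.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(display_name: str, address: str, known_domains=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike', 'display-name-spoof' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    # An exact match, or a genuine subdomain of a known domain, is fine.
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            return "known"
    folded = fold(domain)
    for known in known_domains:
        kf = fold(known)
        if (folded == kf                          # homoglyph / digit substitution
                or edit_distance(folded, kf) <= 2  # typo-squat
                or kf in folded):                 # known name buried in attacker domain
            return "lookalike"
    # The mailbox is unrelated, but the display name trades on a known
    # organisation's name: classic display-name spoofing.
    org_names = {k.split(".")[0] for k in known_domains}
    compact_name = display_name.lower().replace(" ", "")
    if any(org in compact_name for org in org_names):
        return "display-name-spoof"
    return "unknown"


def triage(messages, known_domains=KNOWN_DOMAINS):
    """Apply classify_sender to (display name, address) pairs."""
    return [(addr, classify_sender(name, addr, known_domains)) for name, addr in messages]


# Constructed sample From: headers covering the common impersonation styles.
SAMPLE_MESSAGES = [
    ("Jane Smith", "jane@smithlaw.example"),                   # genuine
    ("Jane Smith", "jane@mail.smithlaw.example"),              # genuine subdomain
    ("Jane Smith", "jane@srnithlaw.example"),                  # "rn" standing in for "m"
    ("Jane Smith", "jane@smithl\u0430w.example"),              # Cyrillic a
    ("Jane Smith", "jane@smithlaw.example.invoices.example"),  # real name buried in attacker domain
    ("Client Bank Payments", "payments@mail-relay.example"),   # display-name spoof
    ("Weekly Newsletter", "news@unrelated.example"),           # unknown, not impersonating anyone
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:20s} {addr}")
```

Two caveats for anyone adapting this: the edit-distance threshold of 2 produces false positives against very short allow-listed domains and should be scaled to the domain length, and a sender-domain check is only one signal; in production it sits alongside the SPF, DKIM and DMARC results already present in the message headers, which catch the simpler case where the attacker sends from a forged copy of the real domain.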

This is only a quick overview of attack types, a subject we will cover in much more detail in subsequent articles, as attack vectors are always changing. Defeating the criminals is a tough test for any in-house IT team without specialist support, and that is where we come in.

After testing for weaknesses, there are a number of valuable cyber security measures that can be deployed: enabling two-factor authentication on email and remote access, keeping backups that are offline or immutable and regularly tested, and ensuring software is patched and maintained. Training employees on good security practice is also critical.

Each attack vector commonly used by criminals requires different preventative measures, which is why a single comprehensive solution makes life simpler for those firms that recognise multi-vendor solutions can fail when they become too complicated to integrate successfully.

Again, we will cover the most valuable actions in a series of blogs on the topic; if you want to be kept informed, please sign up to our newsletter. In the meantime, one of the best defences against a ransomware attack is an effective, immutable backup, which you can read about here.