Not a Matter of If, but When

Ransomware to proliferate as a cyber threat to firms in 2018

When it comes to protecting client data, law firms will face myriad cybersecurity threats in 2018. But one threat — ransomware — is growing much more quickly than others.

Ransomware is a type of cyberattack in which a hacker encrypts a victim’s files in order to extort money from them in cryptocurrency like Bitcoin. Because it has proven profitable and simple to use, ransomware has enjoyed exponentially greater popularity among hackers over time.
A report by Cybersecurity Ventures estimated that ransomware damages worldwide would total $5 billion in 2017, which would be 15 times the damages incurred two years earlier. By 2019, ransomware costs will total more than $11.5 billion, and every 14 seconds, a business will face a ransomware incident, according to the report.

That only increases the likelihood that law firms of all sizes could face a nightmare scenario of having their critical documents and emails held hostage. For law firms, time is money, and every hour that attorneys can’t access their files to serve clients poses significant losses, according to Denver-based attorney Mark Spitz.

Spitz, a former general counsel for Pomeroy IT Solutions and a sole practitioner focusing on cybersecurity counseling, said that law firms are especially vulnerable to ransomware because they tend to have dated cybersecurity practices in general. 

“Law firms tend to be behind the curve when it comes to IT,” he said. “They tend to not invest as much in it as other companies might.”

While it’s debatable that what hit them was technically ransomware, DLA Piper’s “Petya” incident provided a wake-up call last summer to law firms large and small. The malware had the global firm’s emails on lockdown for nearly a week.

In many ways, ransomware isn’t becoming more sophisticated, but rather simpler and easier to use, which will only make it more prevalent. Hackers can now download turnkey kits that they can modify and then use as off-the-shelf ransomware, Spitz said. One example is Hidden Tear, open-source ransomware code whose variants saw heavy use in 2017 and which even inexperienced hackers can use effectively.

“It’s not a sophisticated kind of attack,” Spitz said. “And it’s becoming simpler and easier for people to use because they’re seeing the value of these attacks.”

But one way in which hackers are becoming more sophisticated in using this malware is in how they penetrate a business’s network. In what’s known as social engineering, hackers research individual targets at a company using information on their social media profiles. They then use that information — for example, that the target belongs to a certain bar association committee — to disguise the email as one from another committee member and spoof the source, Spitz said. This “spear-phishing” practice makes it all the more likely the target will click on a link or attachment that will download the malware or ransomware.

As the probability that law firms will experience a ransomware incident continues rising in 2018, there’s much they can do to reduce their vulnerability, Spitz said.

Check your data backup procedures

Law firms should be cognizant of how frequently their data is backed up and how it’s done, Spitz said. If they have to recover their files to work around the ransomware encryption, they should consider how current those files would be once they have retrieved them. 

Also important is the location of the firm’s backup storage. If the backup connects to the firm’s own network, Spitz said, that data might also be compromised. A lot of firms are backing up their files at a cloud service or another secure third-party server; however, there is currently an ethics debate over whether that sufficiently preserves the documents’ confidentiality, Spitz noted.

Train everyone at the firm, and regularly

When ransomware penetrates the firm’s network, it’s usually because it had an “in” through an attorney or staff member clicking an offending link or an attachment.

“Most ransomware is successful because of something a person [in your organization] does,” Spitz said. One of the most important prevention measures firms can take against ransomware and other cybersecurity issues in 2018 is to conduct regular training on them. The training shouldn’t be limited to the firm’s newcomers, but should instead involve ongoing presentations for all attorneys and staff.

To test their own effectiveness at preventing data breaches, firms might consider using an outside service that will send simulated phishing emails and report back on whether they were clicked on, Spitz said.

Review your cyber insurance coverage

Law firms may find that their insurers, under their current policies, won’t make them whole when ransomware freezes their operations. A small Rhode Island firm learned this the hard way when it had its documents encrypted for three months due to a ransomware incident.

Moses Afonso Ryan eventually made a claim to its insurance provider for $700,000 in lost billings, but the insurer would only pay the $20,000 maximum its policy allowed for losses caused by a computer virus. The law firm sued the insurer in April.

Spitz warned that firms shouldn’t treat their cybersecurity coverage as one-size-fits-all.

“With general liability policies … there’s a lot of standardization, but not with cyber policies, because it’s a new area,” he said. However, that means there’s opportunity to negotiate with the insurer to provide different types of coverage for cybersecurity-related losses, he added.

Some of those different losses might include:

• business interruption losses specific to malware or ransomware incidents;

• costs for data forensics experts to investigate the data breach;

• costs associated with notifying clients when there is a breach (which for large firms can be significant);

• legal expenses for defending a lawsuit associated with the incident; and

• coverage for the ransom payment.

Many attacks demand ransoms in the hundreds or thousands of dollars, but in the case of Moses Afonso Ryan mentioned above, the hackers demanded $25,000 from a 10-attorney firm, which it eventually paid. Insurance coverage for the ransom, if the law firm chooses to pay it, could have strings attached, according to Spitz. The insurer might require notification, or might even have to approve the ransom payment before it will cover it.

— Doug Chartier
