Due to the nature of their business, law firms possess a tremendous volume of valuable documents and data, which are extremely attractive to hackers of a variety of motivations. Successful cyber-attacks can cause a severe negative impact to a law firm’s operations and catastrophic damage to a law firm’s reputation.

According to the recently published 2020 ABA Legal Technology Survey Report, the number of law firms experiencing a known security breach increased to 29 per cent in 2020. The survey notes that “despite the ethical issues and pending challenges, the use of certain security tools remains at less than half of respondents,” and only 36 per cent of the respondents have committed to cyber insurance policies.

This paper seeks to help all organisations and institutions, not just law firms, better understand the threats they face and why they should work toward better cyber hygiene, and a more proactive incident and threat management strategy. First, I review why law firms are attractive cyber targets and how compromising these firms is a high priority to threat actors. I will define the concept of “cyber hygiene” and show why it is critical to maintaining IT security best practices. Second, I examine some of the more notable and notorious cybersecurity thefts and leaks in recent years as well as the easily avoidable weaknesses that led to these unfortunate events. Third, I argue that organisations and institutions around the world should be more proactive in their overall security strategy. Finally, I highlight key tactics for building a robust incident and threat management program.

What makes law firms vulnerable to cyber-attacks?

Law firms are natural targets of both internal and external bad actors. The documents housed on their corporate and personal computers are repositories of sensitive and potentially incriminating information. If a cybercriminal or nation-state is looking for confidential information regarding a potential merger or acquisition, breaching the law firm is made more attractive by the prospect of gaining access to the firm’s client information. Although not an attack on a law firm, the largest sustained global cyber espionage campaign, referred to as Operation Cloud Hopper, showed how customers of global firms can also suffer significant damage from a strategic attack. Operation Cloud Hopper targeted IT-managed service providers who, in many cases, allowed direct and unfettered access to their customers’ networks. It’s easy to see how law firms, who have highly sensitive client data, provide threat actors both unprecedented visibility into multiple targets and a tremendous strategic advantage for future attacks. Obviously, this concern applies to many industry sectors and institutions around the globe.

The importance of cyber hygiene

“Cyber hygiene” is a prerequisite for a successful incident and threat management program. The worst thefts and infiltrations are often due to poor cyber security. In the same way that personal mental and physical hygiene maintain a healthy body and mind, good cyber hygiene practices keep computer systems up to date, promote full visibility and ensure data protection.

Cyber hygiene helps maintain best practices in keeping sensitive data safe from external attacks and in complying with the latest security standards, including monitoring access privileges on different applications and systems. Cyber hygiene will identify high-risk vulnerabilities and determine whether those vulnerabilities are present within an IT estate; it can also verify whether unencrypted PII (Potentially Identifiable Information) exists on unsecured systems. Moreover, diligently following cyber hygiene best practices helps maintain compliance with frameworks such as the National Institute of Standard’s Technology Cybersecurity Framework (NIST CSF) and ISO 27002/1. Overall, robust cyber hygiene lays the foundation for a successful threat management program within an organisation. Without it, the organisation is at considerable risk of successful infiltration and data theft.

A series of unfortunate cyber events

In 2016, an attack on the Mossack Fonseca law firm led to the breach of more than 11 million confidential and privileged documents, including emails, database files, PDFs and thousands of text documents. Based on reporting done by security researchers, there were multiple reasons for the breach, including external-facing servers running outdated software, while missing critical security updates. In other words, Mossack Fonseca did not have adequate cyber hygiene protocols and procedures as there was a clear lack of visibility across the estate, as well as missing patches and vulnerabilities including poor network segmentation.

In 2017, the NotPetya Ransomware attack, the most devastating cyberattack to date, infected hundreds of thousands of computers, including a major international law firm. Other large corporations such as the shipping giant Maersk, the pharmaceutical giant Merck, FedEx’s European subsidy TNT Express, the French construction company Saint-Gobain, food producer Modelez, manufacturer Reckitt-Benckiser and multiple government agencies were also targeted. The attack crippled ports, paralysed corporations, infiltrated government agencies and wreaked havoc on organisations throughout the world, inflicting more than $10 billion in total damages in the process, according to Wired magazine. The threat actors exploited unpatched vulnerabilities in order to breach systems across multiple organisations, as well as a vulnerability in Microsoft systems (aka CVE-2017-0144, whose patch had been released in March 2017).

Had these organisations implemented a robust patch and vulnerability management program, this devastating attack could have been prevented. (It is important to emphasise here that nation-state actors have shifted toward exploiting similar unpatched vulnerabilities rather than funding the development of a zero-day exploit.) Government security agencies later attributed the attack to the Russian military, saying it was “almost certainly responsible for the ‘NotPetya’ cyberattack of June 2017.” The effects of inadequate cybersecurity hygiene were felt across multiple organisations around the world.

Like NotPetya, many ransomware variants rely on unpatched vulnerabilities to successfully launch an attack. In recent years, the surge in ransomware attacks has been partly a result of vulnerabilities in external-facing systems. Threat actors have been able to leverage unauthorised permissions, move laterally within the environment and successfully launch a ransomware attack. On other occasions, these attacks have exploited the vulnerabilities in internal systems following a successful email phishing campaign.

Threat actors easily exploit weaknesses in security management programs, especially in those which fail to deploy patches early. A window is left open, and systems are vulnerable and easily compromised. The common theme of poor system visibility and inadequate cyber hygiene continues to be a significant problem for organisations. In the remainder of the article, I will address how security leadership should drive a culture of change to include security hygiene as a minimum baseline expectation across the offensive and defensive security teams.

A proactive security strategy

Despite increased budgets, better tools and more focus, many organisations still struggle with cyber hygiene basics, not to mention more advanced security tasks like detection and response. In fact, 71 per cent of organisations lack end-to-end visibility of endpoints and health. Moreover, employees sometimes install unapproved applications that can weaken an organisation’s overall security.

A proactive cyber hygiene program starts with an inventory of all hardware, software and applications, as well as a unified solution, providing visibility across these components to reduce the attack surface of an organisation. A solution that helps execute live queries, verify the total number of systems (including an operating system breakdown) and then quantify the list of running applications (including the list of user accounts across the identified systems), provides a clear view of the attack surface of an organisation. The IT and operations teams can then understand missing patches on the endpoints as well as system- or application-level vulnerabilities, the presence of full-disk encryption software and sensitive data identification such as PII. They will be able to work towards identifying systems that are not compliant with the organisation’s security policy. A proactive cyber hygiene program can drastically reduce the risk of missing security updates and improve the incident and threat management of an organisation.