
Law Firms and Ransomware

Protecting Your Law Firm from Ransomware

Ransomware attacks occur when cyber criminals hold your data to ransom by encrypting it and demanding money for its decryption or release.

The best example of a Ransomware attack – which is one of the fastest-growing areas of cyber crime – is the WannaCry cyber-attack which devastated the NHS and many other institutions last year.

With ransomware attacks, there are fewer barriers to entry for budding cyber criminals to try their hand at digital extortion. Alarmingly, ransomware “toolkits” are readily available on the dark web and other dark corners of the internet, making it easy for amateurs to get in on the act and launch their own attacks.

In addition, the increasing popularity of “cyber economies” creates a potentially untraceable but lucrative, redeemable commodity.

The number of ransomware attacks on businesses is ever increasing – research by Kaspersky revealed that a business is attacked with ransomware every 40 seconds. Equally concerning is another statistic that 71% of companies targeted by ransomware attacks have been successfully infected.

This can only mean that many cyber defence firms and technologies are struggling to keep up with the ever-changing threat landscape.

So far as law firms are concerned, the impact of such an attack can be more devastating than to other businesses due to the heavy reliance on data, confidentiality, and the perception of stability which is vital to uphold. The financial, reputational and structural pillars of a law firm are at risk.

A survey conducted by Datto and Timico last year, which included 250 law firms and 750 other UK businesses, revealed that:

  • More than 25% of law firm victims of ransomware attacks ended up paying cyber criminals £5,000 or more to retrieve their data.
  • A third of ransomware victim law firms lost access to their data for more than a month, while 14% said it was “unrecoverable”.
  • 88% of law firms who were hit by this kind of attack experienced systems downtime of a week or more.
  • 53% estimated it cost their firm between £1,000 and £2,000 a day in lost revenue, due to systems being down. A third of law firms could not estimate the overall cost to their business, describing it as “unquantifiable”.
  • The effects of the attack were almost instant with 68% stating their data systems went from fully functional to essentially useless within seconds or minutes.

For regulated businesses, the stakes are higher. The access to a firm’s confidential client data by an unauthorised outsider poses a significant threat to client confidentiality and therefore SRA compliance and data protection compliance (a problem which will be magnified under the EU GDPR).

Can Ransomware Threats Be Mitigated?

Ransomware can be transmitted in two primary ways:

1. Traditionally, via fraudulent emails which relied on untrained or unsuspecting staff clicking on a malicious link or attachment.

2. More recently, cyber criminals found a way to exploit a security vulnerability in operating system software. The WannaCry outbreak is a perfect example of such an attack, using Microsoft’s operating system as an entryway into an organisation’s systems.

Our advice is that, in addition to security patching and update policies, staff training, security technologies and company policies such as regular (daily!) data backups and emergency protocols, it is vital that law firms have a sound Cyber or Data Incident Response Plan.

If your firm has been a victim of a Ransomware attack, then you will need immediate expert assistance.
