Today’s legal sector was built on digitized information. Law offices are vast goldmines of sensitive and potentially highly-valuable data. Legal departments and law practices have also offered cybercriminals countless entry points by extending the reach of the corporate systems at law firms well beyond the traditional security perimeters.
Sensitive personal, financial, and legal content gets created, accessed and shared across a range of endpoints, including desktops, laptops, tablets, and smartphones. These often double as personal devices, compromising the firm’s control and increasing the risk of a breach of sensitive client data. Staff, contractors, and clients generally can access the law firm’s systems at any time and from anywhere in the world with a Wi-Fi connection.
Law firms are prime targets for easily executed scams. These include spearphishing and business email compromise (BEC) attacks. Cybercriminals no longer need to possess the necessary tools to identify an entry point into a legal firm’s system, because a brisk trade has developed in providing access to a supposedly “secure” law firm’s network for a fee. This has spawned yet another new dark web profession: the Initial Access Broker (IAB). In a typical posting, one such IAB recently offered access to a U.S. law firm with more than 2,000 employers and a turnover of over $445 million a year for a few thousand dollars. To locate a law practice in a specific country or with specific clients, the cybercriminals could also simply enter a darknet marketplace and filter out a host of vulnerable law firms with a general “Law” search.
But while the larger law practices and the in-house legal departments of large corporations and governments may offer the richest targets in terms of sensitive data, cybercriminals find smaller law practices are often far easier and still tempting pickings. Tax lawyers often hold information regarding the finances their clients that are highly damaging if prematurely exposed and which could result in criminal proceedings. Small firms of real estate lawyers that conduct property transactions are particularly vulnerable to BEC attacks. Organizations with ransomware insurance are sought-after targets by cybercriminals as they tend to pay up faster. As law firms are obliged to follow regulations in this respect, they face roughly double the risk of attack.
Many law firms still rely on very basic antivirus and anti-malware that can detect only a fraction of today’s advanced attacks. Such defenses can offer only very limited protection against newer techniques involving ransomware and are powerless against sophisticated highly-targeted attacks. Securing the rapidly growing number of endpoints outside a modern law firm’s corporate network has become a daunting task for small in-house security teams with limited funds.
To extend their defenses beyond antivirus solutions, law firms are incorporating additional tools including endpoint detection and response (EDR) and network detection and response (NDR), which detect lateral movement and other indicators that a threat actor may have infiltrated the firm’s network. But EDR and NDR products are notorious for creating false positive alerts. Siloed controls also mean more windows for the small security team to monitor. This means that security teams at law firms either chase down each and every alert or choose to ignore all but the highest risks, leaving themselves open to attack.
While this rapidly evolving threat landscape has become a challenge even for large legal firms, smaller security teams find it even more challenging, unless they move towards more automated solutions, with investigation capabilities. In the case of positive alerts, it’s essential that these are automatically remediated. Small security teams operating out of a single geography are also at a disadvantage when pitted against remorseless and around-the-clock barrages of attacks by extremely well-funded and highly-organized international groups of cybercriminals.
The trend of staff working off-premises accelerated during the recent pandemic when people were forced to work from home. As a result, small security teams need not only automated defenses, but also much greater visibility across their law firm’s newly-extended network. Our survey found that security pros working in small in-house teams are inundated by many of the same threats facing larger organizations, but lack the financial resources to consistently remediate them.
Companies outside of the Fortune 500 cannot afford the vast array of cybersecurity products required to protect their firms, and a growing number are adopting cost-effective extended detection and response (XDR) solutions that offer alert and incident correlation in addition to built-in automation. Rather than being forced to acquire and integrate a multitude of security products, XDR can offer small security teams with all the necessary protection capabilities out-of-the-box. By adopting automated systems on a single platform, even small security teams can offer law firms 24x7 protection inside and outside their traditional perimeters.
Bruno Darmon, chief strategy officer, Cynet