
If the past few months have proven anything, it’s that the cyber threat landscape can change overnight. Each user is now a separate perimeter, most likely sitting on an unsecured home network, and organisations have lost significant visibility of their users’ endpoints. Cybercriminals know this, and as a result the number of compromised networks more than tripled between January and March.

What has it meant for law firms?

Law firms will always attract cybercriminals because of the information they hold. Personal information is the most targeted, as it is the most lucrative for a number of different kinds of financial fraud. The 2020 Verizon Data Breach Investigation Report (DBIR) found that financially motivated attacks on law firms have increased from around 50% in 2016 to 93% in 2019. But law firms are also being used as an attack vector themselves, as Robert Hannigan, former director of GCHQ, pointed out in May 2020:

The law touches every part of the economy, so law firms are connected with every company, institution and government at some level.

As we move out of lockdown and a semblance of normality resumes, more organisations are looking to move to a proactive Secure Access Service Edge (SASE) approach for networking and cyber security – rather than the traditional perimeter-based and VPN approach – to provide secure internet access wherever their users decide to work.

Multiple reports show that cyber defences in the UK legal sector are improving but, as always, there is still work to do. The 2019 Crowe Report studied 200 of the UK’s biggest law firms and found more than 90% have exposures in their security, leaving ‘troves of secret client information vulnerable to hackers’.

So, what’s the answer?

Spend more money and throw more technology at each new problem? Process matters far more than technology in approaching cyber security. Technology is an integral part of a security posture, but without clear processes and an understanding of your own organisation’s appetite for risk it is very hard to know which technologies to invest in.

Let’s take a step back.

The DBIR found that 40% of breaches in law firms were due to misconfigurations. So four in ten successful breaches in law firms could be stopped by ensuring existing solutions are configured to best practice.

How often have you been checking your configurations? I met with a Top 200 UK Law Firm who hadn’t once had a best practice assessment on their best-of-breed firewalls in the three years since they bought them. It wasn’t their fault; their incumbent IT MSP hadn’t informed them of the importance of such measures, so they didn’t understand the risk, and small IT teams already have too many responsibilities to be cyber security experts as well.

Furthermore, the flurry of activity to mobilise remote workforces and provide access meant more configuration changes in a week than most organisations see in years. As the threat landscape changes, so do the best practices: what was best practice on Friday 20th March had changed completely by Monday 23rd March. Configuring solutions to best practice is a highly effective security measure, and it means you get the most out of the solutions you have already paid for.

Vulnerability Management can provide visibility and context

One area in which law firms are improving is patch management: according to the DBIR, 67% of patches were applied within the first quarter after the vendor released them, 10% higher than the overall average. But patch management isn’t the same as vulnerability management. It is rarely slow patching that causes issues; it is the assets that network scans don’t pick up and the legacy systems that never get patched that create exploitable gaps for attackers.

New vulnerabilities are discovered every single day, so you are never going to have a clean network, and no IT team has the time to prioritise remediations manually. Most rely on CVSS scores, but with hundreds of new vulnerabilities each month (Microsoft alone has averaged 115 CVEs a month for the last six months) the most important thing is understanding context rather than a static score from 0 to 10.

Which vulnerabilities are actually exploitable? Which of those can be exploited by a novice? Is there a known exploit kit available to download that a script kiddie can run? How old is the vulnerability? Exploitable vulnerability management enables you to reduce your attack surface in the quickest and most efficient way.
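The questions above amount to a re-ranking of findings by context rather than by CVSS alone. The following Python is an added example, not code from the original article or from any vulnerability management product: it takes a handful of constructed findings (the finding fields, the placeholder CVE names, the weights and the dates are all assumptions for illustration) and shows how a medium-severity bug with a public exploit kit on an internet-facing system outranks a brand-new critical that nobody can exploit yet.

```python
"""Context-aware vulnerability prioritisation (added example).

Everything here is constructed for illustration: the finding fields,
the placeholder identifiers, the dates and the weights. A real
programme would feed the exploit and exposure fields from threat
intelligence, the asset inventory and the scanner rather than by hand.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0-10.0
    published: date        # date the vulnerability was disclosed
    exploit_public: bool   # working exploit code is publicly available
    exploit_kit: bool      # weaponised in a kit a novice can run
    internet_facing: bool  # asset is reachable from the internet
    asset_critical: bool   # e.g. the document management or practice system


# Fixed "today" so the age calculation is reproducible (assumption)
AS_OF = date(2020, 7, 1)

# Constructed sample findings (not real vulnerabilities)
SAMPLE_FINDINGS = [
    # Brand-new critical, no exploit, internal-only, ordinary server
    Finding("CVE-EXAMPLE-1", 9.8, date(2020, 6, 15), False, False, False, False),
    # Two-year-old "high" with an exploit kit, on an internet-facing critical system
    Finding("CVE-EXAMPLE-2", 7.5, date(2018, 3, 1), True, True, True, True),
    # "Medium" with a public exploit on an internet-facing host
    Finding("CVE-EXAMPLE-3", 5.3, date(2020, 3, 20), True, False, True, False),
]


def priority(f: Finding, today: date = AS_OF) -> float:
    """Re-rank a CVSS base score by exploitability, exposure and age.

    The weights are hypothetical. The design point is that exploit
    availability and exposure move a finding far more than a few tenths
    of CVSS, and that they multiply rather than merely add.
    """
    score = f.cvss
    if f.exploit_public:
        score += 2.0           # someone has already done the hard work
    if f.exploit_kit:
        score += 3.0           # a script kiddie can run it: treat as near-certain
    if f.internet_facing:
        score *= 1.5           # no foothold needed to reach it
    if f.asset_critical:
        score *= 1.25          # impact on the firm if it falls
    if (today - f.published).days > 365:
        score += 1.0           # old and still unpatched: well understood by attackers
    return score


def prioritise(findings, today: date = AS_OF):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.cve:16} cvss={f.cvss:4} priority={priority(f):6.2f}")
```

Run stand-alone, the "medium" CVE-EXAMPLE-3 lands above the 9.8 CVE-EXAMPLE-1, which is exactly the ordering a static CVSS sort would get backwards.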

Continuous scanning is important too: you want to discover assets and exploitable vulnerabilities as soon as they appear on your network. The 2020 Verizon Data Breach Investigation Report placed continuous vulnerability management at the top of its list of controls to implement to address this year’s findings.

What happens when someone successfully breaches your organisation?

Unfortunately, there’s no silver bullet (despite what some vendors may claim) and you should assume you will be breached in some form, eventually. But when that does happen, how can you detect and stop it before any serious damage is caused?

Attacks are becoming more sophisticated and increasingly difficult to investigate. Enterprise law firms can afford in-house SOCs, but these are not feasible for mid-market and regional firms. Managed Detection and Response (MDR) is becoming more popular: a dedicated 24/7 outsourced SOC staffed by security analysts will dramatically improve the security posture of those that can afford it, and is highly recommended.

The International Bar Association also recommends that all law firms implement a Security Information & Event Management (SIEM) solution to audit logs. SIEM solutions are no longer resource-heavy and no longer need lots of analysts in seats; they can be deployed and used by small IT teams to do a huge amount of the heavy lifting. Stitching together DHCP, LDAP, AD and DNS logs alone gives granular visibility of endpoint activity down to individual users, including which applications they use and when. SaaS-based SIEMs can enable IT teams not only to recover the visibility they had before lockdown but to gain end-to-end visibility of their network and users, detecting a breach in real time and quarantining remote devices with a single click. New technologies have also made SIEMs commercially viable.
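The "stitching together" step is the part worth seeing in code, because the value of a SIEM comes from the join, not from any one log. The following Python is an added example rather than code from the article or from any SIEM vendor: it correlates constructed DHCP lease, AD logon and DNS query lines (the one-line key=value log format, hostnames, users, IPs and domains are all assumptions, not any product’s real format) so that each DNS query is attributed to the user who was logged on to the host that held that IP at the time, then flags queries against a constructed watchlist. It also handles the edge case that makes naive joins lie: the same IP re-leased to a different laptop later in the day.

```python
"""Stitching DHCP, AD logon and DNS logs into per-user activity (added example).

The log format, hostnames, users, addresses and domains below are
constructed for illustration; they are not any vendor's real format.
"""
import bisect
from datetime import datetime

# Constructed sample logs. Note 10.0.5.23 is leased to LAPTOP-07 in the
# morning and re-leased to LAPTOP-12 in the afternoon, so attribution
# must respect time, not just the IP.
SAMPLE_LOGS = """\
2020-06-08T09:00:01 DHCP lease ip=10.0.5.23 mac=00:11:22:33:44:55 host=LAPTOP-07
2020-06-08T09:00:05 AD logon user=jsmith host=LAPTOP-07
2020-06-08T09:15:30 DNS query ip=10.0.5.23 qname=mail.example.com
2020-06-08T09:40:12 DNS query ip=10.0.5.23 qname=paste.example.org
2020-06-08T09:50:00 DNS query ip=10.0.9.9 qname=mail.example.com
2020-06-08T13:00:00 DHCP lease ip=10.0.5.23 mac=66:77:88:99:aa:bb host=LAPTOP-12
2020-06-08T13:02:10 AD logon user=adoe host=LAPTOP-12
2020-06-08T13:30:45 DNS query ip=10.0.5.23 qname=files.example.net
"""

# Constructed watchlist standing in for a threat-intelligence feed
WATCHLIST = {"paste.example.org", "files.example.net"}


def parse(line):
    """Split '<timestamp> <source> <event> k=v k=v ...' into its parts."""
    ts, source, _event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), source, fields


def latest_before(entries, ts):
    """Most recent value from a time-sorted [(ts, value), ...] at or before ts."""
    times = [t for t, _ in entries]
    i = bisect.bisect_right(times, ts)
    return entries[i - 1][1] if i else None


def correlate(log_text):
    """Attribute each DNS query to (host, user) via DHCP lease and AD logon history."""
    leases, logons, queries = {}, {}, []
    for line in log_text.splitlines():
        ts, source, f = parse(line)
        if source == "DHCP":
            leases.setdefault(f["ip"], []).append((ts, f["host"]))
        elif source == "AD":
            logons.setdefault(f["host"], []).append((ts, f["user"]))
        elif source == "DNS":
            queries.append((ts, f["ip"], f["qname"]))
    # Logs rarely arrive in order; sort each timeline before searching it
    for timeline in (*leases.values(), *logons.values()):
        timeline.sort()
    events = []
    for ts, ip, qname in queries:
        host = latest_before(leases.get(ip, []), ts)          # who held the IP then?
        user = latest_before(logons.get(host, []), ts) if host else None  # who was on it?
        events.append({"time": ts, "ip": ip, "host": host, "user": user, "qname": qname})
    return events


def flag_watchlist(events, watchlist=WATCHLIST):
    """Return the attributed events whose queried name is on the watchlist."""
    return [e for e in events if e["qname"] in watchlist]


if __name__ == "__main__":
    for e in correlate(SAMPLE_LOGS):
        print(f"{e['time'].isoformat()} {e['ip']:10} {str(e['host']):10} "
              f"{str(e['user']):8} {e['qname']}")
    print("watchlist hits:", [(h["user"], h["qname"]) for h in flag_watchlist(correlate(SAMPLE_LOGS))])
```

The 13:30 query resolves to adoe on LAPTOP-12, not jsmith, because the lease lookup is bounded by time; the 09:50 query from an IP with no lease on record stays unattributed rather than being guessed, which is the honest answer and itself a useful signal that an asset is missing from inventory.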

In Summary

  • Law Firms will always be high up on the target list for hackers
  • 40% of breaches can be avoided by following best practices and checking configurations regularly
  • Vulnerability management can provide visibility of all assets in your network infrastructure, across multiple environments, and can drastically improve the time in which exploitable vulnerabilities are remediated
  • Due to the sensitive nature of information held by law firms, MDR or SIEM are vital in gaining visibility of user behaviour and detecting and stopping breaches in real-time

If you would like to book a cyber security review to understand where your gaps are and to get help creating a roadmap to design a layered approach to security, please do get in touch.
