Ransomware: How to Defend Your Law Firm

The Bencher—January/February 2022

By Sharon D. Nelson, Esquire, and John W. Simek

Ransomware has been a constant curse for law firms, especially during the pandemic, with lawyers working from home on networks three and a half times more vulnerable to attack. Law firms need to work on shoring up their defenses.

Good News and Bad News from Coveware

Coveware is a ransomware incident response firm that issues eagerly awaited reports each quarter. What was the good news at the end of Q3 2021? The average ransomware payment remained at $140,000.

Sadly, there was a cautionary admonition for law firms. Coveware says small and midsize professional services firms, especially law firms and financial services firms, appear most at risk from ransomware attacks because of their lack of cybersecurity preparedness, apparently because they think they’re too small to be targeted.

That thinking has always been wrong, but it is more wrong now. Why? Because governments and law enforcement are cracking down on ransomware gangs. Those efforts have intensified since the Colonial Pipeline attack in spring 2021.

Coveware says, “We have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may evoke a national political or law enforcement response. This shift from ‘big game hunting’ to ‘mid game hunting’ is personified in both the ransom amount statistics but also the victim size demographics from the quarter.” In other words, ransomware gangs may avoid attacking the AmLaw 100, but not mid-sized firms that nonetheless hold very valuable data.

Changing a Law Firm’s Mindset

We were struck by this statement in the Altman Weil 2020 Law Firm Survey: “Most law firm partnerships don’t want to change, aren’t good at it, and by and large don’t think it’s necessary.”

Often, small and mid-sized law firms do not consider cybersecurity with the appropriate gravity. They will generally take some steps toward protecting their data, but they rarely go far enough—and they often protest the time and money involved in securing their confidential data.

There is irony in that thinking because the firms often do not consider the time and money that will be spent on responding to a data breach. These days, most successful ransomware attacks do constitute a data breach because the cybercriminals now routinely exfiltrate a law firm’s data before encrypting it.

Change management is often difficult in law firms, which seem perpetually resistant to change. The pandemic changed that to some extent, as video conferencing, accepting electronic payments, signing client engagement agreements electronically, etc. became routine.

What Are the Fundamental Steps Law Firms Should Take to Secure Their Data?

There are critical steps that every law firm can take. The best first step is to make sure you are getting advice from a reputable cybersecurity company. You want the folks working on your security to have well-respected cybersecurity certifications.

Here are our most highly recommended security tips:

  1. Enable two-factor authentication (2FA) anywhere you can. It will stop 99.9% of all account takeover attacks.
  2. Make sure you have endpoint detection and response protection for all the devices connected to your network. This solution will monitor for behavior indicating malware or an attack.
  3. Make sure you have multiple backups, test them often, and always have at least one backup not connected to your network so it can’t be encrypted or destroyed.
  4. Apply updates and patches promptly—if you are concerned about them “breaking” something, have a third party test them.
  5. Control or disable network services. Don’t use Remote Desktop Protocol.
  6. Restrict privileged access and deploy a privileged access management solution.
  7. Do cybersecurity awareness training for employees at least once a year—twice is better.
  8. A great resource is CISA’s one-stop shop website: www.cisa.gov/stopransomware.
  9. Get a cyberinsurance policy, but be wary. Costs are escalating while coverage is lessening.
  10. Develop a comprehensive Incident Response Plan to avoid panic and mistakes if you do suffer a ransomware attack.

Sharon D. Nelson, Esquire, is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the American Bar Association. She can be reached at snelson@senseient.com.
John W. Simek is vice president of Sensei Enterprises, Inc. He is a certified information systems security professional, certified ethical hacker, and a nationally known expert in the area of digital forensics. He and Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia, firm. He can be reached at jsimek@senseient.com.

© 2022 Sensei Enterprises, Inc. This article, in full or in part, may not be copied, reprinted, or distributed without the written consent of Sensei Enterprises, which may be obtained by writing Sharon D. Nelson, Esq.