Observations for professional practice
As the Victoria and New South Wales governments discuss emerging from lockdown in time for Christmas 2021, the vast majority of legal practices and their lawyers will continue to work remotely. The question at the moment is very much about COVID-19 vaccinations and whether firms should or can mandate vaccinations for their employees and visitors once we are all allowed back into the office. Though no doubt an important issue to deal with, remote working has brought other issues to the fore, not least of which is the rise of ransomware.
This article briefly discusses the increase in ransomware attacks occurring to firms and their clients and offers some suggestions on raising awareness and managing the risks associated with ransomware attacks more effectively.
So what is ransomware?
Ransomware is a type of malicious software or malware which locks your data or makes data on your computer systems unusable unless you pay a "ransom" to have that data released or unlocked. There are lots of different "flavours" of ransomware and it is becoming more and more sophisticated.
Ransomware is generally delivered to an unsuspecting user's computer in the same way other types of malware or viruses are distributed. It may come in the form of an attachment to an innocent-looking email, or it can infect your computer systems from malicious websites you visit. With a vast number of your workforce behind their desks at home since early 2020, the risks of malware, including ransomware, have increased markedly.
Once a user clicks on the attachment or visits the malicious site, the ransomware payload is released onto the user's system. When it has successfully locked the user's data, a message will appear explaining to the user that their information has been locked and setting out what steps the user needs to carry out to release this information. Often the message will be time critical to encourage early payment. Payment details are included with the ransom demand, with the ransom often payable in Bitcoin or some other form of cryptocurrency.
What are the risks of a ransomware attack to my practice?
Many legal practices don't believe they present an attractive target and question why a threat actor would be interested in them in the first place. This could not be further from the truth. Yes, it is correct that many high profile companies will often be deliberately targeted given their high profile or the information they manage and store. However, ransomware attacks are more often a crime of opportunity, with thousands of "phishing" emails distributed randomly at any one time to unsuspecting email recipients. It is those users who click on suspicious links containing malware that unwittingly let the attack take place. The organisation is not itself being targeted; its users are the ones allowing the malware to do its work.
Firms will generally hold vast amounts of confidential client information which may be put at risk during an incident, with many threat actors "ransoming" this valuable information in return for payment. The preservation of client information is vital to any legal practice and forms a key feature of our professional obligations to our clients. Any unauthorised disclosure or use of clients' information undermines the integrity of the practice and its lawyers. Such disclosure may result in complaints to the Victorian Legal Services Board and the other State equivalents.
Are there any relevant examples of firms being attacked by ransomware?
The most well-known ransomware attack against a law firm occurred in 2017 when DLA Piper came under attack following an update to the firm's payroll software by a Ukrainian accounting firm. A ransom of 300 Bitcoins was requested and all of the firm's systems were encrypted pending payment. At today's rate this ransom would have been $AUD18M approximately. At the time the ransom had an approximate value of $US300,000.
The firm was directly affected for about ten days with no access to email or relevant client files. It is not clear whether any ransom was actually paid, and the firm insisted at the time that no client files or information had been compromised. Nevertheless, the firm is likely to have spent considerable sums restoring its systems, not to mention the impact such an event would have had from a reputation perspective.
There have been other well-documented examples occurring more recently, particularly in the United States, with a number of high profile firms compromised by ransomware attacks.
So what can firms do to reduce this risk?
First and foremost, ensure ongoing and regular backups of your firm's data. Firms should look to ensure they have appropriate offsite recovery options in place, so that if the firm's primary site is impacted they have a backup to rely upon.
All of the usual security hygiene should be applied in the first place to reduce the risk of the malware infiltrating your firm's systems to begin with. This includes multi-factor authentication, adequate password protection, and ensuring software is updated regularly to patch known vulnerabilities.
As noted above, given many attacks occur through email, it is critical to ensure that the firm's staff and contractors have a good level of security awareness. We recommend running regular "phishing expeditions" with staff to raise their awareness and build good habits around email management and internet use. Many organisations can assist with these types of activities. They can be rolled out quickly, don't take a lot of time out of your day and are fun to do.
The Law Institute of Victoria has dedicated information on its website for firms keen to improve their cyber awareness.
Increased staff training should be supported through appropriate policy development. Incorporating security obligations right through from on-boarding new staff to off-boarding staff leaving the firm is important.
Incident response plans are a must have. Make sure these are regularly tested and are fit for purpose. An incident response plan sets out an agreed process for managing a cyber breach event and should also address how the firm will deal with a ransomware attack. Also remember to keep a paper copy. There are a number of organisations out there with brand spanking new incident response plans that cannot be accessed because they are stored electronically on a network now under lock and key from a hacker.
Finally, take the time to understand the genuine risk to your firm and what actions you can take to mitigate it. Reducing the risks associated with ransomware attacks does not happen in isolation. It should form part of a broader cyber security strategy and needs to come from the top down. Specific responsibility for privacy and data security should be allocated at board level, with sufficient investment in people, technology and process to combat this risk effectively.