Keep Vigilant and Carry On: How Law Firms Can Learn from Cybersecurity Cautionary Tales
Looking back at the past year of cybersecurity incidents and breaches, it is clear that hackers are getting smarter and more creative. Legal IT professionals can learn from these examples and strengthen their firm’s security network and protocols accordingly.
As appeared in Law.com on August 1, 2022
By Jessica Mifflin, Aderant
According to the Ponemon Institute and IBM’s Cost of a Data Breach Report 2021, the average total cost of a data breach increased from $3.86 million to $4.24 million in 2021. The report indicates a 10% year-over-year increase in the average total cost of a breach. Personally identifiable information (PII) breaches now have a cost of $161 per record for organizations. The average number of days it takes to identify a breach increased from 287 days to 316 days as the pandemic forced many into remote workforce situations. If peace of mind is what you seek, these numbers are headed in the wrong direction.
If businesses, including law firms, could identify and contain a breach within 200 days rather than the aforementioned 316 days, they could save up to 30% on costs associated with the breach. However, just when you think you have security under control, another threat emerges, forcing you to change course. Being in a state of constant vigilance is not easy, but legal IT professionals need to approach security as a daily 24/7 battle they must continuously fight. This is the only way to avoid becoming the next cybersecurity cautionary tale.
Looking back at the past year of cybersecurity incidents and breaches, it is clear that hackers are getting smarter and more creative. Opportunistic “bad actors” prey upon both individual users and organizational networks, wreaking havoc and ultimately costing companies money, time, and reputational damage. By examining some of the biggest security snafus of the past year, legal IT professionals can learn from these examples and strengthen their firm’s security network and protocols accordingly.
SolarWinds: SolarWinds is a network monitoring software, and hackers compromised a software update that customers downloaded directly from the company’s website. Believed to be directed by Russian intelligence, the hackers used the update as a vehicle to slip malicious code into the SolarWinds software, thereby propagating a massive cyberattack infecting each system it touched with backdoor malware. Through the attack, hackers gained access to SolarWinds’ own systems, those of their clients, and beyond.
Lessons Learned from SolarWinds: Receive and apply security updates in a timely manner. Instill strong security practices within the development team and harden build environments.
Colonial Pipeline: One of the most impactful cybersecurity events in 2021 was the ransomware attack on the Colonial Pipeline, which halted operations for five days and resulted in a temporary fuel shortage across the East Coast. Hackers gained access to a VPN account password, which granted them access to the company’s network, and used it to take down Colonial’s entire infrastructure. Mandiant, a well-known security research firm, believes the account and associated password were ironically no longer actively in use, but the credentials were still enabled, allowing access to Colonial’s network. The password used by the hackers was discovered in a batch of leaked passwords on the dark web. Just over a week after their systems were taken down, Colonial received a ransom message asking for 75 bitcoin, about $4.4 million, which they paid within hours.
Lesson Learned from Colonial Pipeline: Disable all unneeded accounts and passwords within 24 hours of them no longer being needed or used. Also, use multi-factor authentication for all user logins, a strong control that should be deployed across all accounts.
Log4Shell: Log4j is an open-source, Java-based logging utility provided by Apache that is widely used in many software applications and services. Log4j records events and communicates diagnostic messages to system administrators and users. Log4Shell is a vulnerability in Log4j that hackers exploited so that a third-party server could submit code which then performed various nefarious actions on a targeted computer. Targeting IP addresses in the U.S. and several other nations, the hackers essentially took full control of Log4j clients’ systems and sent malicious content to the systems or users with which they communicated. The widespread use of Log4j and the ease of exploitation earned this vulnerability the maximum score in the Common Vulnerability Scoring System (CVSS). This attack happened in December 2021, right around the holidays, a time when many people are typically on vacation, so it had companies scrambling to determine impact and remediate as quickly as possible.
Lessons Learned from Log4Shell: When Log4Shell hit, security solutions providers notified clients of the vulnerability so they could quickly investigate their entire environment and infrastructure to determine whether Java was in use. The use of scanning solutions and scripts to identify instances of Log4j also contributed to quick diagnosis and remediation of the problem. The key here is to be able to scan and examine your own systems quickly and to communicate with your third-party integrated solutions, suppliers, and business partners to determine whether they were impacted.
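As an added illustration of the "scan your own systems" lesson (example code written for this article, not a tool from the author or from Aderant), the following script walks a directory tree, opens every .jar/.war/.ear archive, and reports any that carry Log4j core's Maven version record or its JndiLookup class, the class whose removal from the jar was a widely used interim mitigation. The marker paths are the standard Log4j core layout; the two sample jars it builds in a temp directory are constructed fixtures, and nested archives (a jar inside a war) are not unpacked.

```python
import os
import tempfile
import zipfile

# Markers inside a Log4j 2 core archive: the Maven version record and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_archive(path):
    """Return (version, jndi_lookup_present) if the archive is Log4j core, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                return None
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), "unknown")
            return version, JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None  # not a real archive; skip it rather than abort the whole scan

def scan_tree(root):
    """Walk a directory tree and report every Log4j core archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, name)
                result = inspect_archive(full)
                if result is not None:
                    findings.append({"path": full, "version": result[0], "jndi_lookup": result[1]})
    return findings

def make_sample_jar(path, version=None, with_jndi=True):
    """Write a constructed jar mimicking the Log4j core layout (empty class body; fixture only)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")

def run_demo():
    """Scan a temp tree holding one constructed Log4j core jar and one unrelated jar."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "other.jar"), None, with_jndi=False)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(run_demo())
```

Point scan_tree at an application or server root to get an inventory of Log4j core versions to compare against the Apache advisory; anything reported with JndiLookup still present is a candidate for patching or mitigation.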
Russia/Ukraine Conflict: In addition to the person-to-person physical atrocities taking place in Ukraine, Russia has also engaged in cyberwarfare targeting Ukraine infrastructure and government. Because of various sanctions and the United States’ opposition to the war, there are obvious concerns that Russia-aligned hackers could target U.S.-based organizations. The Cybersecurity and Infrastructure Security Agency (CISA) has warned state and local governments as well as aviation and energy providers to be on high alert, for good reason.
Lessons Learned from Russia/Ukraine Conflict: This is an ongoing situation that is still developing and evolving. CISA’s US-CERT is a good resource that provides updates related to Russian cyber activity. Companies should also rely on their security solutions providers for updates and alerts. Security tools in use should be calibrated to alert on any anomalous activity so companies can be notified in real time and respond accordingly.
Phishing and Ransomware: Phishing attacks are responsible for more than 80% of reported security incidents. According to Cisco’s 2021 Cybersecurity Threat Trends report, about 90% of data breaches occur due to phishing.
According to the IBM Report, the total average cost of a ransomware attack is $4.62 million—almost 9% more expensive than the average cost of a data breach.
As per Sophos State of Ransomware 2021, the average ransom paid by mid-sized organizations was $170,404 while the average cost of resolving a ransomware attack was $1.85 million. This cost includes downtime, people time, device and network costs, lost opportunities, ransom paid, etc.
Many phishing and ransomware attacks originate because of individual end-user mistakes. Just one clicked link or leaked password could allow hackers to gain a foothold.
Proper training on how to avoid such attacks is key to protecting your organization. Just as important, however, is training users on how to respond to attacks if they do become compromised. Here are key best practices firms and their users should keep in mind to best avoid and respond to such attacks:
- If a suspected breach occurs, immediately disconnect from the network, disable Wi-Fi, unplug cables, turn off Bluetooth and put PCs and devices into Airplane Mode.
- Shut down all network-connected devices. Whether in the office or working remotely, users should turn off their machines and disconnect external devices such as USB drives, phones, and cameras, which could also be compromised.
- Have the user take a photo of the ransomware message and report the attack to the security incident response team (SIRT) or IT from a different device NOT affected by the attack.
- Educate users on emergency response training, including how to report ransomware to the SIRT or IT. This includes a dedicated SIRT email box, instant message option, and/or phone number. Consider tagging all laptops with this information.
- Advise users to avoid the following in potential ransomware scenarios:
  - Turning off devices, as data may be needed for forensic analysis.
  - Clicking on any link, responding to the message, or forwarding the email to anyone else, even IT.
  - Reporting incidents from the infected device.
Keep Vigilant and Carry On
Law firms need to carry on conducting business despite ubiquitous security threats. Prevention is obviously the best path, but diligent efforts to avoid a breach or attack do not always yield a flawless result. Learning from a constant barrage of security threats, ongoing training of users, and continually making improvements to harden security provide the best chance for law firms to avoid becoming a cautionary tale. Being prepared to spot, mitigate, and remediate security threats quickly and effectively will stand a law firm in good stead to keep vigilant and carry on.
Jessica Mifflin CISSP, CISA, PMP is Director of Information Security and Privacy at Aderant. She is responsible for the protection of IT and information assets and the overall information security strategy at the company. With over 15 years of experience in information security leadership roles, she has overseen vulnerability management, risk management, IT compliance, incident response, and IT governance functions.
