A four-step guide to how law firms can limit their exposure to further cyber theft and legal liabilities after an attack.
For legal professionals, the latest widespread ransomware attack hits close to home. DLA Piper offices across Europe and the United States were crippled by ransomware in what was the first publicly acknowledged law firm victim of the attack. It is too early to tell if DLA Piper is the only firm to be affected, but its breach speaks to a broader vulnerability law firms across the globe face against increasingly sophisticated cyber threats.
And while many law firms are building out their cybersecurity defenses, it is far from clear whether they will be ready once an attack happens. It is often the steps taken post-breach that can most limit a law firm’s damages, but what exactly do those steps include? Here is a look at some of most important actions law firms should take immediately following a cyberattack:
1. Hire experts to understand the extent of the damage.
After a cyberattack, having a clear picture of what data was and wasn’t breached can protect a law firm from publically understating or overstating its severity. This can limit client ire, reputational harm and legal liabilities that come with having to correct the record.
But understanding what transpired during a breach is a tall task, and as Robert Cattanach, a partner at Dorsey & Whitney noted, one best left to the experts. “The No. 1 thing to do after an attack is get an independent assessment of its consequences,” he said. “It is too important a topic to rely completely on your own IT resources.”
Cattanach noted that while law firms’ “internal IT capabilities are usually very good, they don’t do forensic examinations for a living.”
Further, having an inexperienced IT department handling the post-breach assessment is “like having somebody walk all over the crime scene,” he added.
2. Investigate the attack’s scope.
Though ransomware attacks like the one experienced by DLA Piper seem solely focused on locking down data in lieu of a payment, underneath the surface, they can be far more active.
“Ransomware attacks can often serve as smoke screens or distractions serving to mask other nefarious operations, which may result in the theft of data,” said Austin Berglas, senior managing director and head of the cyber defense practice at K2 Intelligence.
As an example, Jason Smolanoff, senior managing director and global cybersecurity practice leader at Kroll, pointed to a type of ransomware that takes screenshots on the computer it has infected. “If you have client data open while the ransomware is trying to affect files or executing on your system, it is potentially capturing sensitive data.”
Bringing in forensic experts to uncover just how deep ransomware penetrated into a system, even if its reach seems limited, is therefore a must in any post-breach response.
3. Identify and fix exploited vulnerabilities.
Under state breach notification laws, law firms who suffered an attack must understand what data was lost and communicate this to affected parties. But under American Bar Association ethical rules, law firms must also make sure that client information is not potentially comprised again.
To this end, law firms need to perform what Cattanach called “after action review,” i.e. an assessment of how the firm’s defenses were bypassed. The review should answer a core question: “What was the process or the procedure that failed, and why did it fail?”
The review highlights the weak link within a firm’s cybersecurity program, whether it be human error, ineffective defenses or unpatched operating systems like those exploited in the Wannacry attack, and can form the starting point for future improvement.
4. Triage backups and stop malware spread.
Having a recovery system regularly backup data is the only way to protect against a ransomware attack. But even more vital is ensuring that the system is “separated and segregated” from other systems prior, during and especially after an attack. This, Smolanoff said, is when the risk of ransomware spreading is still real.
In addition, law firms should try to halt a malware’s spread by cutting it off its distribution channels. One of the most widely-used deployment mechanisms of such malicious files is through highly effective spear phishing emails, which trick a user into opening a malicious attachment file.
On the chance that phishing emails are still being sent to users on a network, Smolanoff advised “blocking file extensions [in emails] that normal users have no business opening.”
But there are many ways to stop the spread. DLA Piper, for example, turned off all its network servers and ordered all firm computers and systems to remain off in its worldwide offices. An abundance of caution, after all, is necessary until one knows exactly how to plug their weak point.
Contact the reporter at email@example.com.