Unfinished Business: The Pandemic Cybersecurity Gaps Firms Haven’t Filled  

While many firms have risen to the challenge of securing a remote workforce, some may not be aware of the evolving threats on the horizon—or in their inboxes.

Background:

Business disruption plans weren’t made for a pandemic. And neither was law firms’ cybersecurity. The transition to a remote workforce last year left many firms scrambling to address their heightened cyber risks and plug vulnerabilities in their IT systems.

Almost two years later, however, it’s clear that firms have made great progress closing the gap. They’ve gotten their employees set up with secure devices, implemented VPNs, and expanded the frequency and scope of cybersecurity training, among other measures, all while tailoring those fixes to a more remote workforce.

But for all their success in meeting the challenge, a few worrisome oversights still remain. And it’s possible that some firms don’t even know they exist in the first place.

For one thing, firms may be underestimating just how advanced some phishing scams have recently become. “I think they’ve come a long way from where they were, let’s say December 2019, but there’s still a couple of gaps. One is they don’t understand how sophisticated these attacks are and how much harder they are to distinguish from what they would consider to be legitimate senders of legitimate traffic,” said Mark Sangster, vice president and industry security strategist for detection and response provider eSentire Inc.

He added, “I don’t know that they’ve truly come to terms with the adversary they face and how sophisticated, how targeted and how dedicated these criminal groups are.”

As one example, he pointed to a cyberattack in June of this year, where a cybercrime group named FIN7 tricked a firm into opening a fake legal complaint purporting to be from the Brown–Forman Corporation, a wine and spirits company. The email was not picked up by the firm’s spam filters, nor flagged as suspicious by firm employees, according to eSentire.

Such sophisticated attacks are even more troublesome because some firms, primarily smaller ones, still aren’t placing enough emphasis on cybersecurity training. “Many smaller firms aren’t… making sure their employees have a cybersecurity posture by using security awareness training, and sending out spam and spoofing emails to test their employees,” said Michael Glasser, equity partner at Frontline Managed Services.

He added, “I think a lot of smaller firms are still under the impression that ‘it can’t happen to me.’”

Still, training is most valuable if firms stay aware of the evolving ways cyberattackers are attempting to infiltrate them. “Whether they’re a small firm or medium-sized firm, they’ve always got to be on top of what’s going on in the industry so they can properly train their people,” said Gulam Zade, chief legal officer at Frontline Managed Services.

But it’s not just hyper-targeted phishing scams that demand more law firm attention. Sangster noted that law firm-specific infrastructure could also come under more threat in the near future.

“So in 2021, I called that the year of IT utility and infrastructure attacks. We had SolarWinds, Kaseya, and Microsoft and Citrix—all of those [companies] were all attacked and when their systems were infiltrated then the criminals could use those trusted systems to then infiltrate their client base, [which included] law firms in this case,” he said.

“What I predict is going to happen, and 2022 could be the year for it, is an attack where criminals target a specific infrastructure within a law firm. … So what happens, as an example, when they target a specific document management system or a specific time and billing system, and they are able to discover a vulnerability?”

To be sure, many firms are paying attention to the security of the legal tech systems they employ, and many legal tech companies have also made cybersecurity a priority in their products. But Sangster cautioned that “some of these vendors don’t have the same level of resources as major players like Microsoft or Citrix, so they need to be extra diligent.”

Unfortunately, it’s not an unrealistic scenario—just last year, both an e-discovery provider and a case management tool were hit by ransomware attacks.

By: Rhys Dipshan
