  • Rosanna Hayes

Exploring Proactive Steps for Legal Services to Reduce Exposure to Cyber Risks

Last week, STORM’s CEO, Neil Hare-Brown, gave a presentation to law firms concerned with the increasing cyber threat to the legal sector, addressing cyber risk themes specific to the industry and proactive steps to reduce exposure.

This article will outline Neil’s presentation, further addressing key concerns and the measures law firms can take to strengthen their resilience against attacks.

2021 saw no shortage of cyber incidents, with law firms being one of the most common sectors STORM’s incident response teams are alerted to. The majority of attacks on the industry are Business Email Compromise (BEC), with ransomware also posing a substantial risk. In both ransomware and BEC incidents, data breaches are commonplace: a concern for legal partners.

Current trends

  • Q2 2021 saw a 233% increase in the daily average of ransomware attacks compared to the first half of the year.

  • Top ransomware types in Q3 2020 were REvil, Lockbit, and Conti.

  • Conti ransomware has been associated with more than 400 cyber-attacks against organisations around the world, frequently targeting hospitals, emergency medical networks and other organisations.

  • There was a 337% rise in phishing attacks on law firms during the first two months of lockdown (Solicitors Regulation Authority).

  • The amount of money pilfered in email scams in all their forms has been rising by as much as 300%.

The vast majority of cybercrime is fraud, albeit a modern digital fraud, which is the reason for its massive growth.

With cybercrime perceived as a low-cost, low-risk proposition for criminal groups, is it any wonder Mafia-controlled ransomware gangs are booming? With high returns and little chance of being brought to justice, cybercrime has now evolved into a Ransomware-as-a-Service (RaaS) business model: a pre-packaged, easy-to-deploy means of encrypting data networks and extorting victims for payment. With limitations on cross-border jurisdiction affecting the enforcement of cybercrime law, and operations that are easy to tear down and can be re-established in a matter of days, tackling the rise in cybercrime is a challenge that must be undertaken at a global scale.

The tools, techniques, and procedures used to attack law firms

Cybercriminals use manual analysis and automated tools to profile their victims and plan their attacks and scams.

  • OSINT: Attackers use Open-Source Intelligence (OSINT) and other security checks to find their next target.

  • ATTACK-CHAIN PROCESS: A target is often identified as part of an attack-chain process. As an example, attackers hijack one firm's mail system and are then able to see which counterparty firms they’re dealing with. They can then use this mailbox as a launch point to attack these businesses and/or specific clients.

  • CYBERSECURITY ISSUES: Attackers identify surface cybersecurity issues, such as system vulnerabilities.

  • DOMAIN ANALYSIS: Cybercriminals register domain variants and create email addresses with these domain names, faking the identity of the firm whose site has been replicated. Domain analysis also reveals the configuration of mail systems, which mail systems are in use, where systems are located (on-premises or in the cloud), which (if any) mail filters are being used, and whether any security is configured. This information tells them how easy it will be to spoof email addresses and fake a firm’s corporate identity and associated staff.

  • INFORMATION LEAKAGE: Law firms often list staff members on their websites; however, they need to consider whether it’s necessary to list the finance and IT teams there, as these roles are heavily targeted for information.

  • WEB PRESENCE: Law firms acting on behalf of clients often advertise this on their website and in their news. This makes it easy for an attacker to (once they’ve spoofed the identity of the firm) send in fake emails and fee invoices.

  • THIRD-PARTY ASSOCIATIONS: If an attacker can see other third-party associations affiliated with the legal firm, these can also be leveraged to create convincing scams.

  • SOCIAL MEDIA: Attackers can harvest information made readily available on social media to build a picture of individual movements, such as holidays. This intel can be used to build convincing attacks. Social media is also a useful source of information on job roles and functions.
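The DOMAIN ANALYSIS item above notes that a domain's published mail configuration shows how easily its addresses can be spoofed; a firm can run the same check on its own domain. The following is an added example, not material from the presentation: it classifies SPF and DMARC TXT records, using constructed records for placeholder `.example` domains and an assumed high/medium/low scoring heuristic.

```python
# Added example: classify a domain's published SPF and DMARC TXT records.
# The scoring heuristic and all sample records are assumptions for illustration.
SPF_ALL = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}

def spf_status(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"        # RFC 7208: more than one SPF record is an error
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            return SPF_ALL[term[0] if term[0] in SPF_ALL else "+"]
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"       # the policy lives in another domain's record
    return "neutral"            # no 'all' term: the default result is neutral

def dmarc_status(dmarc_txt_records):
    """Classify the DMARC policy published at _dmarc.<domain>."""
    for record in dmarc_txt_records:
        parts = (p.partition("=") for p in record.split(";"))
        tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts if v}
        if tags.get("v") != "dmarc1":
            continue
        pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
        if tags.get("p") in ("quarantine", "reject"):
            return "enforced" if pct == 100 else "partial"
        return "monitor-only"   # p=none (or no usable policy tag)
    return "missing"

def spoofing_exposure(txt_records, dmarc_txt_records):
    """Heuristic: only enforced DMARC protects the visible From address."""
    spf, dmarc = spf_status(txt_records), dmarc_status(dmarc_txt_records)
    if dmarc == "enforced":
        level = "low"
    elif dmarc == "partial" or spf == "hardfail":
        level = "medium"
    else:
        level = "high"
    return {"spf": spf, "dmarc": dmarc, "exposure": level}

# Constructed sample records for placeholder domains.
SAMPLES = {
    "firm-a.example": (["v=spf1 include:_spf.mailhost.example -all"], ["v=DMARC1; p=reject"]),
    "firm-b.example": (["v=spf1 include:_spf.mailhost.example ~all"], ["v=DMARC1; p=none"]),
}
for domain, records in SAMPLES.items():
    print(domain, spoofing_exposure(*records))
```

In practice the two record lists would come from TXT lookups on the domain itself and on `_dmarc.<domain>`.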

Key cyber risks 2021-2022


Ransomware is by far the most common incident and it is continuing to rise. STORM is seeing an approximate 10% increase in ransomware cases every month, and pretty much all of them involve data theft. This gives the criminals an extra lever to extort their victims, threatening to leak information to regulators, clients, and the press if they fail to settle the ransom demands.

Business Email Compromise

Mailbox hijacking is a very common incident driven by fraud, where attackers break into mailboxes looking for transactions either in progress or likely to be in future. In many cases, the initial point of compromise is weeks and even months before the actual attack, as they gather information and carefully plan the fraud. Attackers can also harvest business-critical information, sensitive personal information, and other data from emails and attachments as another lever to extort their victim.

IT service providers & cloud vendors

The number of attacks against online providers is on the rise, so it’s important to look at these vendors and understand their cybersecurity controls and procedures. Cybercriminals perceive IT Service Providers (ITSPs) as a valuable target. With their access to client IT systems and networks, ITSPs are viewed as being likely to pay out in the event of this data being compromised. In fact, ITSPs are likely to represent an insured's highest single cyber risk.

Key cyber safeguards

Addressing ransomware

One of the first things ransomware attackers do - either manually or in the automation of the ransomware - is seek out and encrypt the backups, so it is vital that data backups are held offline.

If backups are network-connected, they are very likely to be encrypted before anything else. Segment your networks so that if you do suffer an attack the effects will be limited, and ensure strict control over admin accounts, so that the number in use on your networks is minimal. Enable Multi-Factor Authentication (MFA) across all online accounts, and ensure remote access is only available via VPN with MFA.

Addressing BEC

Implementing MFA is an effective control, although there is no silver bullet in security.

There are rare incidents where attackers manage to learn the one-time codes; however, MFA still makes up for the extreme insecurity of passwords. Again, implement MFA on all online accounts: mail systems, case management systems, accounting systems, HR systems, etc. If you have any vendors providing cloud services to you that don’t support MFA, then find an alternative vendor. Ensure your email filters are all protected, and enact regular staff training and phishing tests.

Addressing service provider risk

Perform Due Diligence on Service Providers. With third-party IT service providers, you can be in control of the contract.

Make sure they have professional indemnity cover, and they’re obligated to let you know about any incidents they suffer and to support you in the investigation of an incident. Request the training and qualification details of all the staff accessing your systems, and if they are performing security duties for you, ask for their cybersecurity certifications. This can all provide assurance that the ITSP is going to provide a secure service and reduce your risk.

For cloud service providers, check they have the right accreditations: do they have ISO 27001 (international standard for Information Security Management), are they covered under the payment card industry certifications, and do they have ISO 9001, which would give you an idea if they’re running quality processes. Also, make sure they have encrypted your data and that it’s segregated from other firms’ data. Implement MFA on all online accounts and ensure you use a different password for each account too. Offboard from, and shut down accounts on systems you don’t use, deleting all data and ensuring your vendor can provide assurance that they have done the same.

Have a plan

Have a cyber incident response plan, with a list of specialists you can rely on in the event of an attack, making sure you understand what might be needed depending on different types of incidents.

Senior management and crisis management teams may need different plans from IT teams, who will need a variety of plans depending on the incident.

STORM Incident Response Services

In the event of an incident, STORM Guidance host a range of services to assist with every aspect of an attack.

The incident response teams follow steps to coordinate the investigation and recover IT and lost funds.

  • Our team attends a call with your management and IT specialists.

  • We agree a plan for action where recovery is paramount, and evidence preservation is key.

  • Recovery strategy and objectives are agreed, and resources are obtained to ensure the return of business-as-usual.

  • We begin to execute the recovery strategy, building new operational case management systems for example, and then migrating all existing clean systems into it.

  • Our investigation proceeds, uncovering the point of compromise as well as containing and eradicating any further security issues.

  • Our legal and crisis PR specialists work with management to formulate and execute a notification strategy for regulators, clients, and other third parties.

  • We also begin ransom negotiations to obtain Proof of Life of stolen data, proof of decryption, to win time for notifications, and to consider options.

  • Systems are recovered and a comprehensive investigation report satisfies insurers and regulators. Reputational harm is minimised.

  • Upon recovery, we also provide victims of crime counselling to staff who have suffered trauma.

How can firms contain their exposures?

Cybercriminals are searching for weaknesses in their victims’ people, processes, and technologies. Become a hard target.

Undertake a comprehensive cyber risk assessment and ensure you do this regularly. Assess your online presence with an Attackers Eye View™ scan, enabling you to actively defend your business against data breaches and fraud.

Build and test a cyber incident response plan that covers the strategy, the tactics, and the operations. Work towards improving your cybersecurity in key areas, such as regular data backups that are isolated from your networks, arranging the backups for optimum recovery, and performing regular ‘test restores’.

And we cannot stress this enough: deliver regular user training with cyber threat awareness and phishing tests. STORM prepares organisations to respond to cyber incidents through immersive exercises and attack simulations. Our scenario-based drills ensure your procedures are understood and effective. Should a cyber incident occur, we will continue to assist you with our incident response services.
