Chris Hannett is a director of the 'active cyber risk management' company Cymplify and has worked in the cyber security field for over a decade.
In this article he gives us an illustration of what happens when a law firm is successfully attacked, told in the voice of an imaginary law firm’s managing partner. (7 February 2023)
(Note: Chris and others were interviewed on this topic in the webinar Risk protection including cyber security on 9 February 2023.)
“The moment I switched on my laptop, I knew that we were in serious trouble. The message that flashed up on my frozen laptop screen that morning was unequivocal. Our firm had been attacked, all of our systems and files had been encrypted and our entire ability to operate was locked. The message then gave the instructions for paying the ransom in crypto-currency Etherium, in order to receive a ‘key’ to unlock everything. It said our firm had 24 hours to pay, or else the ransom price would increase each hour.
“Thoughts rushed through my mind. How did the attacker get into our system? Were we insured against an attack like this? Should I pay the ransom? Would we really get all of our data back? Did we have back-ups? Would the back-ups work? How good was our contingency planning for an attack and how out-of-date was it? Who should I tell? And so on.
“My mobile phone did not seem to be affected. My first call was to my secretary, asking her to tell certain people in our team that we were in this emergency situation.
“Next I called our IT support company and spoke to a director there on his mobile. He told me he would call back as soon as he had looked into it, meanwhile he would call our web hosting provider and our cloud service provider.
“Then I had a quick look at our PI insurance policy, as we keep a hard copy of that. Cyber was mentioned, but there did not appear to be any specialist support available as part of the policy. (In 2023 standalone cyber insurance is much more commonplace.)
“The rest of my team was now arriving. We dug out our plan for a cyber attack and skimmed through it. In fact it was a general business continuity plan. It used a templated approach that covered fire, flooding, power cuts, loss of a computer, and yes, a cyber attack. But it was badly out of date and had only a few details added in. A box-tick in other words, no doubt done at a time when we were all extremely busy. The author had helpfully included links to all sorts of other documents, such as our asset register and a list of staff’s home and mobile phone numbers, but those documents were now inaccessible.
“One team member was tasked with calling Action Fraud, to get immediate advice. Their helpline has a live incidents option, which enables you to get through to an adviser immediately. She asked a series of questions to confirm the exact nature of the attack. Then she suggested that we should read the appropriate advice sheets from Action Fraud’s ‘Resources and information sheets’ page; and she said that she would pass her summary of our firm’s attack on to the National Fraud Intelligence Bureau (NFIB), which Like Action Fraud is a unit within the City of London Police. We were told that our local police force would also be alerted, and/or the National Cyber Crime Unit.
"I asked our COLP to contact our insurer and report the incident and to seek any help from that quarter.
“We then quickly worked out roles for the other members of our team. Most people went off to borrow laptops that were not part of our firm’s network, so we could see what (if any) access we had to any of the systems we use, then immediately try and educate ourselves on what the issues were.
“Of course, almost all of the advice was about how to prevent an attack from succeeding in the first place (advice that we obviously wished had been heeded before this happened): identifying all the systems and fixing potential weaknesses, training the team in how to spot phishing attacks, having a complete recovery plan including roles for each member of staff and printed out lists of who to contact and their contact details, and then testing out the plan using exercises such as the National Cyber Security Centre’s free ‘Exercise in a Box’.
“We ran through the NCSC’s ‘10 crucial questions’ list. Question 5 was alarming: Have your customers noticed any problems; can they use your services? What if emails were being sent out in our name, asking for payments to be made and so on? So we called a few friendly clients, and quickly established that our website was down, as was our email and our client portal, but there were no signs of any emailing.
“Meanwhile our IT support company, or managed services provider as they call themselves, was busy trying to work out how the hacker got in, and starting to set up an alternative network. But they were worried that our back-ups might already have been infected with malware that would let the attacker back in. They said that professional hackers who come across a potentially lucrative target like a law firm (with its client account full of money and masses of extremely confidential personal and financial information on its servers) tend to wait six months on average before striking. This gives the attacker time to get to know the firm, how it works, what deals are being worked on, and where everything is kept. Malware can be planted into the data that is being backed up, while the attacker gradually gets into more and more parts of the network, waiting patiently to find the best time and method to attack.
“There were so many unknowns and it felt as though we were amateurs being attacked by experts. We almost decided to pay the ransom, because the cost per day of not being able to work, along with the damage to our reputation, was disproportionally high. We even made enquiries which made us believe that there was a good chance of being given the key if we did pay the ransom, whereas it was anyone’s guess how long we would be out of business if we did not pay.
“As it happened, our IT support company were confident that they could re-set our equipment, reinstall the software and upload our backed-up data. Vital elements like email could be up and running within 24 hours and gradually more and more data and systems would be tested and reintroduced.
“They said that the source of the problem was an item of hardware with old, unpatched software on it. That was the ‘open window’ that allowed the attackers to gain entry to our system.
“And they did manage to get everything back up and running. I suppose our attackers were not that thorough after all, so we realise now that we got off lightly.
"We were careful to check who we needed to report the incident to. In our case we ascertained that our client data had not been breached, as it was all encrypted. So we did not have to report it to the SRA or ICO.
“I need not tell you that we are a very different firm now. For a start, we now have a standalone cyber insurance policy, which gives us instant access to a team of cyber experts in the event of an incident. But we never, ever want to have to go through that stressful cyber nightmare again, so we have taken a ‘belt and braces’ approach, just so we can all sleep at night. We are extremely diligent with monitoring and understanding our ongoing cyber exposure, with our Backup and Disaster Recovery plans (which now include a full Cyber Incident Response Plan), our software patches, our passwords, with restricting access to files and implementing Multi-Factor Authentication wherever we can, and with security generally. We are also now continuously training our people on Cyber Awareness and we are regularly testing both them and the systems themselves. It’s all part of the ‘new normal’, as they say.”
- NSC Cyber Threat Report: UK Legal Sector (June 2023, 24 pages)
- 10 steps to cyber security for law firms
- Cyber security for law firms FAQs
- Webinar recording: Risk protection including cyber security (February 2023)
- Solicitors Regulation Authority cybercrime resources