Ed. note: This is the latest in a new article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.
Two New Law Firm Breaches in the News
On April 22, it was reported that midsized law firms McCarter & English and Stevens & Lee had suffered data breaches.
McCarter & English said it is actively investigating a network security incident that “impacted the availability of [its] computer systems.”
Leaders at the New Jersey-based firm said they restored key systems in the week after the incident occurred the weekend of April 9, including access to email. Their lawyers’ ability to perform services for clients was “not significantly impacted,” according to the firm.
“Upon discovering the incident, we took proactive measures to contain the incident and initiated an investigation. Law enforcement was also notified,” the firm said. “The investigation into the incident remains ongoing.”
According to the American Bar Association’s 2021 technology survey, solo and small firms continue to lag behind larger firms when it comes to their tech budgets, with only 43% of solo and 50% of small firms responding that they budget for technology, compared to the 65% of all firms indicating they budget in technology.
Our own experience is that even those who budget for technology don’t separately budget for cybersecurity defenses. While small and midsize firms consistently believe that they are not at great risk, they do not understand the mindset of cybercriminals. Law firm size doesn’t matter as much as the clients they serve and the extreme likelihood of weak security in smaller firms.
We know we harp on two-factor authentication, but it appears that McCarter & English’s data breach highlights the critical role that two-factor authentication can play in a firm’s cybersecurity. McCarter & English already had a multifactor system for authentication. However, after the incident, the firm migrated to a data security company Duo for onsite as well as remote access to the firm’s systems.
A report released by Duo states that multifactor authentication has grown significantly across industries in recent years, from 28% of respondents indicating use in 2017 to 79% in 2021. We are sure 79% of law firms are NOT using multifactor authentication. While the number of respondents using two-factor authentication for at least some applications shows a sharp increase between 2017 and 2021, only a minority of respondents, 32%, report using it on all applications that offer it.
While law firms are waking up to the need for multifactor authentication, they are waking up slowly – and still battling the “it’s too annoying” bleating from lawyers who should be more concerned about their ethical duties of technology competence and ensuring client confidential data. Cry all you want, but your cyberinsurance carrier will most likely force you to implement MFA or impose huge premium increases or deny coverage.
Stevens and Lee’s data breach consumer notification letter, dated April 7, 2022 (only recently made public) may be found here.
The breach took place in June 2021 and not much is known about it at present.
Cole & Van Note, a consumer rights law firm, announced on April 19 its investigation of Stevens & Lee Law Firm on behalf of its consumers/clients. According to Cole & Van Note, the private information of a very large number of people may have been stolen in the breach.
New Data on Breaks
Costs associated with data breaches rose from $3.86 million to $4.24 million on average globally in 2021, according to a report recently released by IBM. The cost of cyber insurance rose between 30-40% in 2021, with additional exclusions often part of the contract.
Mandiant reported in late April that it had identified 80 zero-day vulnerabilities exploited in the wild in 2021, an all-time high. In 2021, state-sponsored attackers exploited the most zero-day bug – and yet again, China had more zero-day exploitations (8) than any other country.
Lawyers should note that Microsoft says the attackers were exploiting zero-days to confiscate data from US-based defense contractors, law firms (emphasis added), and infectious disease researchers. China’s spying has become increasingly brash. Perhaps understandable in light of how occupied we are with the Russian war on Ukraine.
Mandiant’s M-Trends 2022 Report contains some good news. Enterprises are learning about the security breaches that affect them sooner. The bad news is that earlier detection is partly due to a function of the nature of the attacks, including an increase in ransomware attacks.
The global median dwell time (the median number of days an attacker is in a target’s environment before being identified)—fell to 21 days in 2021 from 24 days in 2020. The report is based on investigations tracked by the company between Oct. 1, 2020, and Dec. 31, 2021.
Over the past decade, Mandiant reports that median dwell time has declined a lot. In 2011, the median dwell time was more than a year. In 2019, the median dwell time was 56 days. Mandiant attributes the drop in the past few years to both improvements in enterprise detection and response and the increase in ransomware attacks. If you think about it, that makes sense. If the attackers are focused on stealing trade secrets, they want to remain hidden. But if it’s an extortion attack, they generally want to make themselves known and demand a ransom quickly, though they may seek to destroy backups and logs first!
The report found software exploits to be the most common point of an initial infection. According to Mandiant, 37% started with such an exploit, while 11% were the result of phishing attacks. Successful supply chain compromises rose, up to 17% this year from 1% last year.
Now that’s a striking stat.
Also, Mandiant found business and professional services (yes, that would include law firms) and financial services were the top targeted industries, at 14% each. They were followed by health care (11%), retail and hospitality (10%), and tech and government (both at 9%).
The main findings of the Sophos State of Ransomware 2022 global survey, which covers ransomware incidents experienced during 2021 included:
• Ransom payments were higher – In 2021, 11% of organizations said they paid ransoms of $1 million or more, up from 4% in 2020, while the percentage of organizations paying less than $10,000 dropped to 21% from 34% in 2020.
• More entities are paying up. In 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom. Twenty-six percent of organizations that had the capacity to restore encrypted data using backups in 2021 also paid the ransom.
• The average cost to recover from ransomware attacks in 2021 was $1.4 million. On average, it took one month to recover from the damage and disruption.
• Eighty-three percent of mid-sized organizations had cyber insurance that covered a ransomware attack. In 98% of incidents, the insurer paid some or all costs incurred (with 40% covering the ransom payment).
• Ninety-four percent reported that getting cyberinsurance in the last year was tough, with greater demands for cybersecurity measures and more complex and expensive policies There were also fewer insurers offering cyberinsurance.
In light of continuing data breaches of law firms of all sizes, firms need to ratchet up their cybersecurity. Because the threats (and defenses) are always in flux, it is really an imperative to have a security assessment at LEAST annually and then to immediately remediate any critical vulnerabilities that are found.
If you think it is easy to convince law firms that these regular assessments are imperative, let us assure you that it is not!
Sharon D. Nelson (firstname.lastname@example.org) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek (email@example.com) is the vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke (firstname.lastname@example.org) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.