After DLA employees lost access to computer and phone systems in a ransomware attack that affected organisations worldwide, we’ve spoken with cybersecurity experts to take an in-depth look into what this means for the global law firm and how it will affect the sector as a whole.
The latest ransomware outbreak, labelled Petya, comes only a month after the high-profile WannaCry attack let loose on the NHS. Originating in Ukraine, the virus attacked the country’s state power company and Kiev’s main airport, spreading out to numerous multinational companies across the globe, with some of the biggest names including Cadbury owners Mondelez, advertising giant WPP and pharmaceutical company Merck.
As one of the ransomware’s victims, DLA Piper are under serious scrutiny within the legal industry, particularly given that the firm recently published a nine-step cybersecurity guide following the WannaCry attack last month. Managing director at Crossword Cybersecurity Stuart Jubb has told us that: “In the longer term, this could really implicate the firm’s brand. Questions will be asked on how secure their networks are and clients will reconsider whether they want their confidential data stored with their law firm advisers.” To make matters worse, DLA is also the first law firm to have made public a ransomware virus within its systems. However, speaking with an FBI Agent, Bloomberg’s Big Law Business discovered that DLA isn’t the only law firm to suffer a ransomware attack, and that “other law firms have avoided such publicity from such attacks by paying a ransom to hackers.”
This isn’t the first major cyber scandal to surface in the legal sector – Panamanian law firm Mossack Fonseca experienced a massive data breach that led to the Panama Papers scandal and a subsequent investigation into the firm. The type of attack, however, differed from Petya, and as it was likely carried out by an insider with knowledge of its systems, it didn’t raise enough concern for firms to re-evaluate their strategy for data security. “This week’s attack will certainly have more of an impact to law firm attitudes than the Panama Papers did,” says Jubb. “And the more of these incidents that take place can only help firms take notice and realise that changes need to be made.”
This attack brings to light a major issue that almost all global law firms face today. Peter Wright, the founder and managing director of DigitalLawUK, describes how office mergers and acquisitions have put firms at risk: “DLA were at risk because they operate under an awful lot of legacy systems, and contrasting infrastructure.” These legacy systems exist because firms are rapidly absorbing new offices, without effectively integrating their IT. “Problems arise because individual parts of the network are more vulnerable than others. You could find a whole city’s offices operating in an entirely different way to another.”
“It’s easier for a law firm to grow through acquisition rather than organically. And this issue isn’t just faced by law firms, Mondelez was also attacked, most likely because they also operate under a patchwork of different systems,” Wright explains.
So what are the next steps?
It seems that, in order to remain protected, firms must change their attitude towards security measures. Wright states: “You can’t just throw money at it. Firms change and evolve constantly so it needs to be an ongoing effort and strategy rather than a quick fix.”
“There needs to be a shift in internal culture and mindset towards cybersecurity,” says Jubb. “And this can only come from the top down. It’s something that needs to feature on a board’s agenda.”
As cyber attacks continue to target and infiltrate global organisations, law firms must place more importance on their cybersecurity measures. In an industry that relies so heavily on confidentiality and data, firms need to ensure that not only are senior management up to speed with the threats they face, but that there is a firm-wide understanding of these risks.
Crossword Cybersecurity is a technology commercialisation company focusing exclusively on the cyber security sector.
DigitalLawUK is a UK law firm specialising in online, data and cyber law.