British law practices of “all sizes and types” have been warned by GCHQ’s cyberspy arm that their “widespread adoption of hybrid working” combined with the large sums of money they handle is making them a target.
They also warned that the connections these companies have with the “supply chain” of enemy states is also painting a target on their backs.
Yep, we’re also picturing their techies trying to persuade a solicitor who bills £1,000+ an hour not to use shadow IT.
The cyberspies released a report [PDF] yesterday saying that legal staffers starting to work from home in a process “accelerated during the COVID-19 pandemic” were more at risk from online attackers. Besides the mega cash transfers, the firms also often handle “sensitive information,” said the National Cyber Security Centre (NCSC), making them “particularly attractive targets to attackers.”
But the practices didn’t come in for the type of kicking dished out by big tech leaders, who have said WFH mandates are bad for morale and can stunt innovation. Instead, the NCSC noted that the “shift to remote working” had increased productivity across the legal sector, “with most staff being happier and no longer having to commute” as well as being “able to concentrate and contemplate better.” However, it added, this shift makes collaboration and communication more difficult, which is where criminals’ phishing emails and other attacks come in.
Smaller practices face a particular risk because of their reliance on external IT contractors, which makes it “challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face,” the report adds.
The NCSC said it was “increasingly” seeing “hackers-for-hire who earn money through commissions to carry out malicious cyber activities for third party clients, often involving the theft of information to gain the upper hand in business dealings or legal disputes.”
“For their clients, they provide technical capabilities and deniability of involvement in the cyber attack were it to be discovered.”
Not just your everyday bad guys – enemy states too
The spy agency also warned that Russia, Iran and North Korea were all “using criminal actors for state ends, operating to raise funds and cause disruption using criminal malware techniques.”
The report goes on to warn that “major law firms are particularly exposed because they may be part of the wider supply chains used by nation states.”
It warned legal firms’ IT crews should:
The NCSC was formally launched in 2017, and is a part of the Government Communications Headquarters (GCHQ), one of the three arms of UK intelligence and security, along with MI5 (national security agents) and MI6 (aka the Secret Intelligence Service).
INSIDE GCHQ: Welcome to Cheltenham’s cottage industry
The NCSC once again cautioned businesses not to pay the ransom, noting “there is no guarantee that you will get access to your data or computer; your computer will still be infected; you will be paying criminal groups; you’re more likely to be targeted in future.”
It also warned the sector to keep make sure staffers can reset their own passwords easily as they will “forget passwords,” restrict users’ account permissions and data access to only those that are needed, implement multi-factor auth and to keep software, especially operating systems, up to date. “Set devices to ‘auto-update’, if you can, and apply security patches as soon as they become available,” it suggested. Offsite backups, and contacting NCSC itself if approached by attackers, was another piece of advice.
The group said IT should keep “strict controls over any means of remote access to your system,” and keep testing disaster recovery and backup plans regularly.
Lawyers were among those most at risk of being targeted by Pegasus, the software sold by Israeli firm NSO Group, which can extract all of a mobile device’s data and switch on its microphone to silently listen in on conversations, the report added.
The NCSC also warned firms to think more carefully about contractors and third party security, noting: “By far the greatest supply chain issue is a third party failing to adequately secure the systems that hold your sensitive data.”
In addition to asking the companies to institute the usual sensible security checks and to sign up the NCSC’s own Cyber Assurance scheme, it also asked businesses to get “senior leadership” such as board members, owners and partners to be more “engaged and informed about cyber security risk.” ®