
7 Cybersecurity Controls to Defend Your Law Firm Against Emerging Cyberattacks in the New Threat Landscape  

Cybersecurity for law firms

It only takes one mishap to leave your law firm and your clients’ data exposed to cyberattacks. New vulnerabilities have emerged as law firms adopt new technologies and new workplace practices. Whether it’s on-premises servers, remote work, lazy password practices, or untraceable ransom payments via cryptocurrencies, these environments and practices have created a perfect storm that leaves law firms fighting to protect their businesses. 

Why law firms are a prime target 

For midsize firms, ransomware poses a significant risk. These attacks encrypt your matter data, shut down your practice, and demand cryptocurrency ransoms. The fallout? Downtime, client exposure on leak sites, deleted backups, and systems left compromised. Beyond ransomware, firms are also facing: 

  • Email takeover and payment redirection—Cybercriminals hijack firm emails to intercept trust account transfers and client payments. 
  • Online payment system breaches—Especially from skimming on client portals or online billing platforms. 

As the threat landscape evolves, so do the cybersecurity controls required to protect your law firm. 

Laying the foundation: Basic cyber hygiene for law firms  

Doing the basics well builds a solid foundation for cybersecurity. This includes: 

  • Practice management platforms that are cloud-based and have enterprise-level security measures in place. 
  • Multifactor Authentication (MFA) for email and remote access to your cloud-based platforms. MFA requires users to provide two or more identity verification methods when accessing data, no matter their location. 
  • Commercial anti-virus installed everywhere. Every technology system in your law firm must have anti-virus software. You’re only as strong as your weakest link; a single unprotected computer becomes a target for attackers. 
  • Patch management for operating systems, browsers, and firewalls. Patching fixes known vulnerabilities in system software and applications. 
  • Log retention. Keep a record of activity on your systems across all devices. This helps identify when and how an attacker got in. 
  • System hardening. Minimizes the attack surface of your systems to lower the risk of a successful attack. 
  • Phishing awareness exercises. These show employees what phishing attacks look like and lower the likelihood that they will fall for one. 

Emerging Cybersecurity Controls for Legal IT 

To take the next step, law firms can embrace the next generation of cybersecurity controls to keep their law firms safe: 

  • Passphrases 
  • Protective DNS Services 
  • Enhanced MFA such as Conditional Access and Number Matching 
  • Perimeter Filtering Controls 
  • Endpoint Detection and Response Applications 
  • Log Analytics with SIEM and MSSP 
  • Cloud Backups 

Control No. 1: Passphrases 

The traditional way of creating “secure” passwords is outdated. Computers can now guess complex 8-character passwords such as “5p@rt3n5!” in less than 48 hours. 

Requiring passphrases is more secure and often easier for users to remember. An example of a passphrase is “flying purple snail gallon.” Using a computer to guess a passphrase can take over 1,000 hours. Passphrases may reduce the risk enough that frequent password changes are unnecessary. 

Here’s an example where this is effective for law firms: 

Password spraying is a brute-force attack that uses common passwords stolen from the web, often released via the dark web, to attempt to log into accounts until it finds a match. Having law firm employees use passphrases reduces password re-use and weak passwords, both of which are especially vulnerable to a brute-force attack. Passphrases don’t require combinations of cases, numbers, and symbols to be strong. 

Control No. 2: Protective DNS Services 

Protective DNS services check the reputation of the server you are attempting to connect to. If the destination is known to be dangerous, the protective DNS returns a “server not found” response instead of the site’s address, so the connection never happens. 

Here’s an example of where these are effective for law firms: 

Hackers count on users becoming numb to the multiple verification steps they go through every day to access their accounts. In a Man-in-the-Middle attack, hackers use fake law firm websites that mimic login screens to steal client login credentials. Protective DNS services prevent that from happening by blocking the fake sites from loading. 

Control No. 3: Conditional Access and Number Matching 

Controlling how and when an MFA prompt is sent to law firm employees reduces the chance that they approve a login attempt without looking at it. 

  • Conditional Access Control: systems recognize how you normally use your accounts and only request MFA when a login looks unusual. 
  • Number Matching: instead of simply clicking “yes” to get past MFA, the user must enter a number shown on the login screen into the authenticator, so both ends must match. 

Conditional access and number matching are especially effective for law firms when attackers bombard employees with hundreds of MFA notifications, hoping the user will approve one just to make them stop. This attack relies on traditional MFA, where simply clicking “yes” approves the login. 

Control No. 4: EDR Applications 

Endpoint detection and response (EDR) applications provide advanced firewalling, application whitelisting, and host intrusion monitoring. 

This software uses behaviors to identify potential intruders. Behaviors include attempts to run suspicious scripts, elevate privileges, and exfiltrate data. EDRs detect and stop attackers who have a small foothold on your network and are poking around looking to lock you out of your applications and data. 

Here’s an example of where these are effective for law firms: 

In a Living Off the Land attack, hackers use features of legitimate software, such as built-in Windows tools, to attack instead of deploying viruses. This bypasses anti-virus software, since nothing malicious is ever written to disk. The goal is to blend into normal network activity. EDRs can detect this unusual behavior and shut it down. 

Control No. 5: Perimeter Filtering Controls 

Perimeter filtering controls let a firm implement and configure a next-generation firewall to control outbound traffic. Perimeter filtering controls include: 

  • Blocking malware command-and-control protocols 
  • Content filtering, to block links to malicious websites 
  • Default-deny strategy for non-law firm protocols, which allows the bare minimum required traffic for the network 
  • Geographic blocking, based on region 
  • Remote-host reputation analysis 
  • Threat analytics, which provide insight into active threat actors, new attack techniques, vulnerabilities and more 

Here’s an example of an attack in which perimeter filter controls are effective for law firms: 

In a command-and-control server attack, hackers take control of an infected machine or network channels through a backdoor or covert channel. By doing so, they can send commands deleting backups or even shutting down networks. Command-and-control attacks are usually launched with malware installed through phishing or other common cyberattacks. 

Control No. 6: Log and Event Analytics 

Log and event analytics can be used to sift through data to identify potential deviations from normal activity, such as those in command-and-control attacks. 

A Security Information and Event Management (SIEM) system collects and stores logs from servers, workstations, and network devices. It monitors network traffic and mines the data in real time to identify suspicious events such as password guessing, scanning, and suspicious applications. 

Partner with a Managed Security Service Provider (MSSP) such as Sikich for the upkeep of your law firm’s systems and security in the cloud. MSSPs offer 24/7 live review and can escalate alerts. 
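As an added illustration of the kind of rule a SIEM applies (this is example code written for this article, not Sikich’s or any vendor’s product), the script below runs over a handful of constructed authentication log lines and separates the password spraying described under Control No. 1 (one source, many accounts, few attempts each) from ordinary single-account password guessing. The log format, thresholds and IP addresses are assumptions.

```python
"""Flag password spraying vs. single-account guessing in auth logs."""
import re
from collections import defaultdict

# Constructed sample log lines; the field layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:02Z src=203.0.113.7 user=mlee result=FAIL
2024-05-01T08:00:03Z src=203.0.113.7 user=apatel result=FAIL
2024-05-01T08:00:04Z src=203.0.113.7 user=rkim result=FAIL
2024-05-01T08:00:05Z src=203.0.113.7 user=tnguyen result=FAIL
2024-05-01T08:00:06Z src=203.0.113.7 user=bjones result=SUCCESS
2024-05-01T08:01:00Z src=198.51.100.9 user=cwong result=FAIL
2024-05-01T08:01:01Z src=198.51.100.9 user=cwong result=FAIL
2024-05-01T08:01:02Z src=198.51.100.9 user=cwong result=FAIL
2024-05-01T08:01:03Z src=198.51.100.9 user=cwong result=FAIL
2024-05-01T08:01:04Z src=198.51.100.9 user=cwong result=FAIL
2024-05-01T09:00:00Z src=192.0.2.44 user=dkhan result=FAIL
2024-05-01T09:00:30Z src=192.0.2.44 user=dkhan result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log_text):
    """Yield (src, user, result) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")

def analyze(log_text, spray_users=5, brute_attempts=5):
    """Return findings keyed by source IP.

    spray: failures against >= spray_users distinct accounts from one source;
           a later SUCCESS from that source is reported as a likely compromise.
    brute: >= brute_attempts failures against one account from one source.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> fail count
    successes = defaultdict(set)                    # src -> users logged in
    for src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS":
            successes[src].add(user)
    findings = {}
    for src, per_user in fails.items():
        if len(per_user) >= spray_users:
            findings[src] = {"type": "spray", "accounts": len(per_user),
                             "compromised": sorted(successes[src])}
        elif max(per_user.values()) >= brute_attempts:
            user = max(per_user, key=per_user.get)
            findings[src] = {"type": "brute", "account": user, "attempts": per_user[user]}
    return findings
```

A single failed login followed by a success (the third source) produces no finding, which is the normal-user case the thresholds are meant to leave alone.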

Control No. 7: Protection against Encryption or Destruction of Backups 

Attackers will often target your law firm’s backups to ensure that you can’t recover the data they are trying to steal or lock you out of. Investing in systems such as cloud-based backups that require MFA and don’t let a user delete an entire backup with a few keystrokes is a must to protect your law firm. Another option is to move on-premises backups to a “hardened enclave” isolated from the rest of the network. 

Ready to Assess Your Firm’s Readiness? 

Contact Sikich to learn how they can help you protect your law firm. They offer a free 30-minute consultation to: 

  • Evaluate your current security posture and controls 
  • Identify gaps in foundational and advanced protections 
  • Compare your risk profile against peer firms 
  • Prioritize action items that align with legal industry standards 

Protect your firm. Secure your reputation. Let’s start with a conversation. 

Sikich LegalTech is a trusted Actionstep implementation and consulting partner, delivering scalable workflow solutions designed to meet the evolving operational needs of law firms.

Sikich offers a full suite of services, including technology evaluation, system selection and implementation, project recovery, business transformation, and change management. Sikich also provides long-term support through managed services, remote workforce application development, and advanced data and analytics capabilities. Sikich analytics offerings include insight-driven strategies, data governance, information management modernization, and intuitive business intelligence dashboards that support informed decision-making.

To schedule an introduction, contact Hunter Tate at hunter.tate@sikich.com.
