When law firms suffer a security breach, it makes the headlines. Thankfully, the numbers appear low, but is that the true picture or just the tip of the iceberg? Is any firm not required by regulations to make public the breach, prepared to admit they have been hit and risk reputational damage?

And there’s the problem. Without complete transparency, how can anyone be sure of the risks and success rates of criminals, as it’s unlikely they will go public with their successes, unless they are trying to force a ransom from their victim by threatening to release sensitive data.

According to Lindy Cameron, chief of the UK national cybersecurity centre, things might be about to get even worse, as she recently reported a worrying new trend, ‘ransomware as a service’. It appears ‘professional’ hackers now offer a variety of ransomware at a reasonable cost or for a share of profits from successful attacks.

Non-tech savvy criminals can join the modern crime wave, buying from malicious developers without having to invest time or money in learning the necessary skills. This ensures more criminals, making more attacks, with more sophisticated ransomware and that has to be concerning for any organisation connected to the internet. Or with lots of people working from home.

Cameron warned of criminals conducting comprehensive reconnaissance on targets to identify cybersecurity weaknesses, before launching attacks to access to networks and find business-critical data to encrypt for ransom, along with the backups that can help mitigate a ransomware attack.

The chief of the UK national cybersecurity centre warned criminals may even research cyber insurance policies to see if a target is covered to pay ransoms. This chilling thought may explain the increasing popularity of law firms as targets.

Criminals know a good target

Criminals recognise law firms fear not only the financial loss associated with a breach, or from buying a decryption key, but the potential reputational damage.

Hackers also know law firms are risk averse and generally insured, at great cost, for every eventuality. So is it inconceivable to believe that many will have cyber insurance policies, which by their very nature may cover payment to retrieve data and stem the loss?

By attempting to mitigate the impact of an attack, law firms may well be putting themselves in the crosshairs and making themselves targets for criminals who have little to lose and much to gain if they get lucky just once and find a security hole or zero-day vulnerability.

As with most things in life, prevention is better than cure and the same is true for cyber security. Do not wake up tomorrow and wish you had done more, when there is still more you can do now.