With Remote Access, Are Firms Risking a 'Backdoor' to Ransomware?
Law firms may think phishing attacks are their top cybersecurity concerns, but cybersecurity experts say thieves are also targeting their remote monitoring and management tools for critical client data.
February 03, 2020 at 12:30 PM
3 minute read
Allowing remote computer and network access in law firms allows lawyers to work outside the office and grants IT access to remotely fix everything from a minor administrative issue to a cyberattack. However, it may not be all benefit. After all, utilizing manage service providers (MSP) for remote monitoring and management (RMM) can be a backdoor for cyberattackers, many of whom have their sights on law firms.
While remote administrative tools help productivity, they still represent the most risk for law firms, said Mark Sangster, vice president and industry security strategist of eSentire Inc.
Indeed, ransomware recovery firm Coveware reported in Q4 2019 that one strain of ransomware called Sodinokibi has a "deep specialization" in compromising and exploiting RMM tools used by managed service providers in small and large enterprises.
Despite the growing threat, many law firms are operating under the assumption that phishing attacks are still their top security concerns, Sangster noted.
"Most firms are laboring [under the idea] that a lot of attacks and ransomware comes through phishing, which is true but the phishing, if its involved, is step one, [and] at some point they are going to pivot to those remote monitoring tools." He added, "I think the assumption is because it's under administrative control, it's safe."
To be sure, cybersecurity experts say bad actors are targeting their remote access abilities not only to elicit ransoms, but to also exploit law firms' sensitive client data.
"The information they hold is so valuable," said Michael Hamilton, co-founder of cybersecurity solution company CI Security, of law firms. "They know about mergers and acquisitions, intellectual property and upcoming financial transactions. The valuable stuff isn't the ability to extort them but to monetize the information they can steal."
Still, law firms can take certain steps to ensure their MSPs aren't a backdoor to their data.
Cybersecurity experts contacted by Legaltech News agreed strong authentication is crucial for a MSP to confirm any activities on its network are legitimate. They also recommended ongoing cybersecurity audits and testing to properly manage their risks.
Along with thoroughly vetting a MSP, law firms could decrease the amount of "live connections" a MSP has to a client, said Gary Salman, CEO of cybersecurity provider Black Talon Security. Instead of being able to instantly access a computer, an employee would send a request through a web portal, he explained.
It's an "old-school approach," Salman said, which may increase response time but may prevent unintended intruders from having instant access to a firm's network.
Still, as the threats targeting legal grow, cybersecurity professionals say law firms are unlikely to drop their MSP or remote monitoring features.
"I think the economics of outsourcing that are pretty compelling, especially if you are a five-person shop. You aren't going to hire an IT person or security team," Hamilton said.
Larger law firms with multiple offices must also weigh the benefits of having IT access various offices remotely against the risk of criminals exploiting that convenience, eSentire's Sangster said.
"You are put in between a rock and a hard place. They [hackers] know you have to use it and you have to have it, and that's why they are going after it."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1$1.9M Settlement Approved in Class Suit Over Vacant Property Fees
- 2Former Wamco Exec Charged With $600M 'Cherry-Picking' Fraud
- 3Stock Trading App Robinhood Hit With Privacy Class Action 1 Month After Alleged Data Breach
- 4NY High Court Returns Fired Priest's Discrimination Claim to State Agency
- 5Digging Deep to Mitigate Risk in Lithium Mine Venture Wins GM Legal Department of the Year Award
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
