As threat actors use AI to escalate cyber threats, how can law firms protect themselves?
In the past year, new developments in technology have ushered in transformative possibilities for how law firms operate. Specifically, more firms have begun using – and, in some cases, developing – generative artificial intelligence (AI) tools. The technology has the potential to reform law firms’ relationships with clients and employees, as well as their competitive landscape.
Just as there is potential for law firms to benefit from AI, cyber criminals can gain from it too. The cybersecurity industry has been alert to the possibility that AI will be used in the commission and automation of cyber-attacks. What could this mean? James Doswell, Senior Cyber Risk Management Consultant at Travelers Europe, says an AI-driven attack could allow threat actors to unleash far more advanced and fast-acting malware on the organisations they target. While law firms might use AI themselves to manage, automate and analyse aspects of their security, there is still potential for this security mechanism to be trained by an attacker. As a result, law firms need the right protections against the cyber threats they face – and they must be able to implement them more quickly than before.
The risks are especially acute for law firms, which were appealing targets for cybercrime well before threat actors could harness AI in their attacks. According to research published last year by Cert-UK, the forerunner to the National Cyber Security Centre, 65% of law firms have been a victim of a cyber-attack, yet 35% of firms don’t have a cyber mitigation plan in place. Research from Cyfor Secure Cyber Security found a concentration of cyber-attacks against large law firms, with 90% of the top-25 UK law firms experiencing a threat. Smaller firms are vulnerable too: often viewed as easier targets, they may lack the infrastructure to prevent and respond to a cyber-attack, as well as the resources to recover from one.
That explains why 85% of the top 100 UK law firms cited that they were extremely or somewhat concerned that cyber threats will stop them from meeting and/or exceeding their firm’s ambitions, according to PwC’s Annual Law Firms’ Survey 2023.
“We are seeing firms increase their security through the recruitment of dedicated cyber security teams, implementation of new systems, and purchase of cyber insurance, amongst other things,” said Sharon Glynn, director and underwriter in the Bond & Specialty department at Travelers Europe. “This is at a financial cost for law firms, but when you consider the costs of a successful attack – reputation, rehabilitation, business interruption, restoration, to name but a few – the spend starts to look more like an investment. The crucial part is to ensure that each part of the defence system covers people, systems and third-party suppliers. The increasing sophistication of threat actors means law firms simply cannot afford any gap in their defences.”
Improving safety with layered protections
It is nearly impossible to prevent a determined cyber attacker. However, just as a person can take steps to minimise their risk of a home burglary, a firm can take action to minimise the likelihood, and contain the scope of a cyber-attack and subsequent damage it may cause. Security solutions all have pros and cons, so building up layers of protection in a well-planned structure can reduce risk – even from AI enhanced attacks.
An organisation’s cybersecurity protections will likely already include a combination of defences such as antivirus, MFA, to name but a few. Combined with up-to-date software and patching to remove vulnerabilities or enhance, the solutions chosen should complement each other to provide the depth of security necessary.
Proactive defence solutions, such as Endpoint Protection Platforms (EPP) in particular, can augment existing solutions to create exceptionally strong security architecture. They are used to prevent file-based malware attacks, detect threats, and can respond to security incidents as they happen. Some defences cope even if critical vulnerabilities are present that would normally provide an attacker full admin access to the system. These proactive solutions effectively lock down applications to only their authorised libraries on the computers being protected. This can provide exceptional protection against unknown threats such as zero day – or when there are very rapidly changing scenarios, such as a live attack.
As cyber risks evolve, human behaviour will need to evolve too – an elevation in staff awareness of phishing or fraud attempts is already taking place. Patching cycles will likely have to be carried out or secured differently – perhaps continually. Existing cyber protections will need to be reviewed on an ongoing basis to ensure they remain fit for purpose and deployed with no system left vulnerable. Employees will likely need additional education about the appropriate protections to use and how to apply them properly so they can make themselves harder targets. The firm may also have to review its cyber insurance protection and the steps it needs to take – both before an attack to limit risks, as well as in the immediate aftermath of a breach to access expert support quickly.
Anticipating the risks
Cyber risks are a moving target and will require continued vigilance from firms as threat actors employ increasingly sophisticated methods to target sensitive information. Even if AI-driven attacks haven’t yet materialised in law firms, it’s likely that attackers will eventually make use of this technology. AI has introduced both benefits and disadvantages when it comes to cyber risk, so it will challenge organisations to rethink their security and what checks they have in place.
As organisations weigh their threats, they must consider the business-critical information they hold, the risk to the business if that information is compromised, and their available resources to protect the business and recover following a cyber breach. Insurers can help clarify priorities. “Some security solutions suit certain circumstances better than others,” Doswell said. “I spend a significant part of my time helping clients assess their cyber threats and recommending appropriate protections. I also work closely with our underwriters to ensure we are keeping pace with the threat landscape. For our insureds, being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong will continue to be critical.”
Malware remains a significant threat to businesses. According to the AV Test Institute, there are over one billion malware programs installed worldwide, with 560,000 new pieces detected each day. The reasons are plenty: Malware can penetrate a network due to poor security practices, outdated patching, legacy systems that don’t allow for newer protections, or simply because threat actors are developing more sophisticated threats. A business’ endpoint devices, such as servers, laptops, desktops, smartphones and tablets, are especially vulnerable. More than 80% of cyber-attacks focus on endpoints, according to Cisco.
Cyber risks appear to have no limit since attackers constantly adapt, but firms can protect against the unknown threat by responding based on how malware works. Both EPP and EDR solutions work well, but in different ways. An EPP provides protection against both the unknown and known, whilst EDR focusses on detection and responding to incidents that have bypassed other security measures. If you follow nearly all malware attack paths, the progression relies on getting executable code onto a device and set to run. Antivirus, EDR, XDR and other security solutions allow a file to be written to disk, at which point they react to it, but a good EPP solution behaves differently. It is embedded in the ring 0 architectural layer of a system (see image) and can take full control of the input/output channel.
Windows security is built around ring architecture – the hierarchical layers of privilege in a computer system.
From here, it controls the write (or block) of every file, checking each one to see if it is executable. Whenever the system detects a specific byte sequence attempting to be written, the ‘unknown’ executable file is blocked by the EPP software and the computer remains secure. It operates quickly and efficiently compared to traditional antivirus checks because it only has to check for the executable header bytes of the file being written. If the bytes that signify the file is executable are detected, the EPP blocks it from being written.
This can be especially helpful if a threat actor uses AI to take advantage of a gap in a firm’s patching cycle. Doswell says that for most businesses, the patching cycle is monthly – and even when it is carried out methodically, there is typically a cadence between the release of a patch and its implementation. This could average between one and three days for critical vulnerabilities, and up to 14 days for others. “This is currently considered by most to be ‘an acceptable risk,’” he said. “But what if AI speeds up and improves the efficacy of these attacks – or even automates them?” An EPP can provide an extra layer of protection at those weak points, even if an attacker has administrator access to the network. It can provide significant peace of mind when so many risks are unknown.
Authored by Travelers
Disclaimer – The information provided is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome.
