Professional services firms, especially those in the legal sector, have emerged as the primary focus for cybercriminals seeking valuable confidential information. This trend is driven by the vast quantities of sensitive client data these organisations handle, ranging from details of mergers and acquisitions to trade secrets and contentious employment cases.
According to Holly Waszak, head of cyber claims advocacy at Marsh, insurers are actively engaging with law firm clients to pre-emptively warn them about the heightened threat. The nature of professional services work means these firms are perceived as high-value, information-rich targets, making them particularly attractive to malicious actors.
A notable shift in attack methodology sees groups such as the 'silent ransom' collective, which includes Luna Moth and Chatty Spider, favouring discreet data theft over disruptive encryption. Waszak explained that these groups employ sophisticated phishing tactics, often impersonating IT help desk support, to trick employees and partners into granting remote access to their systems. Once access is gained, the criminals immediately exfiltrate data without deploying ransomware, and later extort victims by threatening to leak the stolen client information.
This is not an entirely new threat for the legal sector. In 2023, the prominent 'Magic Circle' law firm Allen & Overy (now A&O Shearman) was targeted by the LockBit ransomware group, which threatened to release stolen data. More recently, Stewarts Law reported incidents where criminals impersonated the firm to send fraudulent emails and faxes, exploiting its brand identity to deceive the public.
In light of these escalating threats, industry experts are stressing that it is no longer a question of if a firm will be targeted, but rather how effectively it will respond. Waszak emphasised the importance of robust and regularly rehearsed incident response plans. These plans should clearly name key decision-makers, insurers, forensic providers, external legal counsel, and public relations advisers. Crucially, they should not be static documents but should be tested through tabletop exercises to ensure preparedness.
Beyond technical controls, fostering a culture where staff feel secure in promptly admitting mistakes is paramount. Waszak highlighted that anyone can inadvertently make an error that opens a vulnerability, but the true danger arises when employees stay silent, allowing threat actors to remain undetected on systems for extended periods.