As Threat Actors Use AI to Escalate Cyber Threats, How Can Law Firms Protect Themselves?

By Travelers
Last updated 19 February 2024

In the past year, new developments in technology have ushered in transformative possibilities for how law firms operate. Specifically, more firms have begun using – and, in some cases, developing – generative artificial intelligence (AI) tools. The technology has the potential to reform law firms’ relationships with clients and employees, as well as their competitive landscape.

Just as there is potential for law firms to benefit from AI, cyber criminals can gain from it too. The cybersecurity industry has been alert to the possibility that AI will be used in the commission and automation of cyber attacks. What could this mean? James Doswell, Senior Cyber Risk Management Consultant at Travelers Europe, says an AI-driven attack could allow threat actors to unleash far more advanced and fast-acting malware on the organisations they target. While law firms might use AI themselves to manage, automate and analyse aspects of their security, there is still potential for this security mechanism to be trained by an attacker. As a result, law firms need the right protections against the cyber threats they face – and they must be able to implement them more quickly than before.

The risks are especially acute for law firms, which were appealing targets for cybercrime well before threat actors could harness AI in their attacks. According to research published last year by Cert-UK, the forerunner to the National Cyber Security Centre, 65% of law firms have been a victim of a cyber attack, yet 35% of firms don’t have a cyber mitigation plan in place.[1] Research from Cyfor Secure Cyber Security found a concentration of cyber attacks against large law firms, with 90% of the top-25 UK law firms experiencing a threat. Smaller firms are vulnerable too: often viewed as easier targets, they may lack the infrastructure to prevent and respond to a cyber attack, as well as the resources to recover from one.[2]

That explains why 85% of the top 100 UK law firms said they were extremely or somewhat concerned that cyber threats will stop them from meeting and/or exceeding their firm’s ambitions, according to PwC’s Annual Law Firms’ Survey 2023.[3]

“We are seeing firms increase their security through the recruitment of dedicated cyber security teams, implementation of new systems, and purchase of cyber insurance, amongst other things,” said Sharon Glynn, director and underwriter in the Bond & Specialty department at Travelers Europe. “This is at a financial cost for law firms, but when you consider the costs of a successful attack – reputation, rehabilitation, business interruption, restoration, to name but a few – the spend starts to look more like an investment. The crucial part is to ensure that each part of the defence system covers people, systems and third-party suppliers. The increasing sophistication of threat actors means law firms simply cannot afford any gap in their defences.”

Improving safety with layered protections

It is nearly impossible to stop a determined cyber attacker. However, just as a person can take steps to minimise their risk of a home burglary, a firm can take action to minimise the likelihood of a cyber attack and to contain its scope and any subsequent damage. Security solutions all have pros and cons, so building up layers of protection in a well-planned structure can reduce risk – even from AI-enhanced attacks.

An organisation’s cybersecurity protections will likely already include a combination of defences such as antivirus and MFA, to name but a few. Combined with up-to-date software and patching to remove vulnerabilities or enhance, the solutions chosen should complement each other to provide the depth of security necessary.

Proactive defence solutions, such as Endpoint Protection Platforms (EPP) in particular, can augment existing solutions to create exceptionally strong security architecture. They are used to prevent file-based malware attacks, detect threats, and respond to security incidents as they happen. Some defences cope even if critical vulnerabilities are present that would normally give an attacker full admin access to the system. These proactive solutions effectively lock down applications to only their authorised libraries on the computers being protected. This can provide exceptional protection against unknown threats such as zero-days – or in very rapidly changing scenarios, such as a live attack.

As cyber risks evolve, human behaviour will need to evolve too – an elevation in staff awareness of phishing or fraud attempts is already taking place. Patching cycles will likely have to be carried out or secured differently – perhaps continually. Existing cyber protections will need to be reviewed on an ongoing basis to ensure they remain fit for purpose and deployed with no system left vulnerable. Employees will likely need additional education about the appropriate protections to use and how to apply them properly so they can make themselves harder targets. The firm may also have to review its cyber insurance protection and the steps it needs to take – both before an attack to limit risks, as well as in the immediate aftermath of a breach to access expert support quickly.

Anticipating the risks

Cyber risks are a moving target and will require continued vigilance from firms as threat actors employ increasingly sophisticated methods to target sensitive information. Even if AI-driven attacks haven’t yet materialised in law firms, it’s likely that attackers will eventually make use of this technology. AI has introduced both benefits and disadvantages when it comes to cyber risk, so it will challenge organisations to rethink their security and what checks they have in place.

As organisations weigh their threats, they must consider the business-critical information they hold, the risk to the business if that information is compromised, and their available resources to protect the business and recover following a cyber breach. Insurers can help clarify priorities. “Some security solutions suit certain circumstances better than others,” Doswell said. “I spend a significant part of my time helping clients assess their cyber threats and recommending appropriate protections. I also work closely with our underwriters to ensure we are keeping pace with the threat landscape. For our insureds, being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong – will continue to be critical.”

How an Endpoint Protection Platform (EPP) can help

Malware remains a significant threat to businesses. According to the AV Test Institute, there are over one billion malware programs installed worldwide, with 560,000 new pieces detected each day. The reasons are plenty: Malware can penetrate a network due to poor security practices, outdated patching, legacy systems that don’t allow for newer protections, or simply because threat actors are developing more sophisticated threats. A business’ endpoint devices, such as servers, laptops, desktops, smartphones and tablets, are especially vulnerable. More than 80% of cyber attacks focus on endpoints, according to Cisco.

Cyber risks appear to have no limit since attackers constantly adapt, but firms can protect against the unknown threat by responding based on how malware works. Both EPP and EDR solutions work well, but in different ways. An EPP provides protection against both the unknown and known, whilst EDR focusses on detecting and responding to incidents that have bypassed other security measures. If you follow nearly all malware attack paths, the progression relies on getting executable code onto a device and setting it to run. Antivirus, EDR, XDR and other security solutions allow a file to be written to disk, at which point they react to it, but a good EPP solution behaves differently. It is embedded in the ring 0 architectural layer of a system (see image) and can take full control of the input/output channel.

 Windows security is built around ring architecture – the hierarchical layers of privilege in a computer system.


From here, it controls the write (or block) of every file, checking each one to see if it is executable. Whenever it detects the specific byte sequence of an executable being written, the EPP software blocks the ‘unknown’ executable file and the computer remains secure. It operates quickly and efficiently compared to traditional antivirus checks because it only has to check the executable header bytes of the file being written. If the bytes that signify the file is executable are detected, the EPP blocks it from being written.
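The header check described above can be sketched in user-mode Python. This is an added illustration, not code from any EPP product or from Travelers; the function names, the sample buffers and the file paths are constructed for the example, and a real EPP makes this decision inside a kernel-level file-system filter rather than in a script.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, both byte orders
}


def executable_format(head: bytes):
    """Return the format name if `head` starts like an executable, else None."""
    if head[:4] == ELF_MAGIC:
        return "ELF"
    if head[:4] in MACHO_MAGICS:
        return "Mach-O"
    if head[:2] == b"MZ":
        # The DOS header is 64 bytes; e_lfanew at 0x3C points at "PE\0\0".
        if len(head) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        # Conservative choice: a bare or truncated MZ header is still blocked.
        return "MZ"
    return None


def write_decision(path: str, head: bytes):
    """Decide on a write from its first bytes only: ('block'|'allow', format)."""
    fmt = executable_format(head)
    return ("block" if fmt else "allow", fmt)


# Constructed sample: minimal DOS header whose e_lfanew (0x80) points at "PE\0\0".
PE_SAMPLE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
             + b"\x00" * 0x40 + b"PE\x00\x00")

# Constructed write attempts: (hypothetical path, first bytes of the file).
SAMPLE_WRITES = [
    ("C:/Users/a/Downloads/invoice.exe", PE_SAMPLE),
    ("C:/Users/a/Documents/brief.pdf", b"%PDF-1.7\n"),
    ("C:/Users/a/Documents/contract.docx", b"PK\x03\x04"),
    ("/tmp/updater", b"\x7fELF\x02\x01\x01\x00"),
]


def screen_writes(writes):
    """Apply the header check to each attempted write and collect the verdicts."""
    return [(path, *write_decision(path, head)) for path, head in writes]


if __name__ == "__main__":
    for path, verdict, fmt in screen_writes(SAMPLE_WRITES):
        print(f"{verdict:5} {fmt or '-':6} {path}")
```

Because the verdict depends only on the first bytes of the file, its cost does not grow with file size, which is the efficiency point made above.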

This can be especially helpful if a threat actor uses AI to take advantage of a gap in a firm’s patching cycle. Doswell says that for most businesses, the patching cycle is monthly – and even when it is carried out methodically, there is typically a lag between the release of a patch and its implementation. This could average between one and three days for critical vulnerabilities, and up to 14 days for others. “This is currently considered by most to be ‘an acceptable risk,’” he said. “But what if AI speeds up and improves the efficacy of these attacks – or even automates them?” An EPP can provide an extra layer of protection at those weak points, even if an attacker has administrator access to the network. It can provide significant peace of mind when so many risks are unknown.

Sources
[1] https://www.lawsociety.org.uk/topics/blogs/are-you-the-65-percent-or-the-35-per-cent-65-percent-of-law-firms-cyber-attack-victim#:~:text=But%20last%20year%2C%20Cert%2DUK,cyber%20mitigation%20plan%20in%20place.
[2] https://cyforsecure.co.uk/cyber-attacks-against-law-firms-are-increasing-is-your-firm-secure/
[3] https://www.pwc.co.uk/industries/legal-professional-business-support-services/law-firms-survey.html

The information provided is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice.

Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome.
