In response to a spate of hackings, some law firms have made the decision to preemptively open Bitcoin wallets to pay their attackers. John Sweeney, president of IT and cyber security advisory company LogicForce, claimed that accounts would be used to settle ransoms as a “last resort” and the measure should be part of a wider contingency plan.
For Sweeney, the decision is proactive rather than reactive. However, what exactly is proactive about waiting to get hacked and then paying a ransom is unclear. There aren’t even any guarantees that the criminals will release the breached data following settlement of demands. According to the cyber security expert himself, it has taken some firms months and multiple ransoms to even recover data from hackers. Even then, the data may already be compromised, rendering confidentiality agreements between clients and companies useless and potentially exposing sensitive details.
The latest security breach was announced earlier today. An offshore law firm catering to super-rich clients was hacked by a criminal group. Those served by Appleby in Bermuda will be awaiting the criminals’ next move, which will likely be either blackmail or straight-up exposure. This highlights a major issue with law firms’ security which Sweeney says needs to be tackled. Data is often sent via unencrypted emails and thus risks being breached by any hacker savvy enough to get around the often-scant security procedures in place. Certain data obtained via such a practice is understandably extremely valuable to the parties concerned. Sweeney commented about the growing trend within the industry:
“We are predicting there are going to be more sophisticated attempts to intrude at firms that work with highly visible clients whose IP or business information is extremely valuable.”
Exacerbating the problem is the fact that cyber-criminals can often cover their own tracks impeccably. This makes it unlikely that they’ll be caught, and for Sweeney it represents a risk/reward proposition that’s “totally in the cyber criminals’ favour.”
However, the decision to announce that some firms will have a digital wallet loaded with funds to pay off hackers seems to do little else than paint a huge target on the law industry. Clearly, by having the money ready, the implication is that firms are willing to settle ransoms, leaving them further exposed. Sweeney does, however, urge firms to do more to enhance their security and eliminate potential online attack vectors. There is no shortage of funds within the law industry, so in reality, there is no excuse for not employing the most up-to-date encryption techniques for sensitive data, as well as suitable backup solutions. Prevention, as they say, is much better than cure.