Is Your Law Firm Prepared for Ransomware?

When downtime is a problem and data theft is a nightmare, you simply cannot afford to be struck by ransomware.

Law firms are uniquely under threat. They sit at an intersection where privacy and discretion are strictly required but tech recommendations tend to lag behind, so keeping up and protecting client data without driving yourselves insane is uniquely difficult.

In 2024, according to the FBI, ransomware cost businesses approximately 16.6 billion dollars in losses. This includes computer costs and employee downtime, because employees almost certainly cannot work while their systems are down.

So – ransomware is really bad, and it costs a lot of money both in recovery and in downtime. How is it getting in?

Poor IT Protocols

Cybercriminals have identified law firms (and a handful of other small businesses) as uniquely exploitable because of a few key factors, the first and most pressing of which is weak passwords.

Weak passwords are passwords that are too short or too simple, so they can be cracked in a relatively short time by a relatively underpowered computer. The ideal password is long, avoids dictionary words, and mixes both letter cases, symbols, and numbers to be as random as possible without becoming too random to remember. It doesn’t even have to be memorable, though, as long as a password manager with sufficient encryption, like Bitwarden, is on the device; that makes it possible for every password a person uses to be the fully randomized 32-character password every IT company dreams of.

Those people using weak passwords are setting themselves up for disaster! Major law firms in the last decade have lost the private data of millions of people simply because of weak passwords and poor employee IT training (https://wovenlegal.com/protect-your-law-firm-from-threats-2025/). The two work in tandem: when an employee is not fully aware of the risk a weak password poses, they don’t really care to make a strong one, because strong ones are harder to remember. But the result is devastating, and it’s made worse by how extremely avoidable it is. This is not some genius with a quantum computer banging away at a keyboard in a remote location with a country’s resources behind them; this is an opportunistic person sitting in their basement with a decently powerful gaming PC, running a dictionary attack program until something clicks. We are now at the point where a single-case password without any numbers or special characters can be cracked in a matter of seconds.
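To put numbers behind the "matter of seconds" claim, here is an added example (not code from the original post) that estimates the search space of a few password shapes and how long exhausting it would take. The guess rate, the small word list, and the sample passwords are constructed assumptions; the point is the ratio between the shapes, not the exact figures.

```python
# Added example, not from the original post: a rough "how long would this
# take to guess" estimator for the password shapes the article describes.
# The guess rate and the tiny word list are constructed assumptions.
import math
import string

# Constructed assumption: guesses per second for one consumer gaming GPU
# against a fast, unsalted hash. Real rates depend on hash type and hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for the word lists a dictionary attack cycles through.
COMMON_WORDS = {"password", "welcome", "summer", "lawfirm", "letmein", "attorney"}


def charset_size(password: str) -> int:
    """Size of the character pool an attacker must cover for a brute-force search."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Estimated search space in bits.

    A dictionary word with optional trailing digits (e.g. Password123) is
    scored against the word list, because that is how a dictionary attack
    treats it; everything else is scored as charset ** length.
    """
    if not password:
        return 0.0
    base = password.lower().rstrip(string.digits)
    if base in COMMON_WORDS:
        trailing_digits = len(password) - len(base)
        return math.log2(len(COMMON_WORDS)) + trailing_digits * math.log2(10)
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return 2 ** entropy_bits(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"about {seconds / size:,.0f} {name}"
    return f"about {seconds:,.0f} seconds" if seconds >= 1 else "under a second"


if __name__ == "__main__":
    # Constructed sample passwords, weakest to strongest.
    for pw in ("Password123", "abcdefgh", "Tr0ub4dor&3", "k7#Qz!p2Lm9$Vb4&Xw1@Rt6^Yh3*Nc8%"):
        print(f"{pw:34} {entropy_bits(pw):6.1f} bits  {human_time(brute_force_seconds(pw))}")
```

An eight-letter lowercase password comes out at roughly 38 bits, which at the assumed rate is a matter of seconds; a dictionary word with a few digits tacked on is worse, because the attacker never searches the full character space for it. The 32-character manager-generated password is the only one whose estimate lands in years.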

Shared and Unprotected

Even worse, 2FA (two-factor authentication) can shore up this weakness, but law firms are not making it mandatory, because password sharing is also a huge problem: a shared account has no single owner to hold the second factor. Unofficial policies like these make enforcing the necessary ones basically impossible.

Sharing passwords makes things convenient for a little while; it at least saves having to set up a shared drive properly, which can admittedly be a little daunting. But the trade is that this single account becomes a goldmine for hackers, and the ways it can be compromised multiply with the number of people using it: someone writes the password on a sticky note, or leaves a laptop logged in and forgets it at a coffee shop, or joins a compromised WiFi network, or, or, or… And because so much is loaded into that account, once it goes down, the firm’s in a nightmare. Setting up a shared drive properly and enforcing a solid password policy can save a LOT of pain down the road.
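To show concretely what the second factor adds, and why it needs one owner per account, here is an added example (not from the original post) implementing the time-based one-time passwords that authenticator apps produce, per RFC 6238. The secret used in the demonstration is the RFC's published test secret, not a real one; `new_secret()` shows the per-user enrolment step that a shared login would have to copy to every person using it.

```python
# Added example, not from the original post: the time-based one-time password
# (TOTP, RFC 6238) that authenticator apps produce, to show what a "second
# factor" actually adds. Secrets and timestamps below are constructed or taken
# from the RFC's published test vectors.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a single counter value (RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window containing Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current window plus `window` neighbours for clock skew.

    A code captured alongside a password is useless a few minutes later,
    which is the property that makes the second factor worth having.
    """
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def new_secret() -> str:
    """Fresh base32 secret for ONE user, the value encoded in an enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def secret_from_base32(text: str) -> bytes:
    """Decode the enrolment string back to raw key bytes."""
    return base64.b32decode(text.upper().replace(" ", ""))


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real one

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, at=59, digits=8))                          # RFC vector: 94287082
    print(verify_totp(RFC6238_SECRET, "94287082", at=59, digits=8))       # True
    print(verify_totp(RFC6238_SECRET, "94287082", at=59 + 300, digits=8))  # False: expired
```

The constant-time comparison and the small skew window are the two details that tend to be missed in home-grown verifiers; the former avoids leaking how many digits matched, the latter keeps a phone whose clock is a few seconds off from being locked out.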

Backups and Programs

Past weak employee protocols, outdated programs are also a common pain point. Law firms are often stuck between a rock and a hard place: their programs are either on a subscription and steadily losing stability as updates land on older systems, or abandoned altogether, leaving the practice to troubleshoot each new break an OS update causes, because the alternative, skipping OS updates, lets the built-in antivirus fall so far behind that it becomes useless. Either the computer or the program seems to want to pitch a fit no matter what! And while this is understandable (a lot of money was spent on the software, and it will take a lot more money to replace it and train employees on the replacement), it’s the kind of thing that leaves holes.

Unfortunately, thieves and cybercriminals know this. Bespoke programs that don’t cooperate nicely with Windows updates are all over the place, and maintaining robust protection in spite of them is a full-time job. It’s why universities, which also often use bespoke software for things like their enrollment system or library search system, are common targets too. Software that has been abandoned, or is so finicky that updating around it is a pain, creates holes in security, and a skilled-enough hacker or group of hackers who found such a hole in one system will try to exploit it in others.

Phishing Nightmare

Poor training on common scams can also trip up firms and render them vulnerable where they otherwise wouldn’t be. A fully updated, fully protected system doesn’t have a lot of holes, which is exactly why scammers love social engineering. If they can convince an employee to do something as simple as click a bad link, they might get in before the built-in Windows antivirus can stop them, and it’s even better for them if they can get the employee to download a malicious file directly. Training can generally stop phishing attempts from succeeding. Simply encouraging employees to check what kind of file they’re about to download, or to hover over a link to make sure it isn’t leading somewhere with an automatic download, can stop one of the easiest tricks in the scammer’s book from getting a virus onto your devices. Asking them to double-check the URL, or to go directly to a website to log in rather than getting there from a link, can prevent their login credentials from being stolen.

There are also plenty of programs, including Outlook itself, that can apply email rules and pull potentially malicious messages before the employee can make the mistake in the first place. A program like Ironscales will warn a recipient that this is the first time they’ve received an email from a given address, for instance, which may give them the pause they need to make sure they aren’t being phished. Outlook can apply whitelist and blacklist rules, allowing granular control and the ability to ban known problematic addresses.
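The checks described in the two paragraphs above (hover to compare the shown link with its real destination, look at the attachment's true file type, warn on a first-time sender, honour allow and block lists) are mechanical enough to script. The following is an added example, not code from the original post or from Outlook or Ironscales, that runs those checks over one constructed message. All addresses use the reserved `.test` suffix, and the sender lists are made up.

```python
# Added example, not from the original post or any vendor's product: the kinds
# of checks the article recommends (first-time sender, allow/block lists,
# link text that disagrees with the real destination, disguised attachments)
# applied to one constructed message. Domains use the reserved .test suffix.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Hostname of a URL, or of a bare domain as it appears in link text."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Links whose visible text looks like a URL but points at a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, host_of(href)) for href, text in collector.links
            if href and URL_LIKE.match(text) and host_of(text) != host_of(href)]


def risky_attachment(filename: str):
    """Reason an attachment deserves a second look, or None."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        disguise = " disguised as a document" if len(parts) > 2 else ""
        return f"executable{disguise} ({ext})"
    if ext in ARCHIVE_EXTENSIONS:
        return f"archive ({ext}); contents cannot be scanned until opened"
    return None


def triage(message: dict, known_senders: set, allowlist: set, blocklist: set) -> list:
    """Return human-readable findings for one message; empty list means nothing flagged."""
    sender = message["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in blocklist or domain in blocklist:
        return ["BLOCK: sender is on the block list"]
    findings = []
    if sender not in allowlist and sender not in known_senders:
        findings.append("first contact: no previous mail from this address")
    for shown, real in mismatched_links(message.get("html", "")):
        findings.append(f"link shows {shown!r} but goes to {real!r}")
    for name in message.get("attachments", []):
        reason = risky_attachment(name)
        if reason:
            findings.append(f"attachment {name!r}: {reason}")
    return findings


# Constructed sample message and lists for demonstration.
SAMPLE_MESSAGE = {
    "from": "billing@example-invoices.test",
    "html": '<p>Your account needs attention. Sign in at '
            '<a href="http://portal-login.example-lookalike.test/owa">https://portal.example-lawfirm.test/owa</a></p>',
    "attachments": ["Invoice_2024.pdf.exe"],
}
KNOWN_SENDERS = {"clerk@example-court.test"}
ALLOWLIST = {"partner@example-lawfirm.test"}
BLOCKLIST = {"example-spam.test"}

if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE, KNOWN_SENDERS, ALLOWLIST, BLOCKLIST):
        print("-", line)
```

The sample message trips all three warnings: nobody at the firm has heard from the sender, the link text shows the firm's own portal while the `href` goes elsewhere, and the "PDF" is an executable with a second extension. Any one of these is the pause the paragraph above is asking employees to take.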

Recovery

Many law firms also lack a solid recovery plan – if something bad happens, does your firm know how long ago the last backup was? Is there a plan to actually wipe the devices all at once and fully refresh the system, so a lingering infected computer cannot just re-infect the network once it’s back online? Do the employees know what to do to prevent a full system-wide infection in the first place?

Ransomware is such a problem for law firms because of that tendency to play it fast and loose with accounts and data storage, as mentioned above. A good backup is a good start, but it’s not the whole picture. Some firms don’t even have that much, and it leaves them in the incredibly painful position of having to either pay the ransomware scammers what they want, which can be basically any number, or go into a hard shutdown and pay experts to try and fix it. While that second option is theoretically possible, it’s going to cost a lot of money in both expert fees and downtime. Ransomware hackers have also learned in recent years that they can force people to pay up by enforcing a deadline after which they’ll either destroy or release sensitive data, and that deadline is always shorter than recovery takes. This is also why having a backup and assuming that’s enough just isn’t enough! Preventing the ransomware from getting on devices and stealing sensitive data is priority number one!
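Two of the recovery questions above ("how long ago was the last backup?" and "is it actually intact, or did the infection reach it too?") can be answered with a manifest of file hashes taken at backup time and kept off the backup volume. The following is an added example, not code from the original post, that builds such a manifest, then checks a constructed backup three times: untouched, after one file has been overwritten to stand in for an encrypted copy, and after it has gone stale with a file missing. Paths, contents and timestamps are all constructed.

```python
# Added example, not from the original post: a backup integrity and freshness
# check that answers the questions above ("how old is the last backup?",
# "is it still intact?") from a manifest of SHA-256 hashes kept separately
# from the backup itself. All files and timestamps here are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, created: float) -> dict:
    """Record every file's hash at backup time. Store the result off the
    backup volume (or on immutable storage) so an intruder cannot rewrite it."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"created": created, "files": files}


def verify_backup(root: Path, manifest: dict, now: float, max_age_seconds: float) -> dict:
    """Compare the backup on disk against its manifest and check its age."""
    age = now - manifest["created"]
    missing, modified = [], []
    for rel, digest in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != digest:
            modified.append(rel)
    stale = age > max_age_seconds
    return {
        "age_hours": age / 3600,
        "stale": stale,
        "missing": missing,
        "modified": modified,
        "healthy": not (stale or missing or modified),
    }


def demo() -> tuple:
    """Three checks on a constructed backup: clean, tampered, and stale with a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "client_files").mkdir(parents=True)
        (root / "client_files" / "contract.txt").write_text("constructed sample document\n")
        (root / "billing.csv").write_text("matter,hours\nconstructed,1\n")
        created = 1_700_000_000.0  # constructed backup timestamp
        one_day = 24 * 3600

        manifest_path = Path(tmp) / "manifest.json"  # kept outside the backup tree
        manifest_path.write_text(json.dumps(build_manifest(root, created)))
        manifest = json.loads(manifest_path.read_text())

        clean = verify_backup(root, manifest, now=created + 3600, max_age_seconds=one_day)
        # Simulated tampering: overwrite one file to stand in for an encrypted copy.
        (root / "client_files" / "contract.txt").write_bytes(b"\x00" * 32)
        tampered = verify_backup(root, manifest, now=created + 3600, max_age_seconds=one_day)
        (root / "billing.csv").unlink()
        stale = verify_backup(root, manifest, now=created + 2 * one_day, max_age_seconds=one_day)
        return clean, tampered, stale


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "stale"), demo()):
        print(label, json.dumps(report))
```

A check like this only helps if it runs on a schedule and someone reads the result; a backup that silently stopped two weeks ago, or that an intruder reached before the ransom note appeared, is exactly the "we had a backup" surprise the paragraph above warns about.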

What Do We Do?

Many of these problems stem from a lack of resources. Smaller firms are often run like family businesses, but in an age where computers are mandatory and accounting standards seem to change every year, expecting the head of the business to know all of this on top of law and typical small business problems is outrageous. Yet a full-time IT expert may cost more than a small business can afford. There is a compromise! We’re Elixis Technology, an MSP (Managed Service Provider) that provides full-stack protection and a fully fledged IT department without the fully fledged IT department costs. We’re located locally in Vegas, meaning we’re on Vegas time and can show up physically at an office to fix problems, or deal with them remotely. We work off a monthly fee that is all-inclusive of break-fix tickets (with some exceptions like emergencies), onboarding, and policy setup, based on the number of employees in the business and their licensing needs. It can be custom-fit to you and your proprietary software needs, too.

If this sounds interesting, get in touch with us here: https://elixistechnology.com/contact/

We’d love to talk to you!