This week: Why do you rob IT providers / SaaS services / legal firms? Because that’s where the data / money / reputations are.


3 – Why do you rob IT providers? Because that’s where the client data is!

“The multibillion-dollar technology services firm CDW said it is investigating claims made by a ransomware gang that data was stolen during a cyberattack.”

This is according to The Record, which reports that the Lockbit ransomware gang has threatened to publish the stolen data unless CDW pays its ransom demand of $80 million. According to CDW, this is “an isolated IT security matter associated with data on a few servers dedicated solely to the internal support [of one of their subsidiaries]”.

So what? Apparently, when the American bank robber Willie Sutton was asked by a reporter ‘Why do you rob banks?, he answered “because that’s where the money is”. Why do cyber attackers target IT providers? Because that’s where the client data is.


2 – Why do you rob SaaS services? Because that’s where the client data is!

In about 30 seconds, a user could enable an attacker to delete every document, spreadsheet and folder saved in your organisation’s Google Drive (or Microsoft OneDrive or Dropbox or…).

This is according to a 2-minute “SaaS Security On Tap” video, and recently mentioned on The Hacker News. 30 seconds is not an exaggeration. I recently helped a client clean up the mess after an attacker gained access to their CEO’s Microsoft 365 account using this technique. The client and their IT guy had spent days trying but failing to get the attacker out – Resetting passwords and logging out of all sessions made no difference, and their use of Multi-Factor Authentication didn’t help either. I showed them that they were looking in the wrong places, because the attacker was getting in through a different doorway. Once we shut that door, the attacker was out and the client was able to start the slow process of communicating with clients and recovering their reputation.

So what? If you have not restricted or blocked “application consent” (the term used on Microsoft 365) or “OAuth consent” (the term used on Google Workspace), this doorway is wide open in your environment too. (WARNING: Sales pitch ahead: If you are unsure about the locks on your Microsoft 365 doors, I can help.)


1 – Why do you rob legal firms? Because that’s where the client data /significant funds / reputations are!

Out of 40 law firms surveyed, 30 reported that they had been the target of a cyber attack. And the remaining 10 firms reported that their clients had been directly targeted during the course of their legal engagement.

This is according to the UK’s National Cyber Security Centre (NCSC)’s “Cyber Threat Report: UK Legal Sector” report, which they also recently mentioned on LinkedIn. Why do attackers rob law firms? According to the report, it’s because that’s where the “highly sensitive client information”, “significant funds”, and critically-important reputations are.

So what? The report highlights that “Many legal practices, especially smaller firms, chambers and individual practitioners, rely on an external IT services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face.” (WARNING: Sales pitch ahead: If you face similar challenges, I can assess your security controls on your behalf. I engage with IT service providers on a daily basis to ensure my clients’ security measures are appropriate.)