Law Firms at a Crossroads: The New Paths to Safeguarding Data as Attacks Ramp Up
How do you protect your firm? The vast majority of cyber-related vulnerabilities can be traced to staff and third parties who accidentally or deliberately don't follow security protocols or are tricked into downloading malicious code.
September 04, 2018 at 08:00 AM
Given the volume, depth of detail and uniqueness of the data they hold, law firms have emerged as prime targets for criminal networks. This comes as no surprise to most legal professionals and law firms who recognize the threat and have taken various steps to strengthen their defenses.
For example, the 2017/2018 Kroll-Legal Week Cyber Report found that more general counsel are taking a larger management role around cybersecurity issues: 45 percent said their role has expanded in the area of planning, 40 percent monitoring, 37 percent reporting and 43 percent responding to a cyber incident. From another perspective, a survey of 200 U.S. law firms last October revealed that 41 percent were planning to increase spending on cybersecurity tools and services in the next 12 months.
Yet, despite greater attention and increased spending, significant data breaches at law firms of all sizes continue to make news. From our investigative experience and what we know from global law enforcement agencies, law firms are being targeted mainly by a few tiers of cyber criminals. They range from ultra-sophisticated, well-backed criminal enterprises after specific high-value data to thieves looking for the easy win at firms with lax security.
Equally troubling, breached law firm data is showing up on the dark web alongside data that was not stolen, but rather accidentally exposed by employees or third parties. In May 2018, Kroll performed an analysis of the deep and dark web, and for every law firm in our sample, we found company emails and passwords up for grabs, creating a clear risk for fraudulent credential reuse. The source in many cases: employees who used their company email addresses to sign up for third party services.
With the trust of clients at stake, law firms are at a cybersecurity crossroads
At the heart of every attorney-client relationship is the client's expectation that all forms of communications will be privileged and kept in strict confidence. In fact, the protections afforded by attorney-client privilege are why many clients primarily seek help from attorneys instead of potentially other professional advisors. The thought of client information breached, sold or otherwise divulged is the stuff of lawyers' (and their clients') nightmares.
Because current cybersecurity strategies are often coming up short, law firms should consider a more holistic approach, one that addresses data security from multiple directions but in an integrated way. Defensive measures continue to be a vital part of the security equation, but today, best practice also calls for sophisticated threat hunting, detection, investigation and response capabilities. This is the path to cyber resiliency, which enables you to more quickly and effectively neutralize harm caused by cyber criminals.
Cyber resiliency starts with a better understanding of the fundamentals: What do hackers want and why? How are they getting past existing defenses?
Cyber criminals are among the most inventive and motivated people on the planet when it comes to monetizing data. The data held by law firms is particularly valuable because it can be leveraged in a multitude of ways—e.g., facilitating insider trading, setting up sophisticated counterfeiting operations, getting to government patent/trade offices or to market first by stealing intellectual property, running blackmail schemes or exercising personal vendettas that ruin reputations. Of course, there is always the irresistible appeal of stealing the identities of wealthy or well-connected clients for financial or other personal gain.
Data losses at law firms can often be traced to one of three primary attack vectors:
- Phishing/Spear Phishing/Business Email Compromise. This is currently the most common method of attack. On average, 12-30 percent of people click on phishing messages.
- Ransomware. Three main delivery methods account for the majority of ransomware infections: a user visits a compromised website that hides malicious code; a user opens a malicious email attachment; or a user clicks on a malicious link within an email message.
- Distributed Denial-of-Service (DDoS) Attacks. By overloading a firm's servers, criminals severely disrupt the firm's ability to conduct business. However, DDoS attacks may also serve as a distraction while a more sophisticated attack is carried out.
People, Processes, Technology: Three pillars of cyber resiliency
In our experience, organizations are best positioned to mitigate data-related threats if they take a multidimensional approach to cybersecurity. Whether you are a GC involved in managing cyber risk for your firm or a law firm of any size or clientele, the same principles apply: Integrate strategies that address people, processes and technology and you will be in a stronger position to protect your data, ultimately safeguarding your reputation and vital client relationships.
The vast majority of cyber-related vulnerabilities can be traced to staff and third parties who accidentally or deliberately don't follow security protocols or are tricked into downloading malicious code.
- Executive leadership and managing partners must set the tone at the top that information security is everyone's responsibility.
- Make employees and third parties your first line of defense by delivering ongoing security awareness campaigns and training, and then testing that training. Periodically remind users of basic best practices that include using company email accounts strictly for internal and client communications and carefully examining all incoming emails before clicking on any link or attachment. Also, employees should know how to raise an alert if they accidentally click on or open something suspicious.
Many organizations, including law firms, are finding great value in having a Chief Information Security Officer (CISO) on their executive team. This expert has the specialized technical knowledge and corporate governance experience to help organizations develop risk-based strategies appropriate for their needs. Engaging a virtual CISO on an interim or longer-term basis can be a good option for smaller firms or those in the midst of conducting an executive search.
Several resources exist to help law firms create and implement policies and processes that promote information security, such as best practices outlined in SOC 2, ISO 27001, the NIST Cybersecurity Framework or CIS Controls.
At a minimum, law firms should have policies that address acceptable uses of corporate IT resources, data classification and “principle of least privilege”, mobile resources and social media, to name a few. Staff as well as third parties should be required to comply with all policies.
Additionally, law firms should strongly consider using restricted client portals that encrypt documents and messages to promote greater security. According to the American Bar Association TechReport 2017, many law firms aren't using encryption for emails to clients, leaving the door open for hijacked communications, spoofed emails, etc.
Given enough time and resources, a cyber criminal will eventually find a way into your law firm's systems. Therefore, a more effective technology trend has been to deploy endpoint threat monitoring solutions, the most sophisticated of which reduce the burden of dealing with false positives and enable quick containment and remediation efforts.
Investing in a dark web monitoring solution can also alert you to potential threats that originate from outside your network. For example, Kroll recently found several highly sensitive and attorney-client privileged documents belonging to one of our clients, a Fortune 100 global financial services company, exposed on the dark web. The source: a paralegal at one of our client's outside law firms who was inadvertently disclosing this content while accessing free music and movies on P2P networks.
Clients need to know that their attorneys are protecting the sensitive information entrusted to them, and law firms need to take steps that signal their commitment to modern data security. By adopting more effective cybersecurity measures, law firms can help keep criminals at bay, preserve the trust of clients and stand out as a provider of choice in today's highly competitive legal and professional services market.
Brian Lapidus is Practice Leader of the Identity Theft & Breach Notification (ITBN) practice, based in Kroll's Nashville office. Brian helps clients and their advisors, including boards of directors, legal counsel and insurance providers, resolve the myriad complex issues resulting from a data breach. Keith Wojcieszek is an Associate Managing Director in Kroll's Cyber Risk practice, based in Washington, D.C. Keith joined Kroll from the United States Secret Service, where he served with distinction for 15 years.