cybersecurity

 

Picture this: you're a hacker on the hunt for sensitive data to use for nefarious means. Whether it's financial information or confidential disclosures, you're planning a digital heist for the ages. Now the question is, what's your easiest mark?

If you answered a law firm, you'd be right on the money.

For cybercriminals, law firms are a dream target: They offer a treasure trove of the most sensitive information while often implementing poor policies and technologies for cybersecurity and IT. It's no wonder then that legal firms are increasingly under attack by hackers.

Law firms are often involved in intimate transactions for their clients and deal with very sensitive data that goes beyond traditional personally identifiable information (PII), including highly confidential business and financial documents. Despite this, firms often lack thoroughness in their awareness of cybersecurity issues and overlook the various vulnerabilities. It usually takes just a single employee's account to compromise the entire system.

The key to cybersecurity for these firms, beyond technology, is to implement comprehensive policies for employees, especially in areas involving sensitive data. Regular risk assessments will also go a long way in laying the foundation for keeping hackers away.

The Password is the Weakest Link

Usage of passwords continues to be the Achilles heel of cybersecurity. Not only are the cracked password lookup tables growing into billions of data points, access to them has become cheap and easy for any hacker willing to pay a fee for it. This new phenomenon has become possible as hacking groups have realized that it is profitable to "rent out" their assets to others creating a sub-industry on the dark web.

The human element that exacerbates the problem the most that we heavily rely on reusing passwords across online services, work accounts and even social media accounts. The most popular modus operandum hackers use would be get obtain passwords from a less secure online "free" service and use them to access highly sensitive documents such as the ones lawyers and attorneys are privy to.

The Threat is Universal, Consequences Severe

A complacent attitude towards security has serious ramifications—massive damage to the reputation of the firm, possible penalties from government agencies, leaked data media investigations, and even lawsuits from clients.

A recent Law.com investigation found that more than 100 law firms have reported data breaches that compromised highly sensitive and confidential data. This may only be the tip of the iceberg as many breaches can go either undetected or unreported.

One such landmark breach was the 2015 exposure of 11.5 million documents belonging to the Panamanian law firm Mossack Fonseca. This explosive leak led to the disclosure of some of the world's wealthiest asset stashes, causing at least 150 inquiries or investigations in 79 countries. Two years later, the law firm shut down due to the economic and reputational damage it suffered.

Although the media eagerly reported on the scandalous data obtained from the leak, there is little information about how the breach actually happened. Over time, security experts have concluded that lack of basic web security practices on the part of Mossack Fonseca and their web administrators—including having out-of-date WordPress and Drupal content management software—made them easy prey to hackers.

Mossak Fonseca isn't the only example of a law firm suffering from a major security breach. According to third-party experts, more than 80% of the 100 largest U.S. firms have been hacked since 2011 and majority of them have increased their IT spends significantly

Among smaller law firms, there is a misplaced sense of security since they think they are too small or remote to be attacked. However, trends have revealed that hackers are indiscriminate; everyone is at risk.

Artificial Intelligence Worsens the Problem

Already, the use of artificial intelligence takes the effectiveness and scale of phishing attacks to a new level. Algorithms can now be used to "harvest" passwords at scale due to the high degree of personalization that makes phishing emails much harder to distinguish from legitimate ones.

In the near future, AI also as the potential to help hackers steal confidential data at scale through algorithmic social engineering. It is not inconceivable that this kind of technology combines with data obtained through social engineering to send a highly personalized believable email to a lawyer convincing them that the email is coming from their client and leading them to reveal confidential client information to the hacker.

How to Protect Your Firm from Cyber Attacks

There are some key steps law firms need to take to ensure they remain prepared for possible breaches.

First, they need to set aside a budget and dedicated personnel for cybersecurity. They need to establish solid data governance and a cybersecurity policy while assigning an executive member to drive this and perpetually keep systems and procedures up-to-date.

Firms must thoroughly protect employee access to systems; this includes contract and remote workers. Multifactor or biometric-based authentication is mandatory as all user entry points must be safely guarded.

Storing all data in an encryption format is crucial. Firms also need to vet all third-party vendors and partners for their data security practices.

Finally, law firms need to create processes for training, compliance monitoring, and active detection and response. They should develop an incident response plan as well as hire third-party experts to assess risks and conduct audits regularly.

There are plenty of resources that outline the recommended security measures. Law firms need to look into adopting all or parts of the guidelines of security standards such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

A cyber insurance policy can also provide coverage in the event of a breach. Even with all reasonable measures in place, a determined hacker may still find a backdoor into the system. Law firms often have the additional complexity of ensuring client safety in addition to their own cyber protection.

There is No Future Proofing

Cybersecurity is a perpetual game of staying current with the technology that criminals are using in their attempts to obtain sensitive data. As hackers get more sophisticated in their tools and techniques, law firms need to consider using advanced technology—such as AI and prediction models—as well.

Firms need to stay proactive to avoid breaches and make themselves as cyber-resilient as possible. You may think, "No one I work with would ever fall for a hacker's phishing emails," but you'd be surprised. Hackers are constantly optimizing their digital trickery, making it increasingly hard to detect a threat using only human judgment.

 

Aman Khanna is Co-Founder and VP of Products at ThumbSignIn, a strong authentication provider offering a suite of two-factor and biometric solutions. Khanna is a seasoned software product management professional with more than 20 years of experience in the consumer mobile and internet space, with specific expertise in cybersecurity.