It's Time for Law Firms to Think Again About Their Cybersecurity Strategy
One employee falling for a phishing email can compromise a firm's entire database. Will your client information be protected if that were to happen?
February 11, 2020 at 07:00 AM
7 minute read
Picture this: you're a hacker on the hunt for sensitive data to use for nefarious means. Whether it's financial information or confidential disclosures, you're planning a digital heist for the ages. Now the question is, what's your easiest mark?
If you answered a law firm, you'd be right on the money.
For cybercriminals, law firms are a dream target: They offer a treasure trove of the most sensitive information while often implementing poor policies and technologies for cybersecurity and IT. It's no wonder then that legal firms are increasingly under attack by hackers.
Law firms are often involved in intimate transactions for their clients and deal with very sensitive data that goes beyond traditional personally identifiable information (PII), including highly confidential business and financial documents. Despite this, firms often lack thoroughness in their awareness of cybersecurity issues and overlook the various vulnerabilities. It usually takes just a single employee's account to compromise the entire system.
The key to cybersecurity for these firms, beyond technology, is to implement comprehensive policies for employees, especially in areas involving sensitive data. Regular risk assessments will also go a long way in laying the foundation for keeping hackers away.
|The Password is the Weakest Link
Usage of passwords continues to be the Achilles heel of cybersecurity. Not only are the cracked password lookup tables growing into billions of data points, access to them has become cheap and easy for any hacker willing to pay a fee for it. This new phenomenon has become possible as hacking groups have realized that it is profitable to "rent out" their assets to others creating a sub-industry on the dark web.
The human element that exacerbates the problem the most that we heavily rely on reusing passwords across online services, work accounts and even social media accounts. The most popular modus operandum hackers use would be get obtain passwords from a less secure online "free" service and use them to access highly sensitive documents such as the ones lawyers and attorneys are privy to.
|The Threat is Universal, Consequences Severe
A complacent attitude towards security has serious ramifications—massive damage to the reputation of the firm, possible penalties from government agencies, leaked data media investigations, and even lawsuits from clients.
A recent Law.com investigation found that more than 100 law firms have reported data breaches that compromised highly sensitive and confidential data. This may only be the tip of the iceberg as many breaches can go either undetected or unreported.
One such landmark breach was the 2015 exposure of 11.5 million documents belonging to the Panamanian law firm Mossack Fonseca. This explosive leak led to the disclosure of some of the world's wealthiest asset stashes, causing at least 150 inquiries or investigations in 79 countries. Two years later, the law firm shut down due to the economic and reputational damage it suffered.
Although the media eagerly reported on the scandalous data obtained from the leak, there is little information about how the breach actually happened. Over time, security experts have concluded that lack of basic web security practices on the part of Mossack Fonseca and their web administrators—including having out-of-date WordPress and Drupal content management software—made them easy prey to hackers.
Mossak Fonseca isn't the only example of a law firm suffering from a major security breach. According to third-party experts, more than 80% of the 100 largest U.S. firms have been hacked since 2011 and majority of them have increased their IT spends significantly
Among smaller law firms, there is a misplaced sense of security since they think they are too small or remote to be attacked. However, trends have revealed that hackers are indiscriminate; everyone is at risk.
|Artificial Intelligence Worsens the Problem
Already, the use of artificial intelligence takes the effectiveness and scale of phishing attacks to a new level. Algorithms can now be used to "harvest" passwords at scale due to the high degree of personalization that makes phishing emails much harder to distinguish from legitimate ones.
In the near future, AI also as the potential to help hackers steal confidential data at scale through algorithmic social engineering. It is not inconceivable that this kind of technology combines with data obtained through social engineering to send a highly personalized believable email to a lawyer convincing them that the email is coming from their client and leading them to reveal confidential client information to the hacker.
|How to Protect Your Firm from Cyber Attacks
There are some key steps law firms need to take to ensure they remain prepared for possible breaches.
First, they need to set aside a budget and dedicated personnel for cybersecurity. They need to establish solid data governance and a cybersecurity policy while assigning an executive member to drive this and perpetually keep systems and procedures up-to-date.
Firms must thoroughly protect employee access to systems; this includes contract and remote workers. Multifactor or biometric-based authentication is mandatory as all user entry points must be safely guarded.
Storing all data in an encryption format is crucial. Firms also need to vet all third-party vendors and partners for their data security practices.
Finally, law firms need to create processes for training, compliance monitoring, and active detection and response. They should develop an incident response plan as well as hire third-party experts to assess risks and conduct audits regularly.
There are plenty of resources that outline the recommended security measures. Law firms need to look into adopting all or parts of the guidelines of security standards such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
A cyber insurance policy can also provide coverage in the event of a breach. Even with all reasonable measures in place, a determined hacker may still find a backdoor into the system. Law firms often have the additional complexity of ensuring client safety in addition to their own cyber protection.
|There is No Future Proofing
Cybersecurity is a perpetual game of staying current with the technology that criminals are using in their attempts to obtain sensitive data. As hackers get more sophisticated in their tools and techniques, law firms need to consider using advanced technology—such as AI and prediction models—as well.
Firms need to stay proactive to avoid breaches and make themselves as cyber-resilient as possible. You may think, "No one I work with would ever fall for a hacker's phishing emails," but you'd be surprised. Hackers are constantly optimizing their digital trickery, making it increasingly hard to detect a threat using only human judgment.
Aman Khanna is Co-Founder and VP of Products at ThumbSignIn, a strong authentication provider offering a suite of two-factor and biometric solutions. Khanna is a seasoned software product management professional with more than 20 years of experience in the consumer mobile and internet space, with specific expertise in cybersecurity.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
