Law firms are under attack.
Working in a world of confidentiality and discretion, attorneys deal with highly valuable and sought-after information. This year alone has already seen a number of law firms fall victim to high-profile cyber-attacks.
The American Lawyer reported on law firms in New York and Minnesota that were recently targeted by an email phishing scam called GozNym. The program infected users’ computers, allowing hackers access to banking login information. The criminals transferred over $117,000 before they were apprehended.
In January 2019, The American Lawyer also covered a story about a U.S. law firm being one of the victims in a string of advanced cyber-espionage attacks. The article cited a Recorded Future cyber-threat analysis detailing an alleged attack by a Chinese government-sponsored group called APT10. The law firm, which specializes in intellectual property, was targeted by APT10. The group used remote access software to get into the firm’s networks, acquire user credentials, hack the law firm’s third-party software, and then leverage that information to gain access to the networks of hundreds of corporations around the world.
Nearly all law firms have one thing in common: they store valuable data, and cyber criminals know it. Smart firms are taking steps to minimize their risk.
Could you be a target?
A single legal office stores a wealth of potentially lucrative information such as confidential case files, trade secrets, corporate documents, and details about client finances. Sometimes lawyers or firms themselves are targets. Sometimes their clients are the targets. Either way, the data that is sought after by hackers, if released, could ruin a business and its reputation.
But the sensitive information itself isn’t the only reason law firms are common targets for cyber-attacks. The legal industry has other specific vulnerabilities:
- Many law firms have old or outdated systems that haven’t kept up with newer security measures.
- Law firms are especially vulnerable to phishing and email attacks because a vast majority of their information (sensitive or not) is sent through email. Hackers also use phishing and email attacks to gain access to other information a firm might be storing, which could leave hundreds of files unprotected.
- Many law firms use cloud-based storage systems, which can create an easy “in” for hackers if the firm doesn’t fully understand the setup and privacy settings.
- Law firms rarely put the time, effort and money into a proper IT department/person. This results in many law firm cybersecurity decisions being made by someone who is not an expert in the field.
Most attorneys find their work is based largely on reputation and on word of mouth, which leaves them in a vulnerable position if attacked. All U.S. states have some type of notification law in the event of a data breach. Having to disclose the loss of client information or valuable trade secrets could destroy a firm’s reputation.
What should you do?
As an attorney, you are faced with an uphill battle when it comes to minimizing your cybersecurity risk. The threats to your firm are constantly evolving, as are the best practices for keeping your data safe.
It can be overwhelming, but there are immediate steps you can take to protect your firm. Start with:
- Implementing the National Institute of Standards and Technology (NIST) guidelines for “strong” passwords.
- Creating a cybersecurity playbook for your law firm.
- Reviewing your data breach insurance policy. You may want to adjust coverage based on your exposure and your risk tolerance.
- Quantifying your risk using a Cyber Liability Self-Assessment.
It is imperative for all lawyers and other business owners alike to remember: hackers only need to find one way in. They spend a great deal of time finding that one way, so make sure to protect your business from every possible angle.