Cybersecurity is evolving. This is more than just a technology issue or an added clause in the retainer agreement—it’s the biggest risk that law firms face in 2017. Cravath, Swaine & Moore and Weil Gotshal & Manges, two of the largest firms in the United States, got caught in a major cybersecurity breach later linked to a $4 million-plus insider-trading scheme. Other law firms that were hacked in the past five years include Panama-based law firm Mossack Fonseca, NYC law firm Cravath, Swaine & Moore and Weil Gotshal & Manges and Wiley Rein, one of the largest law firms in Washington, D.C. Today, cyber risk is just a part of doing business for law firms – big ones and large ones.
Law firms are an easy target for hackers, and hackers seek ways to monetize their break-ins. They use ransomware to steal data and use blackmail blocking access to the firm’s computer system until the ransom is paid. Another strategy is to threaten the publication of embarrassing information. And if law firms don’t comply with the demand, they risk losing confidential data permanently. Here are three top reasons why cybercriminals target law firms.
The threat to law firms is real. “In the spring of 2016, more than 40 of America’s top law firms were targeted for information on global mergers and acquisitions in one single hacking event. As reported by DataBreaches.net, the American Bar Association confirmed that approximately 25% of all U.S. law firms with 100 or more lawyers had experienced a data breach in 2015. These incidents occurred in the form of website attacks and break-ins. Lost or stolen items, like computers or cell phones, also contributed to these statistics. During the same year, 15% of all law firms reported an unauthorized intrusion into the computer files of their practices. “
Law firms can make it difficult for hackers. All the technology in the world cannot protect a law firm. People are the weakest link in the cybersecurity chain, and employees need to be better trained at spotting things like a phishing email. Law firms can fight back by keeping backups disconnected from the internet and network. This way, they can’t be hit by malware. Patches need to be installed to fix holes in security and updates to the software should be done on a regular basis. This will prevent leaving the door open and letting cybercriminals in. Archives, unidentifiable users, and executable files should be blocked. And if using cloud storage, the law firm should control the encryption key itself. The cybersecurity program should always meet the needs of all clients. There should be effective restrictions on all mobile devices. If a breach should occur, systems need to be set to capture log data. Law firms should also share threat information about vulnerabilities with others.
Awareness is key.
Law firms face the same most common attacks as other types of companies and organizations. Here’s a list of the most common five:
Both strong end-user education and updated anti-malware are very effective to fight socially engineered malware. Anti-spam vendors should be used to have clean inboxes. Up to 70 percent of email is spam. Unpatched programs like Adobe Reader should be perfectly patched to decrease the risk of an attack. Rogue friends and bad applications are often seen on social media sites like Twitter, Facebook, and LinkedIn. Many of the worst hacks actually start on social media. Law firms need to make sure that employees do not share corporate passwords and use sophisticated logins to ward off hackers who disguise themselves as friends. The most common method for an advanced persistent thread is to send a specific phishing campaign. It’s easy to trick employees with this strategy. Preventing this type of attack is tough, but law firms need to understand their own network traffic patterns to catch it.
It’s important that law firms ensure its defenses are aligned with the most common attacks. If you’d like to learn more about how to protect your law firms against cyber attack, contact Tektonic in The Greater Toronto Area at (416) 256-9928 or email at firstname.lastname@example.org.