Cybersecurity for law firms is a growing concern in 2021. Working with sensitive and confidential information is at the core of most legal services. In today’s age information is power. The volume and type of sensitive information law firms are entrusted with makes them an attractive target for cybercriminals.
So attractive, in fact, that the American Bar Association’s 2019 Legal Technology Survey cites 26% of respondents reporting that their law firms have experienced some sort of security breach.
The more worrying statistic: 19% reported that they do not know whether their firm has ever experienced a security breach!
If you’re not looking for a breach, you’ll never know you have one until it’s too late.
Legal Practice Threats, Examples and Best Practices
The vulnerability of law firms to cyberattacks is heightened not only by the confidential client data that is lucrative to attackers but also by the increasing digitization and use of technology in firms of all sizes.
The more of the firm’s business, data collection and data storage is done online, the greater the chances of your law firm becoming the victim of a cyber attack.
Additionally, law firms are increasingly turning to working remotely with many law firms around the world already operating on a fully or partially remote basis.
Accessing law firms’ networks and information systems from personal, often insecure devices and the challenges of enforcing strong security policies in such an environment can open up even more entry points for malicious attackers.
Cybersecurity threats are rampant in all industries and come at a time of new and tightened data protection and breach notification regulations and laws.
A data breach or security incident now not only damages a law firm’s reputation but also brings monetary losses in cases of negligence and failure to comply with regulations.
While there has been notable progress in creating and adhering to security programs and procedures, law firms still have a long way to go to protect themselves and their clients from cybercriminals. In the current cyber threat landscape, law firms can no longer ask whether they will be the victim of a cyber attack but when, and must prepare accordingly.
Common Cybersecurity Threats to Law Firms and How to Protect Against Them
The first step should always be recognition of cybersecurity threats to law firms and their consequences. Furthermore, law firms should consider the needed security practices and implementation of security programs and policies to stop those threats before they result in an attack.
Here we have gathered the 3 most common cybersecurity threats to law firms that will continue ravaging the legal sector in 2021 and simple and actionable prevention methods that you can implement:
Ransomware Threats To Legal Practices
Ransomware is one of the most devastating types of cybercrime out there.
Being denied access to systems and files and having them held for ransom by a cybercriminal is not a scenario you want your law firm to be in. In 2020 alone, ransomware was one of the most popular techniques cybercriminals used to target law firms.
A typical ransomware attack starts with a phishing email that mimics a trusted and legitimate source and is sent to individuals in the law firm. The email carries malware that is delivered to the victim’s device when they open an attachment or click a link. Once the malware is on the victim’s device, it can reach the firm’s network and perform the further activity needed to encrypt the entire network and render it unusable unless the law firm pays the ransom.
There are of course the options of restoring from a backup of the network or using available decryptors, but that is not always possible, nor the best solution.
We can turn to the DLA Piper LLP ransomware attack for some clues on how devastating these attacks can be to law firms.
In 2017, DLA Piper was hit with a ransomware attack that infected hundreds of thousands of computers and encrypted all affected files, demanding $300 worth of Bitcoin to avoid their deletion. While DLA Piper’s IT team acted fast to stop the attack from ravaging more of their systems, the firm is still estimated to have lost hundreds of thousands, if not millions, of dollars.
How To Protect Your Law Firm From Ransomware
Ransomware attacks on law firms are known to shut down operations for days, weeks, and sometimes even months at a time until the perpetrators are caught or the ransom is paid. This results in large financial and operational losses.
The best defense against ransomware attacks for your law firm is ensuring that there is the right combination of people, processes, and technology. This would entail:
- Strong cybersecurity awareness and understanding of the threat and its tell-tale signs among employees and executives
- Implementing multi-factor authentication that will require everyone accessing the firm’s network to authenticate themselves further than with just a password
- Timely operating system, email, and software updates
- Backing up all data
In the case of suffering a ransomware attack, the last thing that you should do is pay the ransom — who can guarantee that cybercriminals will release the data or won’t attack again?
They are criminals after all. Working with a trusted IT cybersecurity company and law enforcement should be the first step once you discover an attack.
Who is that email coming from?
We mentioned phishing emails as a common method used by cybercriminals to gain access to law firms’ networks. And when we say common, we mean it: 100% of the top 10 law firms suffered at least one phishing attack last year according to the PWC ‘Law Firms’ Survey 2019’.
A common phishing scenario uses a false email address that closely resembles a trusted and legitimate service, organization, or even a client to target employees of a law firm. There is often an attachment in those emails that is cleverly presented as an e-contract, invoice, or anything else that would entice the recipient to open it.
This can deliver malware to the victim’s device and act as a gateway to the law firm’s entire network, giving attackers access to greater amounts of confidential data that they can then alter, steal or delete.
Another variant contains a link that directs the recipient to a website. The website can appear legitimate, often impersonating a site the firm’s employees frequent, with a login page that asks the victim to enter their credentials and even private information. Once that information is obtained, attackers can use it to execute further attacks on the law firm’s network.
The best protection against phishing attacks is knowing what to look for:
- Some phishing emails have poor spelling and grammar and don’t feature the level of quality expected from a sender they are trying to impersonate
- In less targeted phishing emails, you will commonly be addressed as a “valued customer” or similar rather than by your name
- Double-check invoices and documents relating to services and sources you do not recall requesting, needing or ordering before opening them
- Be suspicious of the sender’s email address: while it will look almost identical to a legitimate one, it can often hide a small typo. You can also check whether the email address is actually in use by the sender it is impersonating
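As an added example (not code from the original article), here is a small Python checker that applies two of the checks above to an incoming message: a sender domain that is a near-match for a trusted domain or a display name that claims a trusted brand, and a generic greeting. The trusted domains and the sample messages are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of sender domains this hypothetical firm trusts.
TRUSTED_DOMAINS = {"example-client.com", "docusign.com", "ourfirm-law.com"}

# Openings that address nobody in particular, typical of untargeted phishing.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear sir/madam")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot the one-character typo hidden in a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_email(from_header: str, body: str) -> list[str]:
    """Return the reasons a message looks suspicious; an empty list means no flags."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Within two edits of a trusted domain: the classic "small typo" lookalike.
            if edit_distance(domain, trusted) <= 2:
                flags.append(f"sender domain {domain!r} is a near-match for trusted {trusted!r}")
            # Display name borrows a trusted brand while the real domain is something else.
            brand = trusted.split(".")[0]
            if brand in name.lower():
                flags.append(f"display name claims {brand!r} but domain is {domain!r}")
    if body.strip().lower().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting instead of the recipient's name")
    return flags


if __name__ == "__main__":
    # Constructed sample messages: one lookalike, one legitimate client email.
    for reason in check_email("DocuSign <alerts@docus1gn.com>",
                              "Dear Valued Customer, please review the attached invoice."):
        print("FLAG:", reason)
    print(check_email("Jane Doe <jane@example-client.com>",
                      "Hi Mark, attached is the signed engagement letter."))
```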
Furthermore, law firms can protect themselves from phishing by enforcing a password policy across the entire firm that will require everyone on the network to use complex passwords, not reuse passwords, periodically change passwords, and employ multi-factor authentication.
Internal Threats To Law Firm Cybersecurity
Outsiders and cybercriminals that lurk outside of your law firm’s network are one thing, but having insiders with malicious intent that already have access is a whole different level of danger. A staggering 96% of IT leaders in the legal sector say insider threats were a significant concern in 2020, according to Egress.
And insider threats are not limited to disgruntled former employees, competitors, strategically placed insiders or anyone on the inside with malicious intent: one moment of carelessness from a staff member can lead to an unintentional data leak. The same report from Egress cites that 77% of respondents think employees have put data at risk accidentally in the past 12 months.
Insider threats are particularly dangerous because they can go undetected for months or even years. When someone already has access to confidential information, it’s almost impossible to distinguish whether they are engaging with it maliciously. Additionally, an unsuspecting employee leaking data might not even realize that they are doing so until it’s too late.
Consider the following steps to reduce your law firm’s chances of falling victim to an insider threat:
- Limit and monitor access to sensitive data: Not every staff member needs access to every part of the system and data; they only need access to what they use on a daily basis. Additionally, employ a solution that monitors access to sensitive data so you can see when users try to reach parts of the system or data they are not authorized for
- Security awareness: Just as with any type of cybersecurity threat, the first step towards prevention is awareness of its existence, prevalence and best practices. Use engaging staff training, and have solutions or IT service providers that give you a full picture of your sensitive data, where it lives on the system and who has access to it
- Multi-factor authentication: MFA again: requiring users to authenticate with more than just a password, whether an SMS code, security question or biometrics, adds an additional layer of protection to all accounts on your network
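An added example, not part of the original article, of what the "limit and monitor access" step looks like in practice: constructed access-log lines are checked against a hypothetical least-privilege map of role to permitted path prefixes, and downloads outside business hours are flagged as a second signal worth a human look.

```python
import re
from datetime import datetime

# Constructed sample access log (not from any real system).
LOG_LINES = """\
2021-03-02T09:14:05 user=asmith role=paralegal action=read path=/matters/M-1042/discovery/exhibit-a.pdf
2021-03-02T09:20:41 user=jlee role=billing action=read path=/finance/invoices/2021-02.xlsx
2021-03-02T09:31:12 user=asmith role=paralegal action=read path=/finance/payroll/partners.xlsx
2021-03-02T21:45:00 user=rpatel role=associate action=download path=/matters/M-1042/privileged/memo.docx
2021-03-02T09:50:03 user=jlee role=billing action=read path=/matters/M-1042/privileged/memo.docx
"""

# Hypothetical least-privilege map: each role may touch only these path prefixes.
ROLE_SCOPES = {
    "paralegal": ("/matters/",),
    "associate": ("/matters/",),
    "billing": ("/finance/invoices/",),
    "partner": ("/matters/", "/finance/"),
}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59; downloads outside this window get flagged
LINE_RE = re.compile(r"(\S+) user=(\S+) role=(\S+) action=(\S+) path=(\S+)")


def in_scope(role: str, path: str) -> bool:
    """True when the path falls under one of the prefixes the role is allowed to access."""
    return any(path.startswith(prefix) for prefix in ROLE_SCOPES.get(role, ()))


def audit_access(log_text: str) -> list[tuple[str, str, str]]:
    """Return (user, path, reason) for every log line that deserves review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        ts, user, role, action, path = m.groups()
        hour = datetime.fromisoformat(ts).hour
        if not in_scope(role, path):
            findings.append((user, path, f"path outside {role!r} scope"))
        elif action == "download" and hour not in BUSINESS_HOURS:
            findings.append((user, path, "off-hours download"))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit_access(LOG_LINES):
        print(f"{user}: {reason} ({path})")
```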
Is Your Law Firm Vulnerable to Cybersecurity Threats?
Today, cybersecurity is imperative for any organization operating online. This rings even truer for law firms, which are entrusted with such confidential data. Your clients deserve to have their confidential information protected. It is no exaggeration to say that the future of your law firm can depend on how well you fend off cybersecurity threats.
Understanding the different cybersecurity threats that endanger your IT infrastructure and reputation, and assessing your susceptibility to them, can go a long way in informing the best security approach.