Relative to the sensitivity of the data that they protect, law firms have some of the laxest information security that you can find.
Over 100 law firms have reported data breaches since 2014, and the problem is accelerating. This is because attackers have learned that they can get more value out of legal information than a simple list of credit cards or passwords. For example, attackers have been known to attack M&A firms in order to get information on upcoming mergers and then conduct insider trading based on that information.
Because legal data is so valuable, the level of threat is so high, and relative defenses are so low, law firms need to scale their ability to defend themselves rapidly. Here are seven things they should be aware of.
If there’s no code involved, can you call it a hack? Business email compromise (BEC) involves hacking corporate processes instead of code. An attack may consist of an exact replica of a vendor invoice, a request for information from a longtime client, or a convincing email from your boss asking you to transfer money to a numbered account. In 2019, half of all monetary losses due to cybercrime – approximately $1.77 billion – was attributable to BEC.
According to the ABA, Microsoft Outlook counts as a practice management tool – and 57 percent of law firms use Outlook as their primary practice management tool. From a practical standpoint, what this means is that all of your most important documents may be stored as attachments in Outlook. This means that attackers only need to steal login credentials for Microsoft Outlook – usually via phishing – in order to create a very serious breach.
It’s amazing, but we’ve covered the two most common causes of data breaches, and both are accomplished without injecting a single line of malicious code onto your system. With that said, malware designed to attack law firms is relatively common, and law firms present an ample attack surface. A lot of malware will be dropped via phishing attacks, but aside from that, the main danger you have to look out for is…
Patch management can be a problem for any business: out of 11,092 vulnerabilities identified in the first half of 2019, 34 percent had not yet been patched by August. With law firms, the problem can be worse. With little funding for IT departments, routine maintenance tasks can remain undone for years. In the case of Mossack Fonseca – a textbook example of a law firm data breach – unpatched vulnerabilities in WordPress and Drupal made it startlingly easy for attackers to get away with the Panama Papers.
Given that it’s so easy for attackers to steal legal documents by grabbing Microsoft Outlook credentials, it would make sense for lawyers to choose an alternative communication method. If most phishing attacks come via email, and you transfer data using something other than email, then phishing attempts become that much harder to fall for. Alternatives such as Managed File Transfer software make secure and encrypted communications easy.
Only 68 percent of law firms report using mandatory passwords, and only 24 percent use password management tools. These are dismal figures. Passwords are a defense against attackers, but they’re not a strong defense. The use of password management tools – alongside tools like multi-factor authentication – can greatly reinforce security. The fact that many law firms aren’t using these tools suggests that their passwords are easier to break, multiplying the risk from every other attack vector.
In the wake of multiple successful cyberattacks against law firms, the ABA Standing Committee on Ethics and Professional Responsibility has released Formal Opinion 483. This states that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” If you do not take proactive steps to monitor and mitigate data breaches, your firm will find itself in trouble with the law’s most powerful governing body.
Here at Progress, we provide secure file transfer software that allows law firms to manage, send, and receive files without the risk of interception by bad actors. By centralizing, automating, and encrypting your file transfer mechanisms, you’ll be able to keep legal data secure when it’s both in motion and at rest. For more information on how we can help your firm protect both users and clients, check out our free demo today!
Writer on technology, information security, telecommunications, and more.