Commercial law firms are among the most lucrative and information-rich targets a hacker could have, and most of them have never had a CISO nor used CISO as a Service to protect them. They are attacked by foreign governments (when the details of a deal are of interest to one or more international players), organized crime, hackers-for-hire working for competitors and sometimes even by the parties in a particular deal who want access to all the information they can get their hands on. If you want to protect your law firm from hackers, here is what you need to do:
According to the American Bar Association’s 2018 Cybersecurity Report, 42% of law firms with 50-99 employees experienced a breach; in our experience that number is much higher, taking into account that most breaches go unnoticed.
In the corporate M&A deals a law firm handles, any confidential information exchanged between the participants in the deal and their lawyers should remain confidential. Sometimes, if even the existence of such a deal reaches the wrong people before the time is right, the deal might fail and the potential damage could be worth millions.
This invites all kinds of players, from law enforcement to commercial espionage, and they all use the same techniques to get to the information: primarily hacking into partner, associate or paralegal e-mail accounts. Once in possession of a username/password combination, the hacker can use it to access your document management or filing system along with all e-mails in that mailbox and extract all the information they need.
This opens up opportunities for extortion by hackers, insider trading and simply selling the information to the highest bidder. Protecting your law firm from that gives you an advantage over others who don’t.
Another case we’ve seen a lot: when a law firm gets hacked, its financial dealings become known to the hackers (who gets billed and when, what wording is used in invoices, what invoicing software is in use) and all that information is then used to defraud the law firm or its clients.
All the hacker needs to do next is send a fake invoice to a large client, with a “new” bank account. The client sends the payment, the criminals collect and launder it, and disappear.
Meanwhile, the law firm is missing a legitimate payment which should have arrived in its old bank account. They call their client asking for the payment, only to find out ‘it was already sent a month ago’. What follows is a lengthy investigation to find out what happened and who was at fault.
The law firm’s client now suspects the firm might have acted in bad faith, as they now have to send the money twice; and even if the money is recovered by swift intervention with banks and law enforcement, the trust between the parties involved is usually lost (sometimes forever).
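The fake-invoice fraud described above is caught on the paying side by comparing the bank details on each invoice with what is already on file, not by trusting the sender address (a hacked mailbox sends from the genuine one). The following is an added example, not code from the original post; the firm domain, IBANs and invoices are constructed sample data.

```python
import difflib
from dataclasses import dataclass

@dataclass
class Invoice:
    invoice_id: str
    sender: str     # address the invoice e-mail arrived from
    iban: str
    note: str = ""  # free text from the covering e-mail

# Constructed sample data: the firm's account as the client holds it on file,
# keyed by the firm's e-mail domain (hypothetical domain and IBAN).
ON_FILE = {"lawfirm.example": "GB11EXMP00000000000001"}

# Constructed incoming invoices: one genuine, one sent from the firm's own
# compromised mailbox with "new" bank details, one from a lookalike domain.
INVOICES = [
    Invoice("INV-1001", "billing@lawfirm.example", "GB11EXMP00000000000001"),
    Invoice("INV-1002", "billing@lawfirm.example", "GB99EXMP00000000000099",
            "Please note our new bank account details for this invoice."),
    Invoice("INV-1003", "accounts@lawfirrn.example", "GB99EXMP00000000000099"),
]

CHANGE_PHRASES = ("new bank", "updated bank", "new account", "changed our account")

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def check_invoice(inv: Invoice, on_file: dict) -> list:
    """Reasons this invoice must be confirmed out of band (by phone, on a number
    already on file) before payment; an empty list means it matches the record."""
    reasons = []
    domain = sender_domain(inv.sender)
    if domain not in on_file:
        reasons.append(f"unknown sender domain {domain}")
        for known in on_file:  # typo-squatted lookalike of a known domain?
            if difflib.SequenceMatcher(None, known, domain).ratio() > 0.8:
                reasons.append(f"sender domain resembles {known}")
    elif inv.iban.replace(" ", "").upper() != on_file[domain]:
        # Genuine sender address, different account: the hacked-mailbox case.
        reasons.append("bank account differs from the account on file")
    if any(p in inv.note.lower() for p in CHANGE_PHRASES):
        reasons.append("e-mail announces a change of bank details")
    return reasons

def flagged(invoices: list, on_file: dict) -> dict:
    """Map invoice id -> reasons, for every invoice that needs confirmation."""
    return {inv.invoice_id: r for inv in invoices
            if (r := check_invoice(inv, on_file))}
```

The check is a hold for manual confirmation, not an automatic rejection: a firm does occasionally change banks, and the confirmation call must go to a number already known, never one taken from the suspicious e-mail.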
Now another problem comes up. The law firm’s client asks themselves: if the law firm got hacked and sent us a fake invoice, did the hackers access all our confidential documents stored at that firm?
That is the biggest loss your law firm could suffer in a hacking incident: your client realizing that, due to a lack of cybersecurity measures at your firm, their most confidential data is now in the hands of criminals who might use it in a thousand different ways.
According to the American Bar Association, hacking incidents in law firms have been reported at a steep 18-20% increase year-over-year since 2014. According to the British SRA (Solicitors Regulation Authority), up to 60% of all law firms in the UK have been hacked.
If we think of the reasons, the primary one would be the lack of knowledge in defending against advanced cyber adversaries in the law firm’s IT department: IT is tasked with keeping things running and is usually pretty busy with that task alone. They simply don’t have time even to learn all the possible ways they can get attacked, let alone figure out ways to protect against these attacks. It is not their job, and we agree.
The ease with which a law firm mailbox can get hacked is astonishing. It can take as little as 5 minutes from start to end of the attack to gain unauthorized access to a randomly chosen e-mail account at a firm, and on average such a hack is not discovered for a year after it happens.
Responsibility to protect client data
The ABA’s ethics rules establish that it is the attorney’s duty to safeguard their clients’ information, alongside regulatory and contractual obligations. The number of law firms receiving requests to confirm they maintain a reasonable security program is increasing. The IT outsourcing firms usually used to keep things running rarely have the cybersecurity training and expertise to provide adequate protection and often resort to just installing an antivirus and a firewall, measures which are completely inadequate against modern attackers and threats.
Things to protect:
- E-mail communication. The easiest target for a hacker in a law firm is an unprotected e-mail account. This happens when users choose simple passwords for their domain (and e-mail) accounts and thereby expose all the data they work with to anyone who can guess or steal their credentials.
- Instant messaging communication. Hacking an attorney’s phone and instant messaging chats should be impossible if you follow each app’s security documentation. Criminals know that you exchange valuable and critically confidential information there and know how to get unauthorized access.
- Document management and filing systems. How does one get access to your most sensitive documents? If knowing someone’s username and password is all it takes, that is not enough protection.
- Desktops. Only in the movies do hackers hack through “firewalls” and “defenses”; in the real world their objective is to hack someone’s computer first, usually by sending a malicious document or attachment capable of bypassing antivirus systems (which is trivial).
- Cloud storage and computing systems. Any data you store and process in the cloud is stored and processed on someone else’s computer. How you gain access to that cloud storage and how you manage this access determines whether unauthorized people can do so easily or not.
Mandatory protection measures
Objective number 1 in preventing hacking attacks at law firms is to prevent the firm’s e-mail accounts from being hacked. That objective can be achieved by following a few relatively simple steps:
- Implement 2-factor authentication. But that does not mean it cannot be bypassed; don’t be fooled, there are many ways to bypass 2-factor authentication, so look for the vendors and solutions which offer the most protection against a bypass. We know these solutions, ask us!
- Train everyone at the firm, from the managing partner to the associates and paralegals, how to spot ‘phishing’, that is, fraudulent e-mails and documents which might lead to compromising their username and password. Security awareness training is crucial.
- Make sure nobody has administrative rights on their computer. This happens too often and is the reason for too many successful hacks to ignore. The only person with administrative rights on your firm’s computers should be your IT administrator.
- Run a comprehensive security assessment at your firm. It should avoid conflicts of interest with the IT department, meaning the person authorizing the assessment should have higher authority at the firm than the CTO/IT director. Remember: IT will not look good if too many security lapses are discovered. The objective of the security assessor is to find anything a hacker could use and report it so it can be fixed. The security auditor, on the other hand, should put no blame on the IT department, but rather suggest recommendations and the way to achieve them.
- Perform an Information Security Assessment!
- Contact us and let’s have a discussion how our experts can boost the defenses at your firm!