What is cyber security for law firms?
Definition: Just as any other company, a law firm needs cybersecurity, but it has some very specific requirements that are not present in other businesses. For example, most businesses don’t have filing systems or document management systems, and law firms have higher confidentiality requirements when dealing with M&A deals or confidential infrastructure projects. On the other hand, law firms have the same infrastructure elements as other firms – email, a directory service such as Active Directory or Azure Active Directory, file sharing and collaboration, etc.
As cyber attacks increase worldwide, law firms must realize that they are a prime target for hackers and cyber thieves if they are to protect their clients and themselves. Cyber attacks against law firms across the globe are increasing along with attacks against businesses and governments. Hackers seek to access confidential data, which could be anything from trade secrets to information about upcoming mergers or access to financial accounts and the funds they contain. Cybersecurity for law firms has become mandatory.
[image source: NetDocuments]
Keeping your clients safe.
That’s one of the highest priorities for your firm, right?
For 99% of people, security is more important than anything else in their life, and your clients must feel the same way about their data.
Our company does just that: we protect law firms so that they can promise the same to their clients.
Protecting document management systems such as NetDocuments in the example above requires knowledge in several fields: cloud service security, Azure Active Directory security, endpoint security and email security, and all of them have to be tied together and working in concert to prevent outages and keep the hackers out.
The time is past when law firms can push cyber security off to an IT manager and forget it. Law firms that do not prioritize cyber security take unforgivable risks with their clients’ data and their own futures.
According to ABA Standing Comm. on Ethics & Professional Responsibility, Formal Op. 477 at 2 (May 11, 2017), law firms no longer have to wonder if they will be the victim of a cyber attack. The question today is when will your law firm be attacked and what will be the extent of the damage.
In March 2016, the FBI warned that hackers were targeting large international law firms in order to steal confidential client information for purposes of insider trading. But if you think only large firms are at risk, you would be mistaken.
Threats come from all directions today, and they range from disgruntled employees to foreign powers. In March 2019, FBI Director Christopher A. Wray said the foreign cyber threats facing the United States are “unlike anything we have had in our lifetimes,” and specifically mentioned increased threats from Russia, Iran, China and North Korea.
Your Firm Stands a Very Real Chance of Suffering a Serious Cyber Attack
Although the cyber security risks are no doubt higher than reported, a starting point for understanding them is the annual ABA Legal Technology Survey Report. Lawyers who took the survey reported whether their firms have suffered a cyber breach.
The 2018 ABA report showed a correlation between firm size and level of threat, but that doesn’t mean smaller law firms are safe.
Looking at the UK, in 2017 alone, 60% of law firms reported an information security incident according to the National Cyber Security Centre. This is already a startling number, but even more so since it was a 20% increase over the previous year.
Now if these numbers do not seem big to you, think of it this way. If you were thinking of bungee jumping over the Grand Canyon and were told there was a 23% chance the cable would snap, would you go?
Law Firms Often Do Not Even KNOW When They Have Been Breached
Hackers could steal your data and your clients’ data, and you might not even know it. This means the numbers of reported breaches you just read are much lower than the number of actual incidents. According to the 2018 ABA Legal Technology Survey Report, the larger the law firm, the more likely it is to say it “doesn’t know”.
And keep this in mind: law firms stand nothing to gain and a lot to lose when they publicize a cyber breach. After all, companies and individuals entrust some of their most sensitive information to law firms, and they expect it to be kept confidential. A firm’s reputation is one of its biggest assets, and news of a security breach can severely damage it.
How Cyber Attacks Damage Law Firms and Their Clients
Losing Clients’ Sensitive Data
Hackers gaining access to their clients’ sensitive data is the stuff of nightmares for any alert attorney today. Once hackers breach your security, they can steal your data and that of your clients with disastrous results, including gaining access to financial accounts.
- Consider “the Panama Papers”. When Panama-based law firm Mossack Fonseca, the world’s fourth largest off-shore law firm, suffered a security breach resulting in the leak of 2.5 terabytes of data in 2015, the repercussions ricocheted around the world when it was revealed the firm was involved in creating more than 200,000 shell corporations in order to evade taxes. The fallout included the resignation of Iceland’s prime minister and Spain’s Minister of Industry.
- In 2016, hackers breached the security of some of the most prestigious U.S. law firms in order to gain information for insider trading. Up to 48 law firms were affected, and it is estimated that the hackers used the confidential company merger information they gained to make over $4 million through illegal insider trading.
- In the UK from 2016 to 2017, more than £11 million of client money was stolen by cyber criminals.
More Damage Cyber Attacks Cause Law Firms
Access to client data is only part of the havoc caused by cyber criminals. Of those who reported breaches in the 2018 ABA Legal Technology Survey Report,
How Cyber Thieves and Hackers May Attack Your Law Firm
Cyber criminals can attack in a variety of ways. Here are just some of them.
Phishing is when a message is sent or an item is downloaded that releases malware when the recipient clicks to open an attachment or download a file. Phishing attacks occur almost constantly, but here is one example. In 2012, hackers gained access to the computer of a bookkeeper at a Toronto law firm through a phishing ploy, probably through an email attachment or a free screensaver. The firm still doesn’t know for sure. Hackers were then able to record bank account passwords as the bookkeeper typed them. This gave them complete access to the firm’s trust account, which the firm used to wire funds to foreign countries. The firm lost six figures just over the December holidays.
Ransomware is increasing as a threat to law firms. It usually enters a law firm’s systems through phishing. Hackers encrypt the firm’s data and then demand to be paid in Bitcoin for the decryption key. Any size firm may fall victim.
In a well-known incident in 2017, global law firm DLA Piper, which positions itself as expert on cybersecurity, was attacked by ransomware called Petya. The firm lost access to its data for a time and had no phones or email for three days. It lost access to old email for a considerably longer time.
Malware and Spyware
Hackers sometimes infect law firm computer systems with malware that causes malfunctions or spies on the law firm. Serious consequences of a malware infection include loss of data and loss of data confidentiality.
The ABA Legal Technology Survey Report showed:
- 40% of respondents reported infections.
- 37% reported no infections.
- 23% reported they did not know.
Reported infections were:
- Highest in firms with 10 to 49 attorneys (48%)
- Lowest in firms of over 500 attorneys (20%)
Cryptojacking is relatively new. Thieves use software to hijack devices such as laptops and cellphones and convert them into cryptocurrency mining devices. When new communications technology emerges, it often presents new opportunities to hackers. It is up to the law firm to keep up to date on technology and protect against threats.
Law Firms Are Lucrative Targets for Cyber Criminals
Law firms are favored targets of hackers for some very good reasons.
- One-stop shopping: If hackers can break into a law firm’s systems, they can gain access to sensitive and valuable data of not just one company but many – all the law firm’s clients.
- Particularly valuable information: Law firm servers may hold information that is very valuable, everything from businesses’ intellectual property to medical records to government secrets. If you’re going to take the trouble to break in, it makes sense to hack where the rewards are worth the trouble.
- Low hanging fruit: Many law firms have not adequately guarded themselves and their clients against cyber attacks.
As long ago as 2011, FBI representatives met with the 200 largest law firms to warn them that law firms are a prime target of hackers. As already mentioned, in 2016, the FBI warned that hackers were targeting large international law firms yet again.
Attorneys’ Cyber Standard of Care
Lawyers have been required to protect the confidential data of clients for quite some time. That’s nothing new. What has changed is how law firms must protect their clients in today’s climate of cyber threats. The commentary to Rule 1.1 of the Model Rules of Professional Conduct directs attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” A recent article on the ABA website says that, depending on various factors, this may mean firms must “monitor network activity, review IT reports, and perhaps employ a chief information officer (CIO) in developing, implementing, and maintaining appropriate cybersecurity programs.” Failure to do so could result in legal malpractice claims.
Steps to Protect Your Law Firm and Its Clients
Keeping your clients’ data and your own safe is an ongoing process that requires constant vigilance. There are many steps you can put into place, and the more you use, the safer your data is. This is an area for experts, so the following steps are just starting points.
Establish an Aware Firm Culture
Senior partners of the firm should make sure that everyone in the entire firm is invested in data security. They need to establish ongoing training about keeping data safe on all devices.
Keep Your Firm on Its Toes
It’s not enough to just train everyone in your firm and then forget it. You need to retrain regularly and test people. You may even want to send fake “phishing” emails to see who clicks on them. Of course, this would be followed with more training. Continuous training is an important key to cyber safety, yet only 46% of law firms have cybersecurity training formally documented.
Institute Formal Policies
A frightening 45% of law firms do not have formal cybersecurity policies. Without policies in place to protect your data, train your people and respond if there is a breach, it is only a matter of time before your firm faces disaster.
Put Someone in Charge
If the size of your firm makes it possible, you will want your CIO to oversee your firm’s cyber security. If not, a firm executive could oversee it with the advice of the best cyber security experts you can find. 67% of law firms put cyber security management responsibilities on either IT Directors or Managers or some other non-IT executive at the firm. Don’t shift ultimate responsibility for keeping your firm safe to an IT manager.
Back Up Your Data
Only 40% of attorneys who responded to the 2018 ABA Legal Technology Survey Report reported that their firms have a disaster recovery/business continuity plan. Good backups of your data can protect you from ransomware that holds your data captive and malware that destroys it. After all, they can’t ransom your encrypted data to you if you already have it all someplace else.
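The backup argument above rests on two properties: the copy must be kept somewhere the ransomware cannot reach, and you must be able to tell which files were damaged and prove the restored copies are intact. The following added example (written for this page, not code from the firm or any product it mentions) shows both with a snapshot-plus-manifest approach: each backup run writes a new, never-overwritten snapshot with a SHA-256 manifest, a check compares the live directory against that manifest, and restore re-verifies every file it copies back. The matter directory, file names and the simulated "encryption" are all constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large matter files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, backup_root: Path) -> Path:
    """Copy src_dir into a new timestamped snapshot and write a SHA-256 manifest.

    Snapshots are never overwritten, so a later run cannot replace a good copy
    with an already-encrypted one; that is the property that defeats ransomware.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot = backup_root / stamp
    manifest = {}
    for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(src_dir).as_posix()
        dest = snapshot / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_of(path)
    (snapshot / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def load_manifest(snapshot: Path) -> dict:
    return json.loads((snapshot / "MANIFEST.json").read_text())


def find_damaged(src_dir: Path, snapshot: Path) -> dict:
    """Compare the live directory with a snapshot's manifest.

    Returns {relative_path: reason} for every file that is missing or whose
    content no longer matches. A ransomware run shows up as every file
    reporting 'modified' at once.
    """
    damaged = {}
    for rel, expected in load_manifest(snapshot).items():
        live = src_dir / rel
        if not live.is_file():
            damaged[rel] = "missing"
        elif sha256_of(live) != expected:
            damaged[rel] = "modified"
    return damaged


def restore(src_dir: Path, snapshot: Path, paths) -> int:
    """Copy the named files back from the snapshot, verifying each copy's hash."""
    manifest = load_manifest(snapshot)
    restored = 0
    for rel in paths:
        dest = src_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, dest)
        if sha256_of(dest) != manifest[rel]:
            raise RuntimeError(f"restore of {rel} did not match manifest hash")
        restored += 1
    return restored


def demo() -> dict:
    """Constructed walk-through: back up, 'encrypt' one file, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "matters"
        (live / "acme").mkdir(parents=True)
        (live / "acme" / "merger-term-sheet.txt").write_text("confidential terms")
        (live / "acme" / "engagement-letter.txt").write_text("engagement")
        snapshot = create_backup(live, Path(tmp) / "backups")
        # Simulate ransomware: the original bytes are replaced with ciphertext.
        (live / "acme" / "merger-term-sheet.txt").write_bytes(os.urandom(64))
        before = find_damaged(live, snapshot)
        restore(live, snapshot, before)
        after = find_damaged(live, snapshot)
        return {"damaged_before": before, "damaged_after": after}


if __name__ == "__main__":
    print(demo())
```

In practice the backup root would sit on storage the workstation cannot write to with its everyday credentials (an object store with write-once retention, or a server that pulls rather than is pushed to), which is what makes the "never overwritten" snapshot meaningful.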
Use Good Antivirus Software
It’s not enough to just use antivirus software. Make sure your antivirus software is effective and keep it up to date.
Keep Your Software Current
Use the most current operating systems and software, and promptly install software patches. The Equifax breach happened because the company failed to install a software patch.
Limit Access to Data
Give access to data only to those who really need it. Sometimes employees themselves can be a threat, and even if they are not, each of them is one more point through which a hacker can get in.
Be Careful of File Transfers
Proper file handling should be part of your training. For example, you do not want people to download files onto a flash drive and walk out the door with them. If files must be transferred, they should be encrypted and password-protected. You may also want to use a Virtual Desktop Infrastructure (VDI) so files are not stored on laptops but only on a VDI server.
Secure Your Email: Really Secure Your Email
Insist that all email is sent only from firm accounts, which can be encrypted. You will need to enforce this policy, because it is easy for attorneys to fall into sending important information from their personal accounts when they are home on the weekend. Also institute an email retention policy, so that only email that is really necessary is still available.
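Both policies in the paragraph above are only as good as the firm's ability to check them. The following added example (written for this page, not code from the firm or any product it mentions) runs two checks over a message-tracking export: it flags messages where firm business, recognised by a matter reference in the subject or an attachment, crossed a consumer webmail account in either direction, and it lists messages older than the retention window. The firm domain, the personal-domain list, the matter-number pattern, the retention period and the CSV log lines are all assumptions constructed for the demo.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Assumed values for this example: the firm's own domain and the consumer
# webmail domains attorneys most often drift to on weekends.
FIRM_DOMAINS = {"examplefirm.com"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Assumed matter-number format, e.g. ACME-0042; adjust to the firm's DMS convention.
MATTER_REF = re.compile(r"\b[A-Z]{2,6}-\d{3,6}\b")
RETENTION_DAYS = 365
# Constructed "today" used when the sample is evaluated.
AS_OF = datetime(2024, 3, 10, tzinfo=timezone.utc)

# Constructed message-tracking export, not real log data. A gateway or
# journaling mailbox that sees all mail touching firm addresses would produce
# something like this.
SAMPLE_LOG = """\
timestamp,sender,recipient,subject,has_attachment
2024-03-02T09:14:00Z,jdoe@examplefirm.com,cfo@acme-client.com,ACME-0042 draft SPA,yes
2024-03-02T22:41:00Z,jdoe@examplefirm.com,jdoe.partner@gmail.com,Fw: ACME-0042 draft SPA,yes
2024-03-03T08:00:00Z,newsletter@legalnews.example,jdoe@examplefirm.com,Weekly roundup,no
2022-11-15T10:30:00Z,jdoe@examplefirm.com,ops@examplefirm.com,Lunch order,no
2024-03-04T17:05:00Z,asmith@outlook.com,paralegal@examplefirm.com,Please file these for BETA-115,yes
2024-03-05T12:00:00Z,friend@outlook.com,jdoe@examplefirm.com,Golf on Saturday?,no
"""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse the CSV export into dicts, adding a timezone-aware datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        rows.append(row)
    return rows


def looks_like_firm_business(row: dict) -> bool:
    """A matter reference in the subject or an attachment is the cheap signal
    that a message carries client work rather than personal chatter."""
    return bool(MATTER_REF.search(row["subject"])) or row["has_attachment"] == "yes"


def personal_account_violations(rows: list) -> list:
    """Timestamps of messages where firm business crossed a personal webmail
    account in either direction (forwarding a draft out to Gmail, or sending
    work in from Outlook.com)."""
    hits = []
    for row in rows:
        endpoints = {domain_of(row["sender"]), domain_of(row["recipient"])}
        if endpoints & PERSONAL_DOMAINS and looks_like_firm_business(row):
            hits.append(row["timestamp"])
    return hits


def retention_expired(rows: list, now: datetime) -> list:
    """Timestamps of messages older than the retention window; the retention
    job would purge these so a breach cannot expose years of stale mail."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [row["timestamp"] for row in rows if row["ts"] < cutoff]


def evaluate(text: str, now: datetime) -> dict:
    rows = parse_log(text)
    return {
        "personal_account": personal_account_violations(rows),
        "retention_expired": retention_expired(rows, now),
    }


def demo_report() -> dict:
    """Run both checks over the constructed sample as of AS_OF."""
    return evaluate(SAMPLE_LOG, AS_OF)


if __name__ == "__main__":
    for key, items in demo_report().items():
        print(key, items)
```

The personal-account check is deliberately a review queue rather than an automatic block: the last sample line (a social message from an Outlook.com address) is not flagged because it carries neither a matter reference nor an attachment, which keeps the report focused on the weekend-forwarding pattern the paragraph describes.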
Consider Outsourcing Your Cyber Security to Experts
If yours is not a very large firm, it’s highly doubtful that you have the kind of cyber security expertise in-house to give your data the most effective ongoing protection. And that doesn’t mean many of the largest firms necessarily have this kind of expertise either. To effectively protect your data yourself, you will need to set up a security operations center to inspect all your traffic, categorize it according to risk level, stop suspect traffic in its tracks and immediately repair damage. Of course, a solid crisis management plan must also be in place in case your systems are breached. And that’s just the beginning.
Law firm cyber threats change constantly. You need real experts who keep up with it. And if you do bring in experts, make sure they focus only on law firms.
Law firms have made a lot of strides in taking measures to protect against cyber risks, but not enough. Law firms should regularly assess their risks. Most do not have the expertise to do that and should look for the most qualified outside experts they can find to advise them. Technology is constantly changing and so are security threats. Establishing good cyber security is an ongoing process, not a one-time or occasional event.
It’s time to prioritize cyber security: It requires professional expertise, sophisticated strategies and complex technology. It is not an overstatement to say that today the future of your firm depends on providing yourself and your clients with strong, effective security against hackers and cyber thieves.