The American Bar Association reports that 26 percent of firms with 500 or more attorneys experienced a security breach in 2016. Global law firm DLA Piper suffered serious computer attacks in June 2017 that prevented employee access to emails and documents.
What makes legal firms attractive to hackers?
Very simply, it’s the client data. Law firms hold a wide array of such data, including intellectual property, securities trading, M&A activity, and more.
Daniel Garrie, Global Head of eDiscovery, Forensics, and Cybersecurity Practices for Law & Forensics LLC, says “If you think about the law firms that just do mortgages, for example; getting a fully detailed mortgage package with social security numbers, bank account numbers, wiring information — that’s a pretty interesting piece of information.”
And the legal industry, like all others, stores most of this data digitally, where it is exposed to both internal and external threats.
Tactics to ensure law firm cyber security
Legal firms can adopt several tactics to reduce the risk of an attack from an insider (through negligence or malice) or an outsider.
Identify your sensitive data. You can’t protect what you don’t know about. A risk assessment and data inventory can help determine the most sensitive data, where this data resides, and who has access to the data.
Determine who is responsible for security. Many firms may not want to make the initial – and ongoing – investment in establishing an in-house security practice. In this case, evaluate outsourcing security and consider moving data to a cloud environment with state-of-the-art security and the ability to stay on top of emerging threats.
Establish a policy. Craft a security policy that clearly outlines how employees should protect data. Require employees to sign off on this policy, and update the policy regularly.
Cover the basics. Whether you are handling security in-house or outsourcing, implement the foundational elements like firewalls, encryption, strong passwords, virus scanning, and similar essentials to protect your network.
Use a least-privilege access policy. Based on your data inventory, ensure that only those employees who need access to your most sensitive data have that access.
Implement ongoing monitoring. The Law Firm Cybersecurity Scorecard uncovered an especially chilling statistic: 40% of surveyed law firms had experienced a data breach in 2016 and did not know about it. Ensure your in-house or outsourced team is actively monitoring for threats. Online monitoring solutions allow you to identify which users are accessing sensitive data and to prevent data from leaving the firm via email or file uploads.
Train your team. Beginning at onboarding, ensure all team members have a good understanding of basic security practices, can identify phishing emails, and are aware of proper data handling procedures.
“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. For hackers looking for information they can monetize, there is no better place to start.”
For additional guidance and resources, the ABA’s Cybersecurity Legal Task Force has published the ABA Cybersecurity Handbook, a tool to help understand, prevent, plan for, and respond to a cyber breach.