Law Firms are a Prime Target for Cyber Criminals
By Robert H. Alexander, CPA/ABV/CFF, ASA
It is reported that at least 80 of the 100 largest U.S. law firms have been hacked in the past five years.
Protect Your Organization at Every Level
Imagine coming in one morning to find your law firm has been hacked. The firm has already engaged a cyber forensic group to determine the impact. They quickly determine that one client file appears to be the target – and it gets worse. It is one of the firm’s largest litigation cases – ongoing for several years with huge amounts at stake on both sides of the litigation.
As the investigation continues, they find that virtually every document related to that client has been copied; even the files on individual attorneys’ hard drives have been accessed. The hackers also invaded the telephone and video conferencing systems, allowing them to listen in on and even see into private meetings and attorney conferences. They know your case strategy, the client’s settlement range and your most serious concerns about the case.
Think it can’t happen? Not only can it happen, but for an experienced hacker it is easy…
Imagine having to tell clients you’ve been the victim of cybercrime. Or worse, your clients hear about it through their business grapevine. As part of your day-to-day operations, you regularly access and store sensitive data. What if hackers gained access to confidential merger and purchase agreement documents in order to profit through insider trading? Or if they leaked the information publicly to derail a deal? There is much at risk.
Security breaches can be devastating to law firms – inflicting long-term damage to your brand and client loyalty, as well as creating legal and financial repercussions. The loss of trust will be hard to repair. And you will not always know immediately if your firm has been hacked. Often, the hackers steal large amounts of information indiscriminately and then analyze it later to determine how they can profit from it. Forbes reports the average cost of a data breach has now reached $4 million. The longer a breach goes undiscovered, the more the costs balloon, to an average of $4.38 million for repairs and reparations.
Why Do Hackers Target Law Firms?
Hackers do not breach the security of law firms for credit card accounts or employee information. Organized cyber criminals want to gain access to the vast repositories of confidential information that law firms retain – details of an upcoming client merger or acquisition, trade secrets, patent filings, competitive information, business plans or documents for an upcoming trial – because it is valuable for insider trading, blackmail, ransom or gaining a competitive advantage. And the reality is that hackers have an easy time gaining access because law firms are typically underprotected against cybercrime.
Law Firm Breaches Growing in the News
Any indication that data isn’t secure results in a lack of client confidence, so most law firms fail to disclose breaches publicly. However, we are now frequently seeing news articles about hacks. In fact, Cisco’s 2015 Annual Security Report named law firms as the 7th highest target for cyber criminals.
- In January 2016, it was revealed that nearly 50 elite law firms had been the target of a Ukrainian plot to collect confidential client information such as merger agreements, letters of intent, confidentiality agreements and share purchase agreements in order to trade on insider information and launder the proceeds. The breach likely occurred in 2015, but many firms were not aware until this year, and the level of information compromised is still unclear.
- In February 2016, lawyers from top U.S. firms were targets of a sophisticated phishing attack from Russia in which the email appeared to originate from an assistant at a trade journal and asked to profile the lawyer for excellence in M&A. Those who completed the survey provided cyber criminals with sensitive information that could be used to steal identities and passwords and breach their networks.
- In mid-2015, hackers broke into the computer networks at law firms working on mergers & acquisitions including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies.
- The American Lawyer recently reported an increase of ransomware attacks. One firm in the article did not know it had been compromised until the hacker sent a screenshot of the stolen data with the threat to release it publicly if they didn’t pay. The firm paid a seven-figure ransom. Other ransomware attackers will encrypt files so they’re unreadable and then demand money to restore the data.
Many Ways to Gain Access
Cyber criminals can infiltrate your organization through a host of entry points including:
- Employees often unwittingly open the door – Human error and oversight are the most common causes of security breaches, and attorneys and their assistants are often to blame. If your employees are not adequately trained, they can expose the firm to breaches through malicious attacks, phishing, scams, and even disgruntled employees. Law firms often receive emails from people pretending to seek legal representation – with the real goal of breaching their system.
- The Internet of Things (IoT) creates vulnerabilities – Cyber criminals seek weakly protected targets, and once inside corporate systems, they can gain access throughout. Any system or equipment that connects to the Internet – printers, servers, conference phones, security cameras, and even HVAC systems – gives cyber criminals a way into your systems. What if your private conference calls were recorded by an outsider, or if everything you printed or scanned was leaked? Imagine the chaos if someone could go into a shared calendar and delete every appointment. It would create a mad scramble before a trial.
- Third-party relationships account for 60% of breaches – Partners and third-party vendors that connect into your systems create openings to your sensitive information. With the increase of integrated technology and cloud solution providers, legal systems are often connected to a host of other systems – even client connections. A law firm’s security is only as strong as its weakest link. Firms must ensure that every third party that has access to their systems maintains equivalent security standards.
How to Protect Your Firm from Cyber Risks
- Make cyber security a priority
As law firms become an increasingly attractive target for hackers, it is time to put your house in order, implement aggressive protective measures and remain vigilant to catch problems before they become breaches.
- Implement advanced penetration testing
To clearly understand your firm’s vulnerability to cyber threats, hire an expert third-party team to conduct a true penetration test. These tests emulate the behavior of hackers to reveal what they could see and reach in your organization. You will then have a guide to your weaknesses and vulnerabilities, and an action plan for making changes.
- Educate employees about the risks and their responsibilities to protect the firm
Since most breaches are caused by human error or oversight, education will minimize your risk.
- Change passwords on IoT devices and systems
With the explosion of systems and devices connecting to the Internet, make sure their passwords are changed regularly, managed, and monitored.
- Ensure third party vendors maintain your security standards
Remember that your system security is only as strong as its weakest link. Audit your existing third-party vendors to ensure they maintain your standards, and require new vendors to demonstrate their security practices.