Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Law Firms Facing Unprecedented Cyber Risk

By Mark Sangster
October 01, 2016

For years, various government authorities and security experts warned the legal industry about the proverbial cyber target painted on their chest. And while a cornucopian crop of headlines bloomed about data breaches, most concentrated on major retailers or recognizable brands. Given nebulous reporting legislations, the data breaches at law firms remained below the press horizon. But you can only dodge so many bullets until one hits the industry square in the chest. Recently, the legal industry found itself in the spotlight as story after story about data stolen from law firms surfaced. And the media frenzy culminated when Mossack Fonseca became the poster child for hacked law firms, earning the moniker of the Panama Papers.

If the multi-law firm hack story was the first shot over the bow, then the Panama Papers leak will become a torpedo. With a record-setting data heist and enviable client list of who's-who in government, business and entertainment, the Panama Papers leak struck a chord and unequivocally confirmed that legal wasn't just a target ' it is the target. And it is a bellwether for an industry in a fugue, unable to conceive that their firms held anything of value; certainly not anything worth stealing. Well, it turns out that boring old shell companies and tax filings had a value.

Law Firms Are Full of Sensitive Data

It doesn't matter the size of your firm. Large or small, your firm houses a treasure trove of sensitive data. From personally identifiable information (PII) to M&A transaction details to contracts and plans, every piece is desirable in the eyes of cybercriminals. Sure, larger firms have long felt that they're not as vulnerable to attack. They've been confident in the technological defenses they've established to protect their sensitive data, and until recently they haven't felt the need to question the efficacy of that technology.

Small- to mid-sized law firms are at even greater risk. Unlike their larger peers, smaller firms simply don't have the budget and resources to allocate to internal IT management and technology investments. In many cases, these bootstrapped firms are lucky to simply have the most basic technology in place, such as anti-virus systems or firewalls. For these reasons, they're perceived as an easy mark through the eyes of attackers, and widely recognized as a conduit to larger targets.

Hackers Focus on People, Not Technology

In addition to evolving risk vectors, the nature of attacks themselves has shifted. Attackers no longer fear technology because they know they can evade it. Recent successful breach events amplify that reality. Today's popular attacks focus on something far more malleable than technology. They focus on people and their innate human nature. We all get busy. Dreadfully so. And it's when we're busy that we become careless, particularly when it comes to our e-mail inbox. This is when we're most vulnerable to the epidemic that is e-mail spoofing.

Spoof e-mails have undergone a transformation. Once riddled with spelling errors and inaccuracies, malicious content today is cleverly veiled in glossy, seemingly legitimate corporate branding. The correct names are usually in the correct places, and the contents of the e-mail always appears to be reasonable and typical of interoffice or vendor communications. As a result, phishing and Business Email Compromise (BEC) are now big business for cybercriminals. The Ponemon Institute reported that large companies now spend an average of $3.7 million a year dealing with phishing attacks. See, “2015 Cost of Breach Data Study.” All firms have become a desirable target for phishing and BEC attacks.

Legislation and Guidance

Staggering breach cases are driving a larger conversation. At a micro level, cybersecurity is quickly becoming a paramount issue for firms, whether large or small. At the macro level, industry, national and governance discussions are turning their sights to the legal industry. The U.S. government's Cybersecurity National Action Plan (CNAP) passed last December, and the Cybersecurity Act of 2015 officially ushered the government's resolve to guard the pillars of the U.S. economy from cyber threats and attacks. At a governance level, the industry is scrambling to ramp frameworks and measurements with industry peers like the SEC, who since 2014 have worked to establish regulatory compliance measures through a formal examination process and comprehensive frameworks.

The ABA, recognizing increased pressure from national compliance efforts and imminent threats from an unseen army of cyber attackers has worked to architect a set of cybersecurity guidelines, as outlined in its 2014 Cybersecurity Handbook. The handbook has quickly become an indispensable tool for firms that don't know where to start. It outlines several pillars of regulatory focus, including: gaining an understanding of what assets and sensitive data the firm has; who the regulators are; which threats are targeting the firm; what protection firms have in place to guard against attacks; what risks exist; and, whether firms can demonstrate cybersecurity claims.

Essentially, cybersecurity management can be divided into two clear buckets: the first focuses on policies and planning, while the second centers on the day-to-day mechanics of cybersecurity and what kinds of frontline defenses firms have in place to block or mitigate attacks.

Often, even tackling these questions can be a daunting task for firms, particularly those that don't have an in-house team to answer them. Commissioning a full, independent security assessment is a good place to start. Security assessments are an effective way to assess your current security posture and identify gaps in your processes, programs and technologies. An independent security assessment not only helps firms build and augment their cybersecurity programs, but it also helps prepare a response for clients who will request an audit report detailing your firm's posture. A security assessment provides the clear direction you need to build your program, policies and defense inventory. An assessment also benchmarks your firm against that of your peers, examining the kinds of threats targeting you, and security considerations that fit your organization based on those benchmarks.

The ABA's Tech Report, released late last year, revealed that on average, less than half of responding firms have firm technology or security policies in place. With the number of vulnerable attack surfaces in any given firm, security policies are an essential first step when it comes to defending the firm. Just as critical are framework documents like NIST, which fuses practices, guidelines and standards to protect critical infrastructure. The framework helps to prioritize and manage cybersecurity risk, and presents a sturdy platform to further policy and program development.

Security Areas to Address

Within data and network protection there are several vectors that should be addressed: security models, network assets, policies and procedures, data encryption, remote banking/transfers and mobile device management. The Tech Report found that 62% of respondents reported that their firm had not experienced a breach. But with so many threat surfaces, it's unknown how many of those respondents suffered a breach and didn't detect it. The Panama Breach case is a prime example; the firm claims that its mammoth data leak was a result of a year-old, undetected breach. One may assume that a firm like Mossack Fonseca would have fairly robust security in place, particularly given its top-tier client base. While the root cause of the breach hasn't been reported, it has been speculated that the breach was the result of a sophisticated cyber-attack, one that cleverly evaded whatever perimeter defenses Mossack Fonseca had in place.

Conclusion

While the fate of Mossack Fonseca remains to be seen, lesser breaches have caused firms to shut their doors entirely. Universally, attorneys are fundamentally obligated to protect their clients' confidentiality. By extension, firms are required to ensure that the technology they use in no way subjects client information to an undue risk of disclosure. Pair this with the breach cases impacting firms, and suddenly firms face greater pressure, more scrutiny and evolving regulatory implications. Clients are taking data protection into their own hands, running due diligence that requires that firms demonstrate the mechanisms they've build to protect sensitive data.

The legal industry was founded and is fueled by professionals driven by curiosity and the desire to ask “why.” Cybersecurity has gone from simply being IT's problem, to becoming everyone's problem. If your firm doesn't currently have cybersecurity initiatives underway, start the conversation. Ask the questions. Turn to your governance resources such as the ABA and leverage the tools they've created to drive momentum in your firm. Collaborate with peers through intelligence sharing forums like the Legal Services Information Sharing & Analysis Organization (LS-ISAO), which was founded to facilitate threat sharing amongst firms. The cybersecurity terrain is ever evolving. Consider this: Today's fastest growing and most successful threats originate from a human culprit. You need human-driven defenses to stop them; technology simply won't cut it.


Mark Sangster is the VP and industry security strategist with managed cybersecurity services provider eSentire. He is also a member of the Board of Editors of our sibling newsletter, Cybersecurity Law & Strategy and may be reached at [email protected].

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.