The DLA Piper attack has legal professionals paying attention, but cyber attacks on law firms are far from unique.
According to a recent report from IT security provider LogicForce, hacking attempts were made on over 200 U.S. law firms between 2016 and 2017, 40% of which didn't even know that they had been breached.
Titled “The Law Firm Cybersecurity Scorecard,” the report is the first of a quarterly effort by LogicForce intended to educate both law firms and the corporate legal departments that would hire them about the security issues impacting their industry. John Sweeney, president of LogicForce, says the results present “plenty of opportunities for corporate legal and law firms to get on the same page” with cybersecurity, and that there are “a lot of opportunities for law firms to tighten up their controls and get onboard with what their corporate clients are requesting.”
“We're finding some areas to be consistent across a wide variety of firms, both big law and small law, that it doesn't take a lot to improve,” Sweeney says. “We want to educate the industry on, 'Hey, you don't have to be spending millions upon millions of dollars to tighten up controls that your corporate clients want to see in order to secure your processes and keep up with your obligations to protect.'”
Indeed, many of the security issues found at the law firms surveyed were consistent. Despite the frequency with which breaches are linked to third parties (63%), the majority of law firms (80%) don't vet them. Similarly ubiquitous is law firms' lack of compliance with their own cybersecurity standards — 95% of firms weren't compliant with their own data governance policies; further, all of those firms also weren't compliant with their clients' policy standards.
The report also found that the types of threats facing law firms didn't vary much, although they occurred relatively often. Across the law firms surveyed, LogicForce found that there were about 10,000 network intrusion attempts daily, while there were about 1,000 invalid login attempts on a daily basis. Additionally, 59% of all emails were classified as phishing/spam emails, though these included what the report called “benign marketing annoyances” as well as emails that were “more malicious and costly.”
Phishing has been a significant cyber threat for years, and it played a significant role in spreading the WannaCry attacks that impacted organizations across the world in May.
Discussing those attacks, Rob Silvers, a partner in Paul Hastings' cybersecurity practice, told our ALM sibling, Law Technology News, that phishing “is very common, and other ransomware strains rely on that same attack vector. So it's really important that companies double down on their counter-phishing training for their employees.”
And while he doesn't “like to blame the victims,” Silvers added, “There are measures that companies simply have to take to protect themselves and their shareholders and their business partners.”
Employee training is a commonly cited prevention measure for organizations. It appears among the “10 Basic Cybersecurity Measures” for reducing cybersecurity attacks, distributed as a joint effort between the U.S. Department of Homeland Security and the FBI. Speaking about the WannaCry attacks, Ed McAndrew, a cybercrimes prosecutor and data security lawyer at Ballard Spahr, says: “What it shows is you don't need to have the biggest security budget in the world. You need to employ basic cyber hygiene at the very least.”
Timothy Murphy, president of Thomson Reuters Special Services, explained on a June panel about law firm cybersecurity that firms can begin mitigating risks immediately at a moderate cost with high impact. Among his suggestions were figuring out what data needs to be protected, tightening security controls, patching operating systems and applications, and implementing two-factor authentication and encryption.
“This is the most significant threat this country, businesses and law firms face,” Murphy added.
***** Ian Lopez writes for Law Technology News, an ALM sibling of Cybersecurity Law & Strategy. He can be reached at [email protected].