
Law Firms at a Crossroads: The New Paths to Safeguarding Data as Attacks Ramp Up

By Brian Lapidus and Keith Wojcieszek
October 01, 2018

Given the volume, depth of detail and uniqueness of the data they hold, law firms have emerged as prime targets for criminal networks. This comes as no surprise to most legal professionals and law firms who recognize the threat and have taken various steps to strengthen their defenses.

For example, the 2017/2018 Kroll-Legal Week Cyber Report found that more general counsel are taking a larger management role around cybersecurity issues: 45% said their role has expanded in the area of planning, 40% monitoring, 37% reporting and 43% responding to a cyber incident. From another perspective, a survey of 200 U.S. law firms last October revealed that 41% were planning to increase spending on cybersecurity tools and services in the next 12 months.

Yet, despite greater attention and increased spending, significant data breaches at law firms of all sizes continue to make news. From our investigative experience and what we know from global law enforcement agencies, law firms are being targeted mainly by a few tiers of cyber criminals. They range from ultra-sophisticated, well-backed criminal enterprises after specific high-value data to thieves looking for the easy win at firms with lax security.

Equally troubling, breached law firm data is showing up on the dark web alongside data that was not stolen, but rather accidentally exposed by employees or third parties. In May 2018, Kroll performed an analysis of the deep and dark Web, and for every law firm in our sample, we found company emails and passwords up for grabs, creating a clear risk for fraudulent credential reuse. The source in many cases: employees who used their company email addresses to sign up for third-party services.

Figure: Sample list of business email credentials, and a post on a dark web forum selling access to a larger database.

With the Trust of Clients At Stake, Law Firms Are At a Cybersecurity Crossroads

At the heart of every attorney-client relationship is the client's expectation that all forms of communications will be privileged and kept in strict confidence. In fact, the protections afforded by attorney-client privilege are why many clients primarily seek help from attorneys instead of potentially other professional advisors. The thought of client information breached, sold or otherwise divulged is the stuff of lawyers' (and their clients') nightmares.

Because current cybersecurity strategies are often coming up short, law firms should consider a more holistic approach, one that addresses data security from multiple directions but in an integrated way. Defensive measures continue to be a vital part of the security equation, but today, best practice also calls for sophisticated threat hunting, detection, investigation and response capabilities. This is the path to cyber resiliency, which enables you to more quickly and effectively neutralize harm caused by cyber criminals.

Cyber resiliency starts with a better understanding of the fundamentals: What do hackers want and why? How are they getting past existing defenses?

Cyber criminals are among the most inventive and motivated people on the planet when it comes to monetizing data. The data held by law firms is particularly valuable because it can be leveraged in a multitude of ways — e.g., facilitating insider trading, setting up sophisticated counterfeiting operations, getting to government patent/trade offices or to market first by stealing intellectual property, running blackmail schemes or exercising personal vendettas that ruin reputations. Of course, there is always the irresistible appeal of stealing the identities of wealthy or well-connected clients for financial or other personal gain.

Data losses at law firms can often be traced to one of three primary attack vectors:

1. Phishing/Spear-Phishing/Business Email Compromise. This is currently the most common method of attack. On average, 12%-30% of people click on phishing messages.

2. Ransomware. Three main delivery methods account for the majority of ransomware infections: a user visits a compromised website that hides malicious code; a user opens a malicious email attachment; or a user clicks on a malicious link within an email message.

3. Distributed Denial-of-Service (DDoS) Attacks. By overloading a firm's servers, criminals severely disrupt the firm's ability to conduct business. However, DDoS attacks may also serve as a distraction while a more sophisticated attack is conducted.

People, Processes, Technology: Three Pillars of Cyber Resiliency

In our experience, organizations are best positioned to mitigate data-related threats if they take a multidimensional approach to cybersecurity. Whether you are a GC involved in managing cyber risk for your firm or a law firm of any size or clientele, the same principles apply: Integrate strategies that address people, processes and technology and you will be in a stronger position to protect your data, ultimately safeguarding your reputation and vital client relationships.

The vast majority of cyber-related vulnerabilities can be traced to staff and third parties who accidentally or deliberately don't follow security protocols or are tricked into downloading malicious code.

Executive leadership and managing partners must set the tone at the top that information security is everyone's responsibility.

Make employees and third parties your first line of defense by delivering ongoing security awareness campaigns and training, and then testing that training. Periodically remind users of basic best practices that include using company email accounts strictly for internal and client communications and carefully examining all incoming emails before clicking on any link or attachment. Also, employees should know how to raise an alert if they accidentally click on or open something suspicious.

Many organizations, including law firms, are finding great value in having a Chief Information Security Officer (CISO) on their executive team. This expert has the specialized technical knowledge and corporate governance experience to help organizations develop risk-based strategies appropriate for their needs. Engaging a virtual CISO on an interim or longer-term basis can be a good option for smaller firms or those in the midst of conducting an executive search.

Several resources exist to help law firms create and implement policies and processes that promote information security, such as best practices outlined in SOC 2, ISO 27001, the NIST Cybersecurity Framework or CIS Controls.

At a minimum, law firms should have policies that address acceptable uses of corporate IT resources, data classification and “principle of least privilege,” mobile resources and social media, to name a few. Staff as well as third parties should be required to comply with all policies.

Additionally, law firms should strongly consider using restricted client portals that encrypt documents and messages to promote greater security. According to the American Bar Association TechReport 2017, many law firms aren't using encryption for emails to clients, leaving the door open for hijacked communications, spoofed emails, etc.

Given enough time and resources, a cyber criminal will eventually find a way into your law firm's systems. Therefore, an increasingly effective technology trend is to deploy endpoint threat monitoring solutions, the most sophisticated of which reduce the burden of dealing with false positives and enable quick containment and remediation.

Investing in a dark web monitoring solution can also alert you to potential threats that originate outside your network. For example, Kroll recently found several highly sensitive and attorney-client privileged documents belonging to one of our clients, a Fortune 100 global financial services company, exposed on the dark web. The source: a paralegal at one of our client's outside law firms who was inadvertently disclosing this content while accessing free music and movies on P2P networks.

Clients need to know that their attorneys are protecting the sensitive information entrusted to them, and law firms need to take steps that signal their commitment to modern data security. By adopting more effective cybersecurity measures, law firms can help keep criminals at bay, preserve the trust of clients and stand out as a provider of choice in today's highly competitive legal and professional services market.

*****

Brian Lapidus is Practice Leader of the Identity Theft & Breach Notification (ITBN) practice, based in Kroll's Nashville office. Brian helps clients and their advisors, including boards of directors, legal counsel and insurance providers, resolve the myriad complex issues resulting from a data breach. Keith Wojcieszek is an Associate Managing Director in Kroll's Cyber Risk practice, based in Washington, DC. Keith joined Kroll from the United States Secret Service, where he served with distinction for 15 years.
