Common Cyber Threats to Law Firms and How They Can Protect Themselves
- Alex Morris II
- Nov 23
Introduction
Law firms handle a massive amount of confidential information, from first and last names, home addresses and financial data to important litigation strategies for upcoming cases. Needless to say, they are an absolute gold mine for hackers to target. Even though cyber attacks have increased across various industries, many law firms (and small businesses in general) continue to rely on outdated security practices. This could be due either to a lack of the resources needed to strengthen IT efforts or to simply ignoring the problem and believing that what they currently have is enough. Regardless of the reason, this type of approach is an accident waiting to happen. Cyber attacks have grown far more sophisticated than we’ve ever seen and can have long-lasting consequences. Data losses, irreversible reputational damage and significant financial losses are just a few of the ramifications of a successful cyber breach. Firms that refuse to address their cyber architecture are bound to be the victim of an attack, and without the proper mitigations in place, it could be too little too late.
High Profile Firms Who Have Been Breached
Cravath Swaine & Moore and Weil Gotshal & Manges
Orrick, Herrington & Sutcliffe
Grubman Shire Meiselas & Sacks
Jenner & Block and Proskauer Rose
Cyber criminals are always looking for a way in, and as attack methodologies continue to evolve, law firms must adapt as well.
Today’s article will go over the threats firms in the legal industry face and some of the best practices they can implement to avoid the majority of problems.
Common Threats Facing Law Firms
Most of the time, hackers are looking to breach systems to steal whatever they can, no matter what it may be. Some of the most common threats to law firms are ransomware, advanced persistent threats, phishing scams and, probably the most detrimental, human error.
Ransomware
Ransomware is easily the most frequently used technique for hackers to gain access to steal information. It is a form of malware that, once executed, will lock out authorized users until certain demands are met. Those demands can be anything from paying a few thousand to millions of dollars to requiring certain information to be released to the hackers responsible for the attack. Ransomware will bring any business’ operations to a screeching halt because systems are inaccessible and the networks that rely on those systems are down. Because legal matters tend to be time sensitive, firms are more likely to give in to demands and therefore become more susceptible to future attacks.
Ransomware can be executed in different ways, such as clicking a strange link, downloading a random file or through exploits. Once it has run, threat actors have what they need to prevent others from gaining access and pretty much force the law firm’s hand.
Advanced Persistent Threats (APT)
Advanced Persistent Threats (APT) are a type of malware used by cyber attackers to get into systems and networks, usually undetected, and steal information. The purpose of these is to play the long game: linger within a network long enough to steal as much information as possible. Unlike other tactics, an APT will hang around for months and possibly years if undetected long enough, while combing through a business’ systems for any sensitive data (financial records, intellectual property, etc.). Most types of cyber attacks have a “hit and run” approach, meaning they strike once and may go away. APTs, on the other hand, can be extremely complex and potentially avoid detection methods while slowly achieving their goals.
Phishing
In these types of attacks, scammers try to emulate a legitimate person or company to trick a user into handing over personal information. Common traits of phishing messages include requests for sensitive data, urgent or threatening wording, super generic greetings, unfamiliar senders and grammar mistakes. The overall goal is to use emotionally charged language to manipulate someone into acting first without thinking. Although simply opening an email won’t always have adverse effects, clicking on a link or downloading an attachment can and will cause catastrophic damage that can be extremely difficult to come back from.
Human Error
When it comes to the cybersecurity chain, humans will (unfortunately) always be the weakest link. A law firm can have the most advanced technology available, but it takes just one mistake to completely destroy everything. For the most part, it doesn’t matter what tools or software a business has if the employees are not properly trained on how to use those tools and are not aware of common cyber threats. If a person thinks they’re speaking to the official helpdesk service and hands over their login credentials, or clicks a button because they believe they need to “update their bank information”, then it is only a matter of time until the firm suffers greatly.
How Law Firms Can Protect Themselves
Although cyber threats are always lurking and looking for ways to infiltrate systems, there are ways to prevent said threats and protect both client and organizational data. Backing up data, a zero-trust architecture, a strong password policy and consistent employee training are all effective.
Data Backups
Having a consistent backup schedule can be super helpful in the event of a cyber attack or if other issues arise. The overall point is that if, for example, a cyber attack does occur and criminals are holding a business’ data for ransom, the business is not forced to give in to the demands and can restore its systems from the backups. As a result, it can continue its operations as usual. The key with this approach is to implement a schedule that makes sure the data being backed up is not too outdated, and to have a cut-off date for older backups to reduce storage space/costs. Firms will also need to have backups stored remotely so that hackers are not able to access those as well.
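The three points in the paragraph above (fresh backups, a retention cut-off and a remote copy) can be checked automatically. The following is an added example, not part of the original article; the record fields, the 24-hour and 90-day thresholds and the `min_keep` safeguard are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not from the article): one record per backup copy.
SAMPLE_BACKUPS = [
    {"id": "b1", "taken": datetime(2024, 1, 2, 2, 0), "location": "onsite"},
    {"id": "b2", "taken": datetime(2024, 3, 30, 2, 0), "location": "offsite"},
    {"id": "b3", "taken": datetime(2024, 4, 9, 2, 0), "location": "onsite"},
    {"id": "b4", "taken": datetime(2024, 4, 10, 2, 0), "location": "onsite"},
]


def audit_backups(backups, now, max_age=timedelta(hours=24),
                  retention=timedelta(days=90), min_keep=2):
    """Return backups safe to prune plus policy findings for the rest."""
    ordered = sorted(backups, key=lambda b: b["taken"], reverse=True)
    # Retention cut-off: prune only copies past the cut-off, and never the
    # newest `min_keep` copies, so a stalled backup job cannot prune everything.
    expired = [b["id"] for i, b in enumerate(ordered)
               if i >= min_keep and now - b["taken"] > retention]
    kept = [b for b in ordered if b["id"] not in expired]

    findings = []
    # Freshness: the age of the newest backup bounds how much work a restore loses.
    if not kept or now - kept[0]["taken"] > max_age:
        findings.append("newest backup older than max_age")
    # Remote copy: a backup reachable from the same network can be hit as well.
    offsite = [b for b in kept if b["location"] == "offsite"]
    if not offsite:
        findings.append("no offsite backup")
    elif now - offsite[0]["taken"] > max_age:
        findings.append("newest offsite backup older than max_age")
    return {"expired": expired, "findings": findings}


if __name__ == "__main__":
    print(audit_backups(SAMPLE_BACKUPS, now=datetime(2024, 4, 10, 9, 0)))
```

On the sample inventory the local backups are current, but the only offsite copy is eleven days old, which is the gap that matters if the attacker can reach the onsite copies.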
Zero-Trust
A zero-trust architecture is essentially when a firm’s infrastructure trusts no one. No matter if you are an entry-level employee or the CEO, everyone has to authenticate themselves. It does not assume anyone is who they say they are. This minimizes access and relies on the assumption that someone unauthorized may already have access, which results in a stronger and more resilient security model.
Strong Password Policy
Having a strong password policy is a super simple but extremely effective cybersecurity measure for a law firm. A password policy outlines password length, what characters are accepted, how often passwords need to be changed, password re-use, storage, resetting passwords, user responsibilities and possibly MFA if already included. The intention is to reduce the number of weak passwords that could be exploited. Some passwords are easy to remember, but hackers think the same way. It’s important to remember that passwords should be unique to the user and as difficult as possible for a third party to guess.
Employee Training
Lastly, employee/staff training should be prioritized like anything else. As mentioned before, far too often law firms (and other businesses) rely solely on technical tools to strengthen their security measures. While this can be effective, if your staff is not properly trained on how to prevent breaches and on their role in the overall security framework, a breach is far more likely to occur. Unfortunately, what typically happens is that a business will implement tools and software believing it is fully protected, not realizing that those tools have to be configured properly and securely. Employees must also be taught how to move securely in the cyber world and how to identify potential threats when they come about. Threats are more often digital, but they will often target humans and prey on their inexperience.
Conclusion
All in all, cybersecurity is a consistent effort, relying heavily on both strong tools and humans remaining aware. A strong security posture cannot depend solely on humans being knowledgeable or solely on having the right tools. In order for a law firm to operate securely, staff must be aware of the proper security measures and software must be configured to protect internal and client data.


