Law firms are a lucrative target for all types of cyber crime — and it’s no wonder why. From personally identifiable information (PII) and intellectual property (IP) to business transactions, the legal industry processes unmatched volumes of valuable, confidential data.
Unfortunately, the cyber security at most law firms isn’t cutting it. Research from the American Bar Association (ABA) found that nearly one-third of surveyed attorneys experienced a security breach in 2020. A single incident can instantly damage client relationships and devalue years of hard work — especially if sensitive data gets compromised.
Read on to discover four major threats facing the industry, and how to improve the cyber security at your law firm.
1. Credential theft
Last year, 61% of data breaches involved the use of stolen credentials, making this a major risk to firms. It often starts with a malicious email designed to trick partners, lawyers, or staff into sharing login information.
If successful, the cyber criminal may sell the credentials or move further into the IT network to compromise sensitive documents and client data, edit or delete contracts, reset passwords, or cause other damage. And, since the attacker is using a legitimate account, it can be hard to detect something is wrong until it’s too late.
If an attorney, administrator, or even a third party reuses the same credentials across different portals, one stolen password opens several doors and this type of attack can quickly spin out of control. Using a password manager to create, store, and retrieve a unique password for every account, and turning on multi-factor authentication wherever a portal supports it, is a quick way to reduce the impact of credential theft.
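Two checks a firm's IT staff can run over a password-manager export follow, as an added example that is not part of the original article: one flags the same password reused on more than one portal, the other checks each password against a breached-password corpus using the k-anonymity scheme popularised by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash would leave the machine and the comparison of the returned suffixes happens locally. The CSV export, its column names, the breach corpus and the "range response" are all constructed here so the script runs offline; a real run would replace `build_range_for_prefix` with a lookup against the service for that prefix.

```python
"""Password-reuse and breached-password audit over a password-manager export.

Added example, not code from the original article. The export format, the
breach corpus and the range response are constructed; a real deployment
would fetch the range for each 5-character prefix from a breach service.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; columns mirror a typical password-manager CSV.
SAMPLE_EXPORT = """name,url,username,password
Court e-filing,https://efile.example.gov,jsmith,Spring2021!
Document portal,https://docs.example.com,jsmith,Spring2021!
Billing,https://billing.example.com,j.smith,Tr0ub4dor&3
Bank,https://bank.example.com,jsmith,correct-horse-battery-staple
"""

# Constructed breach corpus: password -> number of times seen in breaches.
CONSTRUCTED_BREACH_CORPUS = {
    "Spring2021!": 1234,
    "password": 9999999,
    "Tr0ub4dor&3": 12,
}


def load_vault(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password (the hash the range scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix): the first 5 hex chars and the remaining 35."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def flag_reuse(entries):
    """Map SHA-1 of each reused password to the account names sharing it.

    Keys are hashes so the report itself never carries plaintext passwords.
    """
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {sha1_hex(pw): names for pw, names in by_password.items() if len(names) > 1}


def build_range_for_prefix(prefix):
    """Stand-in for the breach service: 'SUFFIX:COUNT' lines for one prefix.

    Constructed from CONSTRUCTED_BREACH_CORPUS so the example runs offline.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def check_breached(password, fetch_range=build_range_for_prefix):
    """Return how often the password appears in breaches (0 if not found).

    Only the 5-char prefix is handed to fetch_range; the suffix match is
    done here, so the full hash never leaves the machine.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def audit(csv_text, fetch_range=build_range_for_prefix):
    """Run both checks and return a report suitable for an IT review."""
    entries = load_vault(csv_text)
    breached = {}
    for entry in entries:
        count = check_breached(entry["password"], fetch_range)
        if count:
            breached[entry["name"]] = count
    return {"reused": flag_reuse(entries), "breached": breached}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for digest, names in report["reused"].items():
        print(f"password {digest[:8]}... reused on: {', '.join(names)}")
    for name, count in report["breached"].items():
        print(f"{name}: password seen {count} times in breaches")
```

The report keys passwords by hash rather than plaintext so it can be shared with the people who have to fix the accounts; the court e-filing and document portal entries surface as a reuse pair, and both of those plus the billing account show up as breached while the bank password does not.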
2. Financial redirection
Financial redirection occurs when an attacker diverts a payment between you and your clients. After gaining access to your email (often through credential theft) they may lie low and study activity to learn your billing process, business relationships, and payment schedule.
For example, right before you’d typically issue invoices, an attacker may email clients from your account asking them to redirect payment to a new location. Because the request appears to be coming from you, a trusted professional, they’ll likely assume this is a legitimate update.
Once the payment goes through, the attacker empties and closes the receiving bank account, erases evidence of their presence, and walks away with your clients' money. A single financial redirection attack can cause irreparable damage to a firm's finances and reputation, so any request to change payment details, whether it arrives in your inbox or your client's, should be confirmed by phone at a number already on file rather than one given in the email.
3. Ransomware
Ransomware, a form of malware that encrypts important files and information, may also begin with a malicious email. Or the cyber criminal might exploit a vulnerability, such as an unpatched operating system or an exposed remote-access service, to gain entry and launch the malware.
In the past, victims would then receive a note demanding payment in exchange for their data. But today's attackers often take a further step. Rather than only locking or deleting your files, they copy them first and threaten to publish them if the ransom isn't paid.
Both outcomes can be devastating. Since most lawyers bill by the hour, losing access to critical case files will cause immediate financial damage. And, because you work with confidential information daily, having it publicly exposed could crush client trust and potentially lead to a lawsuit.
Backing up data in the cloud is an important precautionary step, but it's not a guarantee. Backups only help with the encryption half of the problem, not the threat of publication, and they only help at all if the attacker can't reach and encrypt them too and you have actually tested restoring from them. What's worse, paying the ransom also doesn't mean you'll get your assets back. The attacker may still delete or publish files after receiving their money.
4. Nation-state attacks
The nature of their work means lawyers often hold national secrets, intellectual property, or other private data. This makes the legal industry a unique target for nation-state attacks launched by foreign governments (or, similarly, state-sponsored attacks carried out by cyber criminal groups).
REvil, a Russia-linked ransomware group, targeted entertainment law firm Grubman Shire Meiselas & Sacks last year. The hackers claimed to have stolen 756 GB of sensitive data, demanding $21,000,000 in payment.
Both nation-state and state-sponsored attacks are highly sophisticated and a major risk. In fact, Microsoft recently reported on a state-sponsored threat, Hafnium, that has been targeting law firms and other US organizations by exploiting vulnerabilities in on-premises Microsoft Exchange Server.
Your practice may be particularly vulnerable if you hold information that advances the sponsoring government's agenda or gives companies in that country a leg up on their competition. Unlike amateur hackers, these groups can be extremely skilled and persistent. Following best practices and having strong cyber security is necessary to defend against them.
Why cyber security matters for law firms
Attack frequency, size, and scope are increasing
Years ago, cyber attacks were simplistic, infrequent, and rarely front-page news. For the most part, cyber criminals were acting alone, hacking into systems for fun or notoriety.
But they’ve quickly evolved. Since the DLA Piper breach in 2017, there has been a steady stream of similar attacks. Last year alone, we saw breaches at several well-known practices, including Seyfarth Shaw and Fragomen, Del Rey, Bernsen & Loewy.
Attackers have become organized, with more skill and speed than ever. It’s no longer just the Fortune 500 companies at risk, it’s everyone — including law offices like yours.
It’s important to clients
Trust is everything in the legal industry. Experiencing a security incident will damage the reputation and integrity of your firm.
Existing clients will look for representation elsewhere if you lose IP or other confidential data. Prospects will look at your cyber security posture before signing a contract. Gaps in defence could mean the difference between winning a lucrative contract and losing out on a major opportunity.
You may have a legal obligation
Cyber security regulations for law firms are heating up. There is a growing number of data privacy laws in the jurisdictions where you and your clients operate, including:
- The General Data Protection Regulation (GDPR)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The California Consumer Privacy Act (CCPA)
Failure to comply poses a serious risk. Your practice could face lost business, six-figure fines, and even prosecution. Beyond legal compliance, your professional conduct rules may impose an ethical duty to safeguard client information, which means improving your defence.
Hybrid work environments are at greater risk
A hybrid workplace — one that combines in-office and at-home workers — will likely become the new working norm. This business model allowed operations to continue last year despite strict health measures, but also introduced new remote working cyber risks and threats.
Now that confidential client information is spread widely across a distributed, virtual environment, there’s more pressure than ever to implement a strong, end-to-end defence.
Protect what matters most
It’s important to think about cyber security holistically. You need a full view of the entire IT environment — networks, cloud services, devices, remote users — to protect your teams, clients, and data. But this can be hard and often requires specialized skills to make sense of data and prioritize threats.
With Field Effect’s Covalence, you get a complete cyber security solution, with intelligence-grade technology that monitors your full IT environment and a team of experts offering 24/7 support.
Want to stay up to date on cyber security risks and tips, webinar invites, and more? Sign up for our newsletter below.