Cyber attacks on law firms are among the most persistent and potentially devastating threats, putting everyone in the legal profession at risk.
Your law firm could be targeted next. Just imagine the reputation loss and fines if your firm suffers a cyber attack where confidential client data is compromised. Would you be able to respond, recover, and repair your damaged brand?
In the U.S., the American Bar Association (ABA) reported that 1 in 4 law firms (25%) is a victim of a data breach, with causes ranging from user error to hacking or other malicious activity. The UK sets this figure much higher — in 2019, the Solicitors Regulation Authority revealed that 52% of UK law firms had experienced some type of cyber attack. In fact, another report, by PwC, claims cyber attacks on UK law firms have increased more than 60% in the past two years. The same PwC report showed that 100% of the top 100 UK law firms suffered a security incident in 2019 — worse, the study estimated that small or mid-size firms, outside the top ten, were not adequately prepared to respond effectively to a cyber security crisis.
Do you understand the cyber risks you face? Just one cyber attack can result in damage to your legal reputation, loss of client trust, and hefty fines.
Four top cyber risks to your law firm
It’s time to get serious about cyber security awareness and start protecting your firm.
Here are four risks that could lead to cyber attacks, security breaches, and significant damage to your business:
1. Your data
The reality is that the confidential client data and intellectual property behind the walls of your law firm are extremely valuable to cyber criminals, and they will launch vicious attacks to get to this data. If they’re successful, the data will be stolen, posted publicly, sold, or even held for ransom.
You won’t have time for a best defence strategy as the attackers can lock down your computers, preventing access to the data and applications you need to run your business. This can result in penalties and fines, reputation loss, time and expense for data recovery, and even downtime for your firm. Client retention and acquisition may also suffer.
Can you imagine the reputation damage if your client data was disclosed? A law firm may never recover.
If you are not immediately locked out of your systems, you may not even know the data has been accessed, stolen, or compromised for months or years. Consider this: in the ABA Legal Technology Survey Report 2019, which included responses from firms of all sizes, 26% of respondents reported that their firm had experienced some type of security breach — while 19% did not know whether or not their firm had experienced a breach.
2. Your staff
A cyber attack can happen in minutes, and could actually be the result of human error within your own firm. That’s right, your staff represents a top security risk.
Each day, your staff could unknowingly put your firm at risk. Employees using weak or obvious, easy-to-hack passwords to access software and systems can enable attackers to crack passwords and gain unauthorized access to your network. Does your team frequently change their passwords? Is multi-factor authentication in place? Using the same passwords again and again, without added layers to properly authenticate and verify users, can also lead to easy hacking.
Email scams that fool staff into clicking on unsafe emails are also on the rise. It’s very easy for an employee to simply click on an email and open an attachment or website link, not knowing it is malicious. Scams like this, called phishing, easily trick recipients into clicking and opening links and files, launching ransomware into systems and networks. Beyond digital security, physical security is also important, as lost or stolen laptops and other mobile devices can also introduce risk.
PwC’s report also noted that for more than 40% of the law firms that suffered security incidents, the incident was caused by staff. In fact, incidents caused by staff were among the top three causes of attacks among the top 11-25 and 26-50 ranked firms.
Does your staff understand that their direct actions and security behaviors may put your firm at risk for an attack?
3. Your partners and vendors
Have you thought about the security of the third-party vendors and contractors you work with and rely on for services? If they are not following best security practices and do not have measures in place to keep their systems secure, this presents an immediate risk to your firm as well.
More than 100 law firms in 14 U.S. states have submitted security breach reports since 2014 — vendor security lapses were among the top reasons attributed. Last October, TrialWorks, a provider of case management software, was called out for potentially delaying a court and client matter after the provider shut off services to combat ransomware. The TrialWorks downtime left lawyers without access to key files and data, leaving some to request court extensions.
Multiple parties may be accessing, sharing, and storing your firm’s confidential data each day, across your network and in the cloud, from computers, mobile devices, and web portals.
If these parties aren’t following best security practices and don’t have protection in place, it may easily enable unauthorized access to your systems and data.
4. Your cloud applications
What about the cloud software that you use? While applications that reside in the cloud provide a lot of convenience for law firms, there is shared responsibility between you and your cloud services provider for maintaining the security. It’s important to be aware of your responsibility and theirs — some providers publish their shared responsibility models online.
A recent study revealed more than half (53%) of all computing workloads are in the cloud — you can imagine the security implications. The study also showed two-thirds of respondents (68%) may have seen either direct or likely evidence that their data had been for sale on the dark web. Less than one-third (31%) did not believe their data was at risk.
Security breaches of cloud services have often occurred due to IT misconfigurations on the customer’s side. These could include everything from unmanaged or mismanaged permission controls and not selecting or turning on the right controls to protect you, to insecure data storage elements or simply not understanding how to use and deploy the services.
In the 2019 Capital One breach, among the largest, a hacker gained access to more than 100 million Capital One customer accounts and credit card applications. The hacker had gained access through a misconfigured web application firewall — a reminder of the importance of strong, properly deployed cloud security.
Daily prevention is key to maintaining client trust
Don’t leave your law firm vulnerable to cyber threats. Protect your confidential client data, intellectual property, and reputation today and gain the peace of mind that comes from a strong cyber defence and a safer business.