Legal Profession: The New Frontier For Cyberattacks

Law Firms Are Now Cyberattack Targets

Retail. Finance. Healthcare. Hospitality. Government. Transportation. You name the industry, it’s likely experienced the ills of data theft. Yet one sector that’s remained relatively unaffected by sensitive information hackers is that of private law.

At least, that was the case, until recently. A newly released study from the American Bar Association suggests firms of all sizes are in computer criminals’ crosshairs like never before.

“Nearly 25% of attorneys acknowledge their offices have been affected by a breach.”

Roughly 1 in 4 attorneys in ABA’s 2018 TechReport acknowledge that their offices have been affected by a breach at one point or another. That’s a considerable uptick from as recently as five years ago, when the rate was in the teens. Of those who attest to being victimized, firms with between 50-99 employees on staff were affected the most at 42%, followed by firms employing 100 or more at approximately 31%.

Rich Santalesa, a cybersecurity expert and counsel for the New York City-based law firm Borstein Legal Group, told the ABA Journal that no industry is entirely immune, but one thing that lawyers and attorneys have going for them is hindsight. Because the frequency of attacks on firms have risen only recently and remain fairly low relative to sectors like retail and healthcare, they can glean insight from others’ miscalculations.

“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” Santalesa explained. “Unfortunately, other industries have had to learn their lessons the hard way – by having breaches that have received media attention.”

At the same time, though, law firms haven’t entirely escaped the fourth estate’s observations. Indeed, as chronicled by the National Law Review, a Washington-based lawyer noted in February 2018 that attempted cyberattacks were a daily frustration at his firm, up 500% during the previous 24 months. In June 2017, multinational law firm DLA Piper was one of several other organizations whose networks were hijacked by ransomware, forcing the shutdown of the company’s IT systems for days in several of the 40 countries where DLA Piper has offices). And in April of last year, a specialist law firm’s computer networks were breached, which wound up exposing the personal commercial insurance policy data of over 1,500 companies in the U.S.

“North of 446 million records were exposed in 2018 and 1.68 billion email-related credentials.”

Ways Law Practice Data Can Be Breached

Part of the problem – both for law firms as well as virtually all other businesses that aggregate data – is the variety of means by which identifying material can be purloined. As previously referenced in this space, ransomware is increasingly common and phishing – which utilizes bait-and-switch emails to bamboozle targets – has never gone away since this means of communication debuted. According to the Identity Theft Resource Center, north of 446 million records were exposed in 2018, along with 1.68 billion email-related credentials.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” warned Adam Levin, founder and chair of CyberScout, a Scottsdale, Arizona-based data security services firm.

Left alone or quickly deleted, phishing emails are benign. But because they look so authentic and are designed to mimic the typeface, tone and design of legitimate companies, approximately 33% of them are eventually opened, according to a 2017 data breach report from Verizon.

Adopt A Security Culture

How can law firms immunize themselves from data disaster? It’s virtually impossible to avoid cyberattacks completely, but it starts by doing what so many other companies have failed to do, which is adopting a culture of security, Verizon Communications CSO Michael Mason. Speaking to ABA Journal, Mason said firms should approach protecting their data like they would vetting a babysitter.

“When you hire a babysitter for your child, what sort of background check do you use? Hopefully, something so precious is not put into the hands of strangers without a background check,” warned Mason. “Your firm’s data is also precious.”

He further advised that law firms often assume a “one-and-done” approach toward data security, obtaining a professional risk assessment a single time and assuming that it alone should suffice. These must be conducted consistently over time to remain above the fray, ideally once a year.

Take your network security a step further by moving to the cloud for enhanced data protection and true mobility.  The Afinety Cloud Platform (ACP) is designed specifically for law firms by law firm experts and runs on the largest, most mature cloud provider in the world, Amazon Web Services.  AWS data centers and network architecture are built to meet the requirements of the most security-sensitive organizations and designed to keep data safe.  This includes built-in, state-of-the-art network firewalls, automated encryption for data in transit and at rest, plus continuous infrastructure testing with summarized results.   This allows you to maintain the highest standard of security without the cost of having to manage your own network or facility. Other options, such as Multifactor Authentication, will enhance your network security even further to guard against cyberthreats or lost data.

Click here to learn more about moving your network, including all data and applications, to the cloud.