The recent DLA Piper hack has shown that law firms remain vulnerable to damaging data breaches, regardless of size. Cybersecurity experts provide tips on how law firms can avoid becoming the next cautionary tale.
As repositories of sensitive information that corporate clients entrust lawyers with, law firms are a treasure trove for hackers. And smaller law firms, with their leaner IT departments and limited resources, are often regarded as more vulnerable to cyber attacks.
Recent cyber attacks, however, show that this belief is a misconception. DLA Piper, one of the largest firms in the world and a leader in cybersecurity, fell victim to a major cyber attack in June, disrupting phones and email systems, forcing lawyers to work using cellphones.
Last year, hackers broke into the computer networks at several prestigious U.S. firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, according to the Wall Street Journal. In 2016, hackers also stole 11.5 million documents from Mossack Fonseca, a major offshore firm based in Panama, resulting in history’s biggest data leak.
“All law firms and organisations are vulnerable. There is this gross misconception of perceived vulnerability of boutiques and smaller firms because, compared to the larger firms, they’re seen as less secure,” explains Gino Bello, senior director in the technology team at FTI Consulting and a computer forensic expert. “They’re as secure as each other, and as insecure as each other.”
Bello adds that cybersecurity attacks are all automated. “These attacks are programmed to trawl through the internet to find vulnerabilities, which can create a level playing field, whether you’re a big international law firm or a small local firm, both can be affected,” he says.
The scariest part of all this is just how unprepared law firms are. A recent study by cybersecurity consulting firm LogicForce shows the ubiquitous risk of cyber attacks for firms. The survey covered more than 200 law firms across the U.S. with a headcount ranging from one to more than 450 total attorneys, working in a full complement of practice areas. It found that all the respondents had been subjected to hacking attempts, with 40 percent of the firms unaware that they had been attacked. All of the firms were also not compliant with their clients’ policy standards.
The LogicForce study also found that there are over 10,000 network intrusion attempts per network every day. A large percentage of these attempts likely carried out by automated scripts, which do not discriminate based on firm size, and do not target specific businesses, or people.
Law firms can expect more and more cyber attack attempts. As Bello points out, “The volume of hacking and the sophistication of hackers are increasing, and part of that is the increase in the number of devices connected to the Internet, and that it can be lucrative.”
According to John Boles, director of the information security and cyber practice at Navigant, the most common security incidents faced by law firms today are email phishing attacks, which try to gain access to clients’ information.
“Recent attacks like ransomware WannaCry and Petya have shown that hackers and their attacks are expected to only become more disruptive and sophisticated in the future,” he notes.
In this new era of threats, attackers are no longer motivated by financial gains alone, but also by the ability to manipulate the outcome of legal cases and corrupt trust in respected organisations, says Sanjay Aurora, Asia-Pacific managing director of Darktrace, a global machine learning company for cyber defense.
Aurora cites an example where Darktrace discovered an attempt to exfiltrate data from a videoconferencing device within a law firm handling a major M&A case.
Attackers had breached the device inside the law firm’s boardroom, enabling them to listen to the conversations taking place over the course of a week.
It is likely that the attackers were aiming to steal confidential information to disrupt the M&A process, and/or potentially use the stolen information as a foundation for blackmail, shares Aurora. “The attack highlighted how Internet of Things (IoT) devices create network blind spots that legacy security systems are incapable of securing.
IoT attacks are a prime example of new threat trends developing in the legal sector, as law firms continue to digitally transform.”
STAY SAFE, STAY ALERT: A Checklist
Law firms have been somewhat behind other industries for cyber security, but with some planning and a strategic approach, they can be more cyber secure:
John Boles, Navigant
The best way to develop a plan is to start with an audit – an assessment of your current state. To help identify priorities, do a review of your systems, policies and procedure and outline a map of the network and how your data interacts. Risk management is nothing new to law firms – it’s just a new form of risk to be assessed, prioritised and managed. Once the cybersecurity assessment is complete and translated into standard business terms and concepts, it becomes measurably easier to incorporate into the business plan and strategy.
The same cybersecurity assessment can be used to develop a layered defence, protecting the highest priority first. Much of cybersecurity is about doing the basics: Begin with the greatest need and build outward to enhance security and to keep expenses focused on the priorities.
Sanjay Aurora, Darktrace
What tomorrow brings is always going to be different. The WannaCry ransomware attack wreaked havoc globally, prompting security teams worldwide to update their defences. Yet a few weeks later, a slightly different version (Petya/NotPetya) caught many unprepared. The lesson here is that attempting to predict the future proves futile in the face of constantly evolving attacks, and AI will be central to the future of cybersecurity.
To stay ahead in this new cyber arms race, law firms need to adopt an “immune system” approach to cybersecurity. By modelling defence on the human immune system, technologies based on probabilistic mathematics and machine learning can learn a “pattern of life” for every user and device as well as the entire network. From this precise understanding of “self”, AI can detect and defend against cyber-threats at their nascent stages, without the use of rules, signatures, or prior assumptions.
Gino Bello, FTI Consulting
There are simple technology-related measures, such as implementing a strong password policy, using two-factor authentication, encrypted hard drives, a virtual private network, and up-to-date anti-virus software. In addition, law firms need to put a policy in place, both proactively before an attack happens and reactively when indeed it does, and follow it.
Undertake penetration testing and iterative cyber risk reviews so the firm knows where the potential vulnerabilities are, where the critical data is, who can access it, and how they can better protect that data when the worst case scenario happens. Also, consider the information security capabilities of your partners and vendors who may have access to or store your data.
People, at all levels, need to have proactive training and awareness programmes.