Cyber Threats and Cyber Defence in the Legal Sector
Since the start of the COVID-19 pandemic, remote work and distancing measures have led law firms to accelerate digitalization in their legal practices. With a surge in digital footprints created by the legal sector, hackers are increasingly preying on unsuspecting law firms. This is evident in American Bar Association’s 2020 Legal Technology Survey Report, where the number of firms that experienced a cyber-attack increased from 26 per cent in 2019, to 29 per cent in 2020.
Why Are Law Firms Targeted by Hackers?
Vast Amounts of Valuable Documents
Lawyers have access to confidential client information, based on their attorney-client privilege. The vast information shared includes invaluable documents such as trade secrets, business strategies and intellectual property, which are viewed as high value targets for hackers.
Lack of Cyber Security Measures
The fast-paced working environment requires law firms to channel most of their resources towards meeting their clients’ needs efficiently. Thus, the need for proper cyber security systems is often not prioritized, and minimal resources are dedicated to cyber security, leading to compromised IT networks.
Recent High Profile Cyber Attacks in the Legal Sphere
In May 2020, Grubman Shire Meiselas & Sacks, a law firm, faced a ransomware attack that demanded USD$42 million. Sensitive data belonging to A list celebrities and prominent figures such as Lady Gaga and Donald Trump were leaked. These leaked files included contracts, telephone numbers and non-disclosure agreements amongst other confidential details.
Recently, in February 2021, Campbell Conroy & O’Neil, P.C, another large law firm with established corporate clients such as Ford, Boeing and Coca-Cola, was also hit with a ransomware attack. Sensitive information including names, financial account information, social security numbers, and payment card information were stolen from their network.
Common Types of Cyber Attacks Carried Out on Law Firms
Cyber attacks come in many forms as hackers would often diversify their methods to target organisations. The various types of cyber attacks include phishing attacks, data breaches, ransomware, supply chain compromise, distributed denial-of service (DDoS) attacks, SQL injection attacks and other sophisticated attacks. In view of the vulnerability of law firms, phishing attacks, ransomware attacks and supply chain compromise are popular attacks carried out by hackers to financially exploit law firms alongside other ulterior motives.
1) Phishing Attacks
Phishing attacks normally involve impersonation and identity theft e-mails to trick lawyers into giving confidential information. These e-mails can represent urgent requests or instructions from authority personnel. With the appropriate tone and content, recipients are likely to respond to them due to the implied level of trust and the tendency to comply with authority out of fear at times. Phishing attacks are highly successful as law firms have lost over USD 790,000 in 2019 as reported by Solicitors Regulation Authority (SRA).
Ransomware is a malware that restricts access to a law firm’s computer and data systems until the ransom is paid. Payments may be demanded in the form of cryptocurrencies like Bitcoin to avoid tracing and firms are not guaranteed full recovery of their data upon payment. To impose pressure on firms, two-pronged ransomware attacks are often carried out whereby the data is being held and threatened to be leaked. Ransomware attacks are prevalent with one in three law firms being targeted based on Capterra’s 2021 Legal Management Survey.
Source: Trend Micro
3) Supply Chain Compromise
A law firm’s supply chain mainly utilises third-party data stores and software providers to facilitate online legal services. Hackers would target the lack of security measures in third party suppliers that deal with commercially sensitive data like client information. Subsequently, when financial transactions are planned to take place through these third-party vendors, hackers would intercept the transactions when money is about to be transferred.
The Damage of Cyber Attacks on Law Firms
Cyber attacks are detrimental to organisations because they are often accompanied by a slew of irreversible negative repercussions. Common repercussions would include financial losses, productivity losses, reputation damage, legal liabilities and business continuity problems. In the legal industry, reputation damage, financial losses and business continuity problems are more prominent issues faced by law firms, in the aftermath of a cyber attack.
1) Reputation Loss
Law firms rely largely on word of mouth, prestige, and reputation to gain the trust of clients. When there is a loss of personal and confidential information caused by cyber attacks, the trust and relationships forged with existing and potential clients would be destroyed. Clients and partners that have entrusted law firms with their business and data would be infuriated and attempts to persuade them to return or stay would likely be an insurmountable task, due to a tarnished image and reputation.
2) Financial Loss
Cyber attacks or data breaches would incur hefty financial costs attributed to different areas:
- Cost of recovery: Engaging IT personnel and external contractors to conduct in-depth recovery operations includes costly additional man-hours.
- Cost of lost productivity: Downtime from cyber attacks leads to measurable financial losses such as the loss of billable hours and other value-added activities.
- Legal and PR costs: Legal and PR efforts are required to account to shareholders and prepare for legal or regulatory lawsuits.
3) Business Continuity Problems
The extensive impact from not being to conduct business with clients and the steep costs accumulated can threaten a firm’s business continuity. This is especially alarming for firms that rely heavily on online applications or platforms to conduct legal services and connect with their clients. A cyber attack alone would disrupt and halt such activities, which can be enough to put these firms out of business.
Cyber Security Measures in the Legal Sphere
Referencing section 24 of the Personal Data Protection Act, organisations are required to protect personal data in their possession, through implementing reasonable security arrangements to prevent unauthorised malicious acts and data losses. Hence, law firms and lawyers can consider adopting the following cyber security measures to protect their clients’ data from hackers.
How Lawyers Can Play Their Part
- Ensure that passwords and login credentials to client information are complex and changed routinely.
- Restrict access to clients’ data by only allowing relevant personnel to access them for a specific job function, to prevent mismanagement of data that has costly ramifications.
- Avoid using public Wi-Fi without a virtual private network (VPN) when sharing data, as hackers can access these data from the exposed IP addresses of devices upon connecting to open networks.
- Backup data regularly by following the 3-2-1 backup rule. Three copies of the data should be stored on two different types of media such as a local and external hard drive, and store one copy in an off-site location such as a cloud storage. This reduces the impact of a single point of failure caused by cyber-attacks.
Recommended Cyber Security Measures for Law firms
1. Enhance existing cyber defence measures with proactive cyber defence solutions
Proactive cyber defence solutions prevent threats with automated threat detection and mitigation before they enter a firm’s network on a 24/7 basis.
Since clean-up operations from attacks are carried out outside of the firm’s network, business will be as usual for law firms due to the absence of downtime for recovery.
Firms without internal IT teams can consider engaging professional IT providers to deploy the sophisticated proactive cyber defence solutions. This transition from traditional reactive to proactive cyber defence measures will ultimately allow firms to save time, manpower, and costs on monitoring, detecting, and responding to cyber threats.
2. Deploy plug-and-play scalable solutions that cater to firms of all sizes
Plug-and-play scalable solutions provide cost-savings and convenience to firms looking to protect their business. Such solutions are easy to install, and they do not require firms to make any changes to their existing IT infrastructure networks while they upgrade their cyber security measures at any point, including the business expansion stage.
These flexible and affordable cyber defence solutions are readily available in the market. Firms can in turn select the appropriate cyber defence solutions in accordance with their needs and requirements.
3. Employ the use of automatic update cyber defence solutions
With hackers continuously coming up with new ways to infiltrate systems, it is an uphill task for law firms to juggle between serving their clients and ensuring that their existing cyber security measures are effective in dealing with the complex nature of modern cyber threats.
As such, law firms can seek out external cyber defence solutions providers with expertise in developing up-to-date solutions that incorporate the best industry practices and latest cyber security technologies. To evaluate the credibility and effectiveness of these solutions offered, firms can look at solutions that are constantly updated automatically, based off intel provided from a myriad of globally recognised cyber security sources. Law firms should also consider solutions that are certified with internationally recognised cyber security certifications.
The heightened threat of cyber attacks in today’s cyber security landscape makes it crucial for lawyers and law firms to implement proper and effective cyber security measures that function as the first and last line of cyber defence. With the provision of comprehensive state-of-the-art cyber defense solutions offered by external IT vendors, and a uniformed effort by lawyers to adopt good cyber security habits, it collectively prepares the legal industry to better defend against the ever-imminent threat of cyber attacks.