Cybersecurity break-ins are more often than not preceded by phishing, especially spear phishing attacks. Lately, law firms have become favorite targets. There are compelling reasons for this situation. Brian Levine, of the Department of Justice Computer Crime and Intellectual Property Section, stated that law firms are perceived as less security-hardened than other industries. So cybercriminals see law firms as a backdoor into their clients’ data. What kind of data?
Law firms act as warehouses of client and employee data, and are therefore not immune to cyber-attacks. In many ways law firms are the perfect targets. Most law firms possess vast amounts of personally identifiable information, whether that of their clients, employees, or parties and witnesses in litigation. They also hold information about pending corporate deals and legal matters, trade secrets, private information about corporate officers, you name it. This data is irresistibly attractive to cybercriminal mobs all over the world.
Law firms more susceptible to phishing attacks.
Is it true that cybersecurity at law firms is more lax? Here is an example. Until recently, most law firm employees routinely accessed personal email at work on the company PC. This practice has long been prohibited in the overwhelming majority of financial firms. According to Keith Lee, a columnist for http://abovethelaw.com, lawyers are not as tech-savvy as their financial and manufacturing sector clients. This may make law firms more susceptible to phishing attacks.
Security, and specifically phishing, has become a big topic in the legal community. In March 2016, the American Journal of Trial Advocacy held a symposium entitled “Practicing Law in the Age of Surveillance and Hackers: An Exploration of Privacy and Data Security”. The recent ABA TECHSHOW conference hosted a panel called “Security Awareness and Phishing”.
- In March 2016, 13 of the 15 most prestigious law firms were targeted by “Oleras”, a cybercriminal gang based in Ukraine. The gang planned a spear phishing campaign to gather information that could be leveraged for insider trading.
- In May 2016, Florida State Bar members were the victims of phishing leading to ransomware. The bogus email’s subject was “Florida Bar Association Past Due Invoice”. Then Nevada lawyers received phishing emails referencing unpaid dues or notification of a discipline complaint. Bar members in California, Georgia, and Alabama were also targeted, according to the ABA Journal.
And scammers pose as law firms
Phishers have sullied the reputation of more than a few law firms. In August 2016, the firm Sidley Austin was the purported sender of a phishing email advising the recipient of an inheritance. In 2015, phishing emails claiming to come from the firm Baker & McKenzie asserted that the recipients were involved in debt collection cases. Similar phishing emails have claimed that recipients were required to appear in court.
Protect your business and your reputation
Ethically, law firms should make best efforts to protect client data. Furthermore, there are multiple ABA model rules stipulating the protection of client data and, by extension, IT infrastructures. There has been a rise in advisory opinions to this effect from ethics boards in California, Washington, and Arizona, among others. Some experts believe that the time is coming when improperly securing IT systems could be construed as malpractice.
Some of the top law firms are joining the Financial Services Information Sharing and Analysis Center, an information-sharing group for cyberthreats.
Measures to preclude phishing attacks
Phishing will continue as long as it is profitable for the attackers. However, there are measures that you can take.
- First, a key step is to change user behavior when confronted with a phishing email. The obvious advice is not to click on strange links in email. But phishing emails are becoming increasingly convincing. According to Verizon’s breach report, 30 percent of people fall for phishing emails.
- User training on phishing and social engineering in general would be helpful in reducing the number of phishing emails that lead to cyberattacks. In this regard, there are a number of ready-made websites offering phishing training. Just google “phishing training” for a list.
- Why not reward your employees for a "Catch of the Day"? Have them forward “phishy” emails to a central contact. Each week award a prize to the winner and then publicize the attempt to remind employees to keep vigilant.
- Be cautious when posting information about employee activities on your web site or social media. Phishers can comb these sites for information to make their emails appear more real.
Nine steps to prevent a security breach
Because attackers constantly change tactics, it is impossible to prevent these attacks. There are, however, several measures that can be taken to reduce risk, including having up-to-date anti-virus software, web filters and a firewall. A layered approach is key and should include the following steps to help prevent a security breach.
- Conduct a risk assessment, which often can be aided by the services of knowledgeable, objective, independent IT vendors.
- Use appropriate encryption technology on servers, desktops, laptops and all mobile devices.
- Limit access to computer systems, email and directories only to known and trusted users, and implement and follow appropriate password policies.
- Develop and follow a data retention and destruction policy, so that personal data is not at risk. Law firms should carefully analyze where data is kept, and limit the number of places where data is retained.
- Keep anti-spam and anti-virus security software up-to-date, regularly applying recommended patches.
- The firm's security arsenal should include a secure email gateway, advanced spam filters, multiple anti-virus engines, anti-phishing protection and advanced threat protection.
- Educate employees about the protection of sensitive data and use and protection of passwords.
- Implement and follow a written Internet usage policy to explain how Internet access and usage should be conducted on firm computers, and specifically, the limits on such usage.
- Finally, develop a comprehensive breach preparedness plan, to enable decisive action and avoid operational paralysis when a data breach occurs.
With careful thought and planning, law firms can significantly lower their exposure to a phishing attack and potential data breach. Failure to do so will result in direct financial loss and severe reputational damage.