Cybersecurity break-ins are more often than not preceded by phishing, especially spear phishing attacks. Lately, law firms have become favorite targets. There are compelling reasons for this situation. Brian Levine, of the Department of Justice Computer Crime and Intellectual Property Section, stated that law firms are perceived as less security-hardened than other industries. So cybercriminals see law firms as a backdoor into their clients’ data. What kind of data?
Law firms act as warehouses of client and employee data, and are therefore not immune to cyber-attacks. In many ways law firms are the perfect targets. Most law firms possess vast amounts of personally identifiable information whether that of their clients, employees, or parties and witnesses in litigation. Information about pending corporate deals and legal matters, trade secrets, private information about corporate officers, you name it. This data is irresistibly attractive to cybercriminal mobs all over the world.
Is it true that cybersecurity at law firms is more lax? Here is an example. Until recently, most law firm employees routinely accessed personal email at work on the company PC. This practice has long been prohibited in the overwhelming majority of financial firms. According to Keith Lee, a columnist for http://abovethelaw.com, lawyers are not as tech-savvy as their financial and manufacturing sector clients. This may make law firms more susceptible to phishing attacks.
Security, and specifically phishing, have become a big topic in the legal community. In March 2016, the American Journal of Trial Advocacy held a symposium entitled ”Practicing Law in the Age of Surveillance and Hackers: An Exploration of Privacy and Data Security”. The recent ABA TECHSHOW conference hosted a panel called “Security Awareness and Phishing”.
Phishers have sullied the reputation of more than a few law firms. In August 2016, the firm Sidley Austin was the purported sender of a phishing email advising the recipient of an inheritance. In 2015, phishing emails claiming to come from the firm Baker & McKenzie asserted that the recipients were involved in debt collection cases. Similar phishing emails have claimed that recipients were required to appear in court.
Ethically, law firms should make best efforts to protect client data. Furthermore, there are multiple ABA model rules stipulating the protection of client data and, by extension, IT infrastructures. There has been a rise in advisory opinions to this effect from ethics boards in California, Washington, and Arizona, among others. Some experts believe that the time is coming that improperly securing IT systems could be construed as malpractice.
Some of the top law firms are joining the Financial Services Information Sharing and Analysis Center, an information-sharing group for cyberthreats.
Phishing will continue as long as it is profitable for the attackers. However, there are measures that you can take.
Although attackers constantly change tactics, it is impossible to prevent these attacks. There are several measures that can be taken to reduce risk including having up to date anti-virus software, web filters and a firewall. A layered approach is key and should include the following steps to help prevent a security breach.
With careful thought and planning, law firms can significantly lower their exposure to a phishing attack and potential data breach. Failure to do so will result in direct financial loss and severe reputational damage.
Are you an IT professional at a law firm, that wants to ensure sensitive customer and staff data and devices are protected? Talk to a security specialist or Email us at firstname.lastname@example.org with any questions.
Sign-up for email updates...