Why Law Firms Can’t Afford to Treat Cybersecurity as an Afterthought

Posted by Trevagh Stankard on Tue, Jun 28th, 2022

Law firms are data-rich organizations that attract cybercriminals like bees around a honeypot. The recent cyber-attack on the law firm McCarter & English demonstrates this. The cyber-attack caused sensitive data exposure and meant the firm lost access to email backups and email inboxes, causing the firm to turn to an emergency temporary email platform. Cyber-attacks on law firms are highly disruptive and lead to loss of client trust, fines, and financial losses. As a result, law firms are a target for cybercriminals, and like all other industries, the sector can no longer treat cybersecurity as an afterthought. Here are the reasons why.

Cyber-attacks Against Law Firms

The American Bar Association (ABA) conducted a 2021 survey on technology use and cybersecurity in the sector. The survey found that 29% of law firms had experienced a cyber-attack. Cybercriminals focus on the sensitive and valuable data that law firms preside over. The mechanism of attack often begins with credential theft. Once credentials are stolen, often by spear-phishing, cybercriminals can access law firm IT systems. Once cybercriminals breach these systems, hackers can install malicious software such as ransomware or exploit databases full of sensitive and confidential files.

Three Recent Examples of Cyber-attacks on Law Firms

Stevens & Lee: a breach notice from the firm points out that personal customer data was exposed during unauthorized access of firm files. The firm says the attack was “part of a sophisticated cyber-attack against our firm.”

​​New York City’s Law Department:  this cyber-attack used stolen employee credentials to infiltrate the firm's network, with at least three databases accessed by attackers. The law department had to shut down its IT network to contain the attack. The result was delays in handling court cases and general mayhem.

Jones Day: a breach of the file transfer service Accellion was the cause of this supply chain attack on Jones Day law firm. The firm described the attack as ‘sophisticated’. Confidential documents, said to be from the Jones Day firm, were posted to a site associated with CLOP ransomware.

Impact of Cyber-attacks on Law Firms

The ABA survey notes that of the 29% of law firms infected with a virus, spyware, or malware, 36% experienced downtime. In addition, 31% had to pay IT consultants to repair the damage, and 25% of respondents had to make a breach notification to the authorities and customers.

Law firms that suffer a cyber-attack are at risk of non-compliance fines too. For example, Tuckers Solicitors, a UK law firm, was infected by ransomware that encrypted over 972,000 files, including almost 25,000 related to court bundles. As well as the cyber-mayhem that ensued, the UK's Information Commissioner's Office fined Tuckers £98,000 ($120,000). The ICO commented that the fine was for "failure to implement appropriate technical and organizational measures."

How Law Firms can Prevent a Cyber-attack

Law firms must take appropriate measures to prevent cyber-attacks from exposing data, installing ransomware, and causing IT failure. Here are five suggested measures that any size law firm can put in place to ensure the safety of their IT systems and sensitive data:

1. Use security awareness training: security awareness training and phishing simulations help to prevent phishing attacks by ensuring that employees can spot a malicious email. Security awareness also covers things like password hygiene and sharing of passwords to avoid accidental insider data exposure. The ABA survey concludes, "Training should be mandatory and often, to ensure that the tools are being properly and adequately utilized. Employing the highest level of security is requisite."
2. Patch IT systems and applications regularly: cybercriminals exploit vulnerabilities in software and firmware. Help prevent the installation of malware (including ransomware) by keeping applications and IT components up to date with security and other patches. This can often be done remotely and automated to ensure it happens quickly and effectively.

1. Use multifactor authentication (MFA): a useful layer against phishing is to use MFA. However, cybercriminals are finding ways to exploit even this security layer. Use MFA wherever possible, but back this up with security awareness training and the next measure on the list - spam filters.
2. Use an advanced spam filter: phishing is behind 90% of data breaches. Spam filters help to prevent phishing emails from entering employee inboxes. Advanced spam filters use machine learning and are effective against emerging phishing threats. 
3. Use a secure email archive system: it is vital that law firms keep up and running during a security crisis. An email archive system ensures that emails and attachments are encrypted during transfer and storage to ensure security. In addition, access to the stored data is enforced using the principles of least privilege and applies this using robust authentication. A cloud-based email archiving system ensures that eDiscovery of emails is provided.

Law firms can no longer treat cybersecurity as an afterthought. Fortunately, the largest through to the smallest law firm can prevent these cyber-attacks by employing cloud-based solutions or a by using a managed service provider (MSP) specializing in the deployment and maintenance of cybersecurity measures. Add to this a layer of security awareness training, and a law firm can ensure that they are doing their utmost to prevent sensitive data from exposure and keep their law firm up and running.