Are Law Firms at a Higher Cybersecurity Risk?
No business is immune to cybersecurity risk. However, some organizations, by their very nature, may be more at-risk than others because of how tempting the data they retain may be to malicious actors of all stripes. Law firms are one example of a type of business that processes and holds extremely sensitive data that would be of interest to others—making them a prime target for cyberattacks.
Protecting your firm’s (and by extension, your clients’) sensitive data from unauthorized access should be a top priority. Why? Because, according to the American Bar Association’s (ABA’s) 2021 Cybersecurity Report, “25% of respondents overall reported this year that their law firms had experienced a data breach at some time.” That’s one in four law firms reporting a breach—which doesn’t even begin to cover how many attempted cyberattacks were either thwarted or went unnoticed.
To better protect your firm from cybersecurity threats, it’s important to know what those threats are and how to deal with them. In this article, we’ll discuss some common law firm cybersecurity risks, why law firms may be at a greater risk of cyberattack, and what your firm can do to minimize its risks.
What Are Cybersecurity Risks?
To borrow a definition from the National Institute of Standards and Technology (NIST), a cybersecurity risk is something that relates “to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.”
To simplify it a bit, a cybersecurity risk is anything that might lead to data or IT system compromise—whether it’s an internal system vulnerability or an external cyber threat.
Why is cybersecurity such an issue for law firms?
As the ABA notes in Formal Opinion 483, lawyers have an obligation to “use technology competently to safeguard confidential information against unauthorized access or loss” and “employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” In short, lawyers are obligated to not only put protections in place to prevent security breaches, but to monitor for them so the appropriate breach response measures can be taken.
Some examples of common cyber risks that law firms may need to contend with include (but aren’t necessarily limited to):
A data breach can be loosely defined as any event where an unauthorized entity gains access to an organization’s protected data. When a cyberattack against a law firm succeeds (or an internal user accidentally send the wrong file to the wrong person), there is a significant risk of a data breach occurring.
For law firms, the risk of a data breach can be especially worrisome for a few reasons. First, such breaches can be a severe blow to the firm’s reputation. Trust is one of the most precious intangible resources a firm can have. Having the trust of clients is crucial for maintaining positive attorney-client relationships and drawing in new clients.
However, trust takes a long time to build and, once broken, is extremely difficult to re-build. A single data breach incident can easily shake clients’ trust in their attorney’s legal practice.
Second, the sheer sensitivity of the files lawyers store and manage can make them especially devastating to clients if leaked. For example, if legal documents pertaining to an ongoing case are leaked to the public, the client may face public censure. Additionally, the information held by a law office could be used to commit identity theft or other fraud schemes against the client—which may incur direct damages to the client.
A third reason why data breaches may be especially harmful to law firms is that they can create a risk of malpractice lawsuits. If clients suffer damages because of fraud enabled by a data security breach, they could come after the firm to reclaim their losses as part of a malpractice suit.
Ransomware is a specific type of malware program that is often used to extort money from an affected system’s owner. The malware infects a target’s data storage solution and encrypts all of the data on it—rendering it unusable to the system’s owner and users. The cybercriminal behind the attack will then send a threating message along the lines of “pay up or lose your data forever.”
If the victim pays, the crook promises to provide the encryption key needed to decrypt the data. However, even if the cybercriminal provides the encryption key, the malware typically remains on the infected system—which means they can easily strike again later.
The effects of ransomware can bring a law firm’s operations to a grinding halt, keeping lawyers from readily accessing the data and resources they need to be effective representatives for the firm’s clients.
Phishing attacks are a type of “social engineering” attack where scammers send messages to people within an organization in an attempt to trick them into taking some kind of action that benefits the scammer. Common goals of phishing attacks include things like:
- Approving Phony Invoices. The scammer may try to trick recipients into approving a phony invoice—directing money into a bank account that they can then reroute to an overseas bank to keep the money from being reclaimed by the law firm and prevent the money trail from being traced.
- Collecting User Login Information. Some scammers may try to pose as IT staff or vendor personnel and ask your internal users to give them login details so they can “troubleshoot” some problem in the user’s account or network. Once acquired, the scammer may abuse the login credentials to steal information, upload spyware, or take some other malicious action.
- Uploading Malware. A common phishing tactic is to use aggressive or panic-inducing messaging to trick a recipient into downloading malware. For example, a user surfing the web might suddenly get a pop-up message saying something along the lines of “WARNING: Malware Detected—Fix It Now!” However, when the target clicks on the link or downloads the email attachment, they end up downloading a malware program instead of removing one.
Web Application Attacks
Web application attacks target one of the three layers of the web application model (web browser/user interface, dynamic content generation, and the database) wherein users access resources not installed on the device they’re using.
Examples of web application attacks include:
- Structured Query Language (SQL) Injection Attacks. This is when an attacker interrupts the web application query made to the application’s database to capture sensitive data or influence the database’s behavior.
- Cross Site Scripting (XSS) Attacks. Here, an attacker uploads malicious code into a trusted website or application so that they can bypass the source verification protections of anyone visiting that website or using that app.
- Distributed Denial of Service (DDoS) Attacks. For web applications, this is when an attacker attempts to overload the content generation or database with requests so that the web app cannot process legitimate traffic. This prevents the law firm from being able to access those resources until the attack ends.
Aside from the specific cyber threats listed above, there are numerous other risks that law firms may face—such as:
- Unplanned IT Downtime. When IT assets or networks go down without warning, the law firm may find its operations hampered. Unplanned IT downtime can happen for several reasons, such as wear and tear on their IT assets, sudden catastrophic damage, DDoS attacks, or malware.
- Insider Attacks. Insider attacks are when an authorized user of the law firm’s IT infrastructure abuses their access privileges to compromise the firm’s network security. These attacks can be especially difficult to prevent and deal with because the attacker can bypass traditional network perimeter defenses (like firewalls) since they have legitimate access credentials.
- Zero-Day Exploits. These are previously unknown vulnerabilities in IT systems that attackers can leverage to breach a firm’s cybersecurity measures. Because these exploits are unknown, they can be very difficult to prepare for without extensive penetration testing (stress tests of the firm’s IT network designed to uncover potential vulnerabilities).
Are Law Firms at a Greater Cybersecurity Risk?
In 2021 alone, there were 4,145 publicly-disclosed data breaches that exposed over 22 billion records (Source: Security Magazine).
No business is safe from being a target of a cyberattack—and law firms are no exception. As mentioned previously, fully 25% of law firms reported experiencing a data breach at some point in 2021—but that figure may not reflect the total number of attacks levied against law firms (which includes both the attacks that the targeted firms thwarted and the ones that may have gone undetected). This is lower than the percentage for all American businesses (45% of which have experienced a data breach according to Comparitech).
However, while the rate of reported data breaches is lower than the rate for all business types, there are a few important things to consider before assuming that law firms are safer than other businesses:
- Average Security Levels Vary from Business to Business. A large portion of data breaches affect “small to midsize” businesses (SMBs) that may not have the resources to defend against a determined attacker. According to the Comparitech article, 28% of data breaches affected small business victims (which would be about 1,160 breaches of the 4,145 reported in 2021). This helps to skew the rate of breaches for American businesses upwards.
- The Sensitivity of the Data Law Firms Carry. Law firms can make an especially tempting target for cybercriminals because of how valuable the information they hold can be. Even though the rate of breaches is lower for law firms, the impact of a breach can be especially high since the data leaked could be very harmful (both to the firm and its clients). For example, say XYZ corporation was in a business negotiation to acquire ABC company, but hadn’t publicly announced it yet (only reporting the upcoming deal to the appropriate regulatory bodies) since that could affect the stock price of both organizations and make the deal more costly to complete. However, a hacker breaches the law firm’s security and leaks details about the upcoming merger to news organizations. ABC company’s stock price rises, the acquisition becomes more costly, and the firm is held responsible for the leak.
- The Cost of Regulatory Noncompliance. Law firms have to follow virtually all of the same rules and regulations that normal businesses need to uphold in addition to meeting the ethical and business standards of the legal profession. For example, New York attorneys have to meet the state’s cybersecurity standards for businesses and notification rules set forth in the SHIELD Act while also striving to maintain the IT security standards outlined by the American Bar Association. In addition to potential monetary fines from government organizations (whether municipal, state, or federal), lawyers who fail to uphold cybersecurity standards face potential censure and loss of reputation that may make it harder to attract and retain new clients.
Law firms are not exempt from being targeted by hackers and other malicious actors and stand to lose a great deal if they experience a data breach. So, it’s vital for law firms to apply strong cybersecurity protections to minimize their risk of data compromise.
How to Protect Your Firm and Clients from Cyber Threats
What can a law firm do to manage its cybersecurity risk? There are a few things that law firms can do to minimize the chances of a data breach as well as the impacts of any breaches that occur:
- Implementing a Policy of Least Privilege for Internal Users. Does every summer intern and paralegal need access to all of the firm’s documents? Odds are good that they don’t. A policy of least privilege (granting users access only to the files and systems they need to perform their job duties) is an important first step in reducing the risk and impact of internal attacks. By limiting access, you can limit the scope of the damage done if someone has their user access credentials hijacked (or intentionally misuses them).
- Setting Up an Ongoing Cybersecurity Training Regimen. To ensure that users don’t accidentally compromise the firm’s security, it’s important to provide them with the knowledge and training they need to understand basic cybersecurity rules and concepts—then reinforce those lessons to improve information retention. An ongoing cybersecurity training program helps your firm disseminate important information about cybersecurity and ensure that users don’t forget it by providing periodic updates to reinforce previous lessons.
- Documenting Formal Cybersecurity Policies and Procedures. Documentation is important for any legal practice. Creating a formal document detailing the firm’s cybersecurity policies, the roles and responsibilities of each member of the firm, a list of actions to take in case of a security compromise event, and the consequences of noncompliance is important for maintaining consistently strong cybersecurity architecture.
- Consult with an IT Professional or Cybersecurity Specialist to Address Gaps. There are countless different cybersecurity solutions that a firm can add to improve its cybersecurity—some examples include things like firewalls, multifactor authentication, and security information and event management (SIEM) systems. However, haphazardly adding solutions without a larger strategy may have adverse effects on user experience and even the security of your IT network. Consulting with an IT professional can help you identify specific gaps in your security and the best tools for addressing them.
Need help improving your firm’s cybersecurity? Reach out to Converged Technology Group today to get started! Our legal IT services are built to help law firms get more out of their IT while maintaining a strong cybersecurity posture.