Law Firm Cybersecurity

Are Law Firms at a Higher Cybersecurity Risk?

No business is immune to cybersecurity risk. However, some organizations, by their very nature, may be more at-risk than others because of how tempting the data they retain may be to malicious actors of all stripes. Law firms are one example of a type of business that processes and holds extremely sensitive data that would be of interest to others—making them a prime target for cyberattacks.

Protecting your firm’s (and by extension, your clients’) sensitive data from unauthorized access should be a top priority. Why? Because, according to the American Bar Association’s (ABA’s) 2021 Cybersecurity Report, “25% of respondents overall reported this year that their law firms had experienced a data breach at some time.” That’s one in four law firms reporting a breach—which doesn’t even begin to cover how many attempted cyberattacks were either thwarted or went unnoticed.

To better protect your firm from cybersecurity threats, it’s important to know what those threats are and how to deal with them. In this article, we’ll discuss some common law firm cybersecurity risks, why law firms may be at a greater risk of cyberattack, and what your firm can do to minimize its risks.

What Are Cybersecurity Risks?

To borrow a definition from the National Institute of Standards and Technology (NIST), a cybersecurity risk is something that relates “to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.”

To simplify it a bit, a cybersecurity risk is anything that might lead to data or IT system compromise—whether it’s an internal system vulnerability or an external cyber threat.

Why is cybersecurity such a big issue for law firms?

As the ABA notes in Formal Opinion 483, lawyers have an obligation to “use technology competently to safeguard confidential information against unauthorized access or loss” and “employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” In short, lawyers are obligated to not only put protections in place to prevent security breaches, but to monitor for them so the appropriate breach response measures can be taken.

Some examples of common cyber risks that law firms may need to contend with include (but aren’t necessarily limited to):

Data Breaches

A data breach can be loosely defined as any event where an unauthorized entity gains access to an organization’s protected data. When a cyberattack against a law firm succeeds (or an internal user accidentally sends the wrong file to the wrong person), there is a significant risk of a data breach occurring.

For law firms, the risk of a data breach can be especially worrisome for a few reasons. First, such breaches can be a severe blow to the firm’s reputation. Trust is one of the most precious intangible resources a firm can have. Having the trust of clients is crucial for maintaining positive attorney-client relationships and drawing in new clients.

However, trust takes a long time to build and, once broken, is extremely difficult to rebuild. A single data breach incident can easily shake clients’ trust in their attorney’s legal practice.

Second, the sheer sensitivity of the files lawyers store and manage can make them especially devastating to clients if leaked. For example, if legal documents pertaining to an ongoing case are leaked to the public, the client may face public censure. Additionally, the information held by a law office could be used to commit identity theft or other fraud schemes against the client—which may incur direct damages to the client.

A third reason why data breaches may be especially harmful to law firms is that they can create a risk of malpractice lawsuits. If clients suffer damages because of fraud enabled by a data security breach, they could come after the firm to reclaim their losses as part of a malpractice suit.

Ransomware

Ransomware is a specific type of malware program that is often used to extort money from an affected system’s owner. The malware infects a target’s data storage and encrypts the data on it—rendering it unusable to the system’s owner and users. The cybercriminal behind the attack then sends a threatening message along the lines of “pay up or lose your data forever.”

If the victim pays, the crook promises to provide the key needed to decrypt the data. However, even if the cybercriminal provides that key, the malware typically remains on the infected system unless it is fully removed—which means the attacker can easily strike again later.

The effects of ransomware can bring a law firm’s operations to a grinding halt, keeping lawyers from readily accessing the data and resources they need to be effective representatives for the firm’s clients.

Phishing

Phishing attacks are a type of “social engineering” attack where scammers send messages to people within an organization in an attempt to trick them into taking some kind of action that benefits the scammer. Common goals of phishing attacks include things like:

  • Approving Phony Invoices. The scammer may try to trick recipients into approving a phony invoice—directing payment to a bank account the scammer controls, from which the funds are quickly moved to an overseas bank to keep the law firm from reclaiming the money and to obscure the money trail.
  • Collecting User Login Information. Some scammers may try to pose as IT staff or vendor personnel and ask your internal users to give them login details so they can “troubleshoot” some problem in the user’s account or network. Once acquired, the scammer may abuse the login credentials to steal information, upload spyware, or take some other malicious action.
  • Uploading Malware. A common phishing tactic is to use aggressive or panic-inducing messaging to trick a recipient into downloading malware. For example, a user surfing the web might suddenly get a pop-up message saying something along the lines of “WARNING: Malware Detected—Fix It Now!” However, when the target clicks on the link or downloads the email attachment, they end up downloading a malware program instead of removing one.

Web Application Attacks

Web applications let users access resources that aren’t installed on the device they’re using. Web application attacks target one of the three layers of the web application model: the web browser/user interface, the dynamic content generation layer, or the database.

Examples of web application attacks include:

  • Structured Query Language (SQL) Injection Attacks. This is when an attacker manipulates the query a web application sends to its database—typically by supplying crafted input that the application pastes into the query text—to capture sensitive data or influence the database’s behavior.
  • Cross Site Scripting (XSS) Attacks. Here, an attacker injects malicious script into a trusted website or application so that it runs in the browsers of anyone visiting that website or using that app, with the trust the browser extends to that site rather than the restrictions it would apply to code from an unknown source.
  • Distributed Denial of Service (DDoS) Attacks. For web applications, this is when an attacker attempts to overload the content generation or database with requests so that the web app cannot process legitimate traffic. This prevents the law firm from being able to access those resources until the attack ends.
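To make the first two bullets concrete, here is an added example (it is not code from the original article or from Converged Technology) that places a vulnerable database lookup beside its parameterized fix, using Python’s built-in sqlite3 module, and shows the output encoding that stops a reflected XSS payload from running. The “client matters” table, its rows, and the inputs are all constructed for the demonstration.

```python
"""Added example: SQL injection 'before/after' and XSS output encoding.
Everything here (table, rows, inputs) is constructed for illustration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'client matters' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (client TEXT, matter TEXT)")
    conn.executemany(
        "INSERT INTO matters VALUES (?, ?)",
        [("Acme Corp", "Contract dispute"), ("J. Doe", "Estate plan")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, client: str) -> list:
    """The 'before': user input is concatenated into the SQL text, so a
    quote character in the input changes the structure of the query itself."""
    query = f"SELECT matter FROM matters WHERE client = '{client}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn: sqlite3.Connection, client: str) -> list:
    """The 'after': the query text is fixed and the value is bound as a
    parameter, so the database treats the entire input as one literal string."""
    rows = conn.execute("SELECT matter FROM matters WHERE client = ?", (client,))
    return sorted(row[0] for row in rows)


def render_greeting(name: str) -> str:
    """Output encoding for the XSS bullet: escape user-controlled text before
    placing it in HTML so the browser renders it as text, not as markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}.</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: closes the quoted value and appends an always-true clause.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(conn, crafted))  # every matter for every client leaks
    print(lookup_safe(conn, crafted))        # [] -- no client is literally named that
    print(render_greeting("<script>alert(1)</script>"))  # rendered as harmless text
```

The point for a firm reviewing its own or a vendor’s web portal is the shape of the fix, not the specific input: queries built by string formatting are the defect, bound parameters are the remedy, and any user-supplied text placed into a page must be escaped for the context it lands in.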

Other Risks

Aside from the specific cyber threats listed above, there are numerous other risks that law firms may face—such as:

  • Unplanned IT Downtime. When IT assets or networks go down without warning, the law firm may find its operations hampered. Unplanned IT downtime can happen for several reasons, such as wear and tear on the firm’s IT assets, sudden catastrophic damage, DDoS attacks, or malware.
  • Insider Attacks. Insider attacks are when an authorized user of the law firm’s IT infrastructure abuses their access privileges to compromise the firm’s network security. These attacks can be especially difficult to prevent and deal with because the attacker can bypass traditional network perimeter defenses (like firewalls) since they have legitimate access credentials.
  • Zero-Day Exploits. These target previously unknown vulnerabilities in IT systems that attackers can leverage to breach a firm’s cybersecurity measures. Because the vulnerabilities are unknown, they can be very difficult to prepare for without extensive penetration testing (authorized, simulated attacks on the firm’s IT environment designed to uncover potential vulnerabilities).

What Differentiates Cybersecurity Vulnerabilities from Risks and Threats?

A cybersecurity vulnerability is an internal problem for a law firm’s IT infrastructure or processes. This is different from cybersecurity risks and threats, which can be defined as:

  • Cybersecurity Risk. This is a measure of how likely a cybersecurity breach of some kind is to happen—and possibly how damaging such an event would be. This is related to cybersecurity vulnerabilities since weaknesses in IT security can increase cybersecurity risks.
  • Cybersecurity Threat. This is the term for anything that generates a cybersecurity breach risk—whether it be a specific piece of malware, a hacker, or a malicious internal user. Cybersecurity threats leverage vulnerabilities to breach an organization’s security.

So, while cybersecurity threats and risks are closely related to vulnerabilities, they are very distinct terms and should not be used interchangeably.

The sections above present just a few of the more common cybersecurity risks and vulnerabilities that a law firm might have. There are countless more issues that might arise from specific combinations of software, hardware, and legal IT practices in the firm.

Need help securing your law firm’s IT infrastructure against data breaches while preserving a positive user experience? Reach out to Converged Technology to get started!

(631) 468-5770