Security breaches have become a routine occurrence, and law firms are not immune to such attacks. Law firms have become an attractive target because access to sensitive data is a business need for them, which in turn makes them more attractive to prospective attackers. Also, most law firms don’t have in-house cybersecurity staff or third-party arrangements to actively defend their enterprises, which limits their ability to respond to cyber events.
COMMON CYBER RISKS
Social engineering attacks, ransomware, and sensitive data leaks are the biggest cybersecurity threats faced by law firms.
Social engineering is a form of deception that attempts to manipulate an individual into divulging confidential or personal information (e.g. passwords or sensitive documents) that can be used for fraudulent purposes. Phishing is the most common form of social engineering attack. Phishing is the practice of sending emails supposedly from trusted individuals or companies in order to manipulate individuals into releasing personal information. For example, a phishing email may be intended to confuse individuals into paying a fraudulent invoice or providing the login/password combination into a site designed to imitate a reputable site.
Ransomware is a malicious program that encrypts critical files on a computer system until a sum of money is paid to the extortionist. Databases and file systems are the most common target in law firms because that is where the information to execute legal cases resides, thus increasing the motivation to pay the ransom.
Sometimes attacks can happen for reasons other than extortion. Nation-states may be interested in getting access to data so they can selectively leak to advance their interests. Or motivated hacktivists may perpetrate cyber attacks so they can leak sensitive information to further social or political ends. Mossack Fonseca, the Panamanian law firm, is a great example of that. Leaks from that firm generated the infamous “Panama Papers” scandal and exposed emails, contracts, banking statements, and sensitive client records totaling 11.5 million documents and 2.6 terabytes of data.
MANAGING THE RISKS
Managing and staying ahead of these attacks requires vigilance, planning, and strategic thinking. Fortunately, staying on top of basics can substantially reduce the chance of a successful attack.
AN AFFORDABLE PLAN IS OUTLINED BELOW:
Implement email protection technology: There are many technology solutions that can proactively identify and flag spam and phishing emails. These technologies have matured significantly and do a great job of weeding out most such attacks.
Continuous patching: Most attackers will take the path of least resistance. This often means taking advantage of well-known security vulnerabilities. The good news is that most software vendors regularly release patches that remove security vulnerabilities. Law firms should get in the habit of regularly deploying these patches, perhaps by designating a day of the week that is meant for security patches and religiously adhering to that schedule.
Multi-factor authentication: Law firms should enable multi-factor authentication for all systems deemed critical, including entry to all firm laptops. Multi-factor means having at least two of the following attributes to gain entry: something you know (e.g. a password); something you have (e.g. a phone that can be used to receive a token); or something you are (e.g. biometrics for fingerprint recognition). This is an extremely effective technique to prevent an attack because even if attackers acquire the username/password combination, they cannot enter because they don’t have the second factor.
Ongoing security awareness training and social engineering testing: This is to reduce the risk of gullible employees falling for phishing and social engineering attempts. Ongoing security awareness training keeps increasing their cybersecurity baseline, and ongoing social engineering testing (e.g. simulated phishing attacks) lets you know who your most vulnerable employees are.
Lock storage devices on USB ports: Infected USB drives are one way to spread ransomware or malware. Locking USB drives to disable all storage devices makes a tremendous difference. An alternative to USB storage drives may be cloud storage sites, which tend to be more secure because they provide built-in multi-factor and the software on these sites is typically well-tested, well-protected, and continuously upgraded for security.
Cybersecurity insurance: This insurance is designed to provide protection before, during, and after an attack. Many large insurers have started to offer this insurance. On the preventive side, this insurance provides many valuable resources such as security training and some basic technologies. Forensic and response services are provided during the incident. And notification, communication, and legal expertise are provided after the breach.
Cybersecurity threats are real threats for law firms. Thinking proactively and putting these basic controls in place substantially reduces the risk and enhances the cybersecurity posture of the law firms. Dr. Anand Singh