This year has seen an escalating series of high-profile ransom-ware attacks impacting businesses in a variety of sectors. After this most recent revelation, however, it would behoove law firms, specifically, to be on high alert for emerging cyber threats.
In a July 2021 disclosure on its website, major national firm Campbell Conroy & O’Neil alerted its clients to a ransomware attack that took place on its systems in February 2021. Having detected unusual activity on their network, the firm brought in third-party forensic investigators to determine the scope of the problem while also alerting the FBI to the situation.
While the investigation hasn’t yet determined exactly what information the hackers accessed, the firm announced that information present in the system included a wealth of personal information: names, dates of birth, driver’s license numbers, Social Security numbers, passport numbers, financial information, medical information, online account credentials, biometric data, and more.
Campbell Conroy & O’Neil’s client list is a who’s who of Fortune 500 companies including Ford, Walgreen’s, Johnson & Johnson, Monsanto, FedEx, Boeing, Quest Diagnostics, Exxon Mobil, and Liberty Mutual. According to the firm’s disclosure, they will be reviewing their existing security policies and procedures, while also offering two years of free access to credit monitoring, fraud consultation, and identity theft restoration services to individuals impacted.
While that’s a considerate notion, the truth of the matter is that the damage has already been done, and it will take more time before the extent of the breach’s impact is fully known.
WHY LAW FIRMS ARE AT HIGHER RISK
Any company can be the target of a ransomware attack—when hackers bring operations to a halt by encrypting files and data, businesses without a backup plan in place may well end up paying the ransom to regain access to critical information.
Law firms, however, are at an increased risk of becoming a target of a cyberattack, due to the very nature of the job.
Because the information on their systems is so sensitive, it is highly valuable to hackers as a commodity as opposed to simply being a bargaining chip for a ransom. Further, law firms are required to keep their clients’ information confidential as a matter of professional ethics. Firms that are negligent in their cybersecurity protocol could expose themselves to legal liability if that negligence results in public exposure of clients’ sensitive information.
Consider the types of information law firms routinely collect in the course of their work; it includes personal information, in addition to confidential corporate information such as tax returns or trade secrets. If just the idea of your clients’ information being seized AND released makes you break into a cold sweat? Then you already understand why law firms make attractive targets for hackers.
And this isn’t just a theoretical scenario.
In May 2020, hackers stole 756 gigabytes of data from Grubman Shire Meiselas & Sacks, then released 2.4 gigabytes of the stolen information on the dark web when their ransom demands weren’t immediately met. To fully meet the expectation that they’ll keep their clients’ information truly confidential, law firms need to prevent these types of data breaches in the first place.
IMPROVE SECURITY BEFORE IT’S TOO LATE
The good news is that law firms possess the ability to protect them-selves; the bad news is that most are failing to do so.
An October 2020 report from the American Bar Association indicated that 29% of law firms experienced a cybersecurity breach of some kind in 2020, while fewer than half of them used advanced security tools such as file encryption or two-factor authentication. The increase in remote work during the pandemic also exposed law firms’ networks to new security vulnerabilities. Firms that don’t act now to improve their security risk being caught in the growing wave of new ransomware attacks.
The strength of your cybersecurity protections should reflect the value of the information you have to protect—and the seriousness of the consequences if you don’t succeed. The best plans include a combination of technological safeguards, employee education on best security practices, and continual vigilance regarding potential new vulnerabilities. A cybersecurity firm like ours can analyze your weaknesses and help you align your personnel, your procedures, and your technology to present the best possible defense against a cyberattack. Investing in prevention just may save you a world of regret.