The law firm should be the safest place to protect client data. After all, it’s the only place that can assert attorney-client privilege to block the release of confidential information.
But who is protecting the law firm? That’s the 900-pound gorilla in the room.
Law firms are desirable targets for hackers because they have information that hackers want and lower security than many of their corporate clients. A 2015 Citigroup report found that digital security at many law firms lags behind industry standards.
In 2016, Panamanian law and corporate service firm Mossack Fonseca found itself in the center of an international scandal after 11.5 million documents detailing attorney-client and financial information leaked to the public. Mossack Fonseca’s data security was abysmal, with weaknesses ranging from a lack of email encryption to fundamentally insecure network architecture.
In June 2017, the international law firm DLA Piper had no access to email, phones or other data services for three days and had to announce publicly to its clients that it had been hit by ransomware. The firm is still assessing whether client data was actually breached. But what did the outage cost in lost productivity and, more importantly, in reputation?
While large breaches are more publicized, the American Bar Association found in 2015 that security breaches have increased for law firms of all sizes. Yet most firms see these reports and fail to consider themselves at risk.
Odds are, you will not know that you are being targeted until you have been breached. Nor will you see your privileged information as it changes hands on the Dark Web, the cybercriminal back-alley of the internet that ordinary browsers cannot reach; it is accessible only through anonymizing software such as Tor.
These criminals operate anonymously, seeding spam email and preying on unsuspecting users. Their most damaging activity is often not the break-in itself but the brokering of the information it yields.
A hacker might steal usernames and passwords, through anything from direct intrusion to viruses and other malware, with no goal beyond bragging rights. But once the haul is posted to the Dark Web it can be picked up or purchased by more purposeful criminals, who use it to steal from or extort the victims of the original hack.
This is the dirty secret of the internet that the media rarely explains when reporting the latest breach at Yahoo or LinkedIn: attackers count on many of their targets reusing the same username and password across accounts, and replaying stolen credentials against other sites (credential stuffing) is how they cash in. The original hacker may have no interest in your Yahoo mailbox. Instead he, or whoever ends up holding the data, works out where you work and tries the same credentials against your law firm's systems.
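The replay attack described above leaves a recognizable trace in a firm's authentication logs: one source address trying many different accounts in a short time, most of them failing, with the occasional success where a user reused a leaked password. The following is an added example, not code from the original article or from any vendor it mentions; the log format, the sample lines and the detection thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format is an assumption:
one line per login attempt, "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): 198.51.100.7 sprays six different
# accounts within a few seconds, the stuffing pattern, and gets into one of
# them; 203.0.113.5 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2017-06-27T08:00:01Z 203.0.113.5 jsmith FAIL
2017-06-27T08:00:09Z 203.0.113.5 jsmith SUCCESS
2017-06-27T08:01:00Z 198.51.100.7 jsmith FAIL
2017-06-27T08:01:02Z 198.51.100.7 akhan FAIL
2017-06-27T08:01:03Z 198.51.100.7 mlopez FAIL
2017-06-27T08:01:05Z 198.51.100.7 rchen FAIL
2017-06-27T08:01:06Z 198.51.100.7 dpatel SUCCESS
2017-06-27T08:01:08Z 198.51.100.7 tnguyen FAIL
2017-06-27T08:45:00Z 203.0.113.5 jsmith SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set of usernames tried} for every source that attempted
    at least `min_users` distinct accounts inside any `window`-long span.
    A legitimate user rarely touches more than one or two accounts; a
    credential-stuffing tool walks through a whole breach dump."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it is within `window` of ts.
            while ts - events[start][0] > window:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= min_users:
                # Record every account this source touched, not just the window.
                flagged[ip] = {u for _, u in events}
                break
    return flagged


def compromised_accounts(log_text, flagged):
    """Accounts where a flagged source actually logged in: these are the
    password-reuse victims whose credentials must be reset immediately."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "SUCCESS":
            hits.add(user)
    return hits


if __name__ == "__main__":
    flagged = find_stuffing(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: {len(users)} distinct accounts tried -> {sorted(users)}")
    print("successful logins from flagged sources:",
          sorted(compromised_accounts(SAMPLE_LOG, flagged)))
```

The thresholds are deliberately loose so the sample fits on the page; against a real firm's logs the window and the distinct-account count should be tuned to the size of the user base, and successes from a flagged source should trigger a forced password reset, not just an alert.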
Next comes social engineering. The hacker learns enough about you from Facebook or LinkedIn to send an email that appears to link to information you would want. Click that link and you may hand your password to a fake login page or install malware that gives the sender control of your computer.
Ironically, the anonymity technology behind the Dark Web, onion routing, was developed by the U.S. Naval Research Laboratory so that intelligence operatives could communicate anonymously, and it was released to the public precisely because anonymity needs a crowd: if only government operatives used it, their traffic would be trivial to identify.
Illicit Dark Web activity concerns everyone, but professional service firms have more to lose than most: the loss of clients, bad press, the inability to win new business, and the threat of litigation and fines. In recent years, law firms have increasingly been sued over hacks that breached attorney-client privilege.
The ABA found that about a quarter of U.S. law firms with over 100 lawyers experienced some sort of data breach in 2015. It can happen online, through a break-in, or via a lost or stolen device, and it always comes with a cost.
So it's time to change your mindset regarding cybersecurity. Stop being outraged at the neighbor who steals your 50-cent newspaper while chuckling at the spam email flimsily disguised as a UPS delivery notice. Change any password that may have been exposed, and ensure that every employee's username and password are long, hard to guess and never reused on any other site.
IT and cybersecurity firms monitor the Dark Web for client credentials and conduct employee security awareness training in addition to providing unified security management for preventing, detecting, and responding to cyber threats. Investing in unified cybersecurity management may be the best investment you ever make — something hacking victims have already learned the hard way.