Cybercrime has increased substantially in recent years, causing immense harm to businesses and key services. Cyber security breaches cost billions of pounds and are responsible for 50% of all crimes in the UK. Attacks carried out by cybercriminals for personal gain have become increasingly complex, with threats coming from both domestic and foreign criminal organisations.
Just last year, it emerged that a third-party provider of file transfer software used by the international law firm Jones Day had been hacked, leading to the theft of 100 terabytes of data, some of which turned up on the dark web.
According to research, the top 200 law firms in the UK have “major unresolved cyber risks”, meaning 81% of them may have been exposed to at least one notable vulnerability. Even worse, the rapid digital transition that followed the pandemic has widened gaps in information security and increased the potential for cyberattacks. As businesses go digital, cyber crime does too.
Why are law firms so vulnerable to cyber attacks?
The legal industry is clearly susceptible to cyber-attacks because lawyers routinely handle large volumes of sensitive data from multiple parties. Most law firms are managed by lawyers who have little or no experience with cybersecurity, or even with security best practices as a starting point. Even where a more complex management structure is in place, the attorney retains sole discretion over cybersecurity-related matters. These are lawyers without the necessary cybersecurity knowledge, who lack the spare time to work out how to build a strong security posture from scratch. Given these circumstances, it should come as no surprise that law firms get hacked.
Because of the potential for financial gain, law firms that specialise in corporate or property law are particularly exposed. Smaller law firms are also seen as easy prey. A recent hack to make headlines demonstrates why a law firm is a desirable target for threat actors. Following a ransomware attack in February 2021, Campbell Conroy & O’Neil, a US law firm that “counsels dozens of Fortune 500 and Global 500 corporations”, announced a data breach. The names, dates of birth, Social Security numbers, passport numbers, payment card numbers, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords) of some individuals were accessible to the attackers.
Additionally, law firms have access to personnel data from their corporate clients, including financial and medical information as well as other details that hackers may find valuable. Numerous legal safeguards, such as HIPAA and a plethora of state privacy and consumer protection laws, are in place to protect this information. With this knowledge, a competitor could outmanoeuvre a rival, or a hacker could extort a person halfway around the world. Hackers view lawyers as a back door to their corporate clients’ most important data.
To paint the picture, let’s take a look at some of the most significant breaches on record.
According to a 2020 American Bar Association report, law firms reported security breaches in 29% of cases and malware infections in 36% of cases. Only 43% of respondents use file encryption, 39% use email encryption, and 26% use whole-disk (full-disk) encryption.
The first serious attack on a law practice to raise concerns about what might come next was the DLA Piper attack in 2017. The firm suffered a ransomware attack, by malware known as NotPetya, that first hit its Ukrainian operations while its payroll software was being upgraded. The company said the malware spread so swiftly because of its “flat network structure”. A continual stream of attacks followed, with both the tactics and the cybercriminals developing rapidly. If you still hold the belief that “my company won’t be affected; only Fortune 500 businesses are at risk”, you are gravely mistaken.
Consider the security incidents at a number of renowned law firms. In May 2020, a ransomware attack by the cybercriminal outfit REvil exposed the famous law firm Grubman Shire Meiselas & Sacks. This kind of malicious software (malware) prevents users from accessing particular files or systems until the cybercriminal is paid. During this attack, REvil grabbed 756 terabytes of private client data, leaking Lady Gaga’s files as evidence and auctioning Usher’s and Bruce Springsteen’s legal papers on the dark web. Another significant breach to note: Fragomen, Del Rey, Bernsen & Loewy announced in September 2020 that it had suffered a data breach. The firm had a close relationship with Google, and the personal information of both current and former Google employees was compromised.
Some of the methods used to attack law firms
The fundamental steps for breaking into an organisation are rather straightforward. The hacker first chooses between social engineering and “bad code” such as a virus, Trojan, or other malware to infiltrate systems and networks. After that, they decide who to attack.
Malware, a semi-automated means of gaining access to information, accounts for the majority of harmful programs today. On black markets and message forums, fully functional code samples can be purchased for hundreds of dollars. The companies that produce malware sometimes employ hundreds of people, and some even run a help desk that offers support. In a malware attack, hackers infect a server or computer with a piece of harmful code that then sends emails, files, or passwords back to the attackers’ system.
Social engineering uses a completely different strategy from standard malware attacks on systems to obtain information. Employees and partners of law firms that fall victim to social engineering unintentionally divulge crucial information that can be used to unlock data. Access to crucial systems can frequently be gained more quickly through social engineering. However, not every exploit is the result of an unaware person merely clicking a link. Sometimes all it takes to compromise a system is opening an email containing maliciously encoded graphics, which has happened to law firms. The average cost of a data breach, according to a 2020 IBM study, is $3.86 million, and it takes about 280 days on average to find and stop a breach.
Unexpectedly, employees can be attacked without taking any explicit action, and they then find themselves in a situation where existing security measures, including antivirus software, are ineffective. Simply having a presence on any social media platform is enough for a law firm, or any of its employees, to become the target of an attack.
What can be done to protect firms?
As more and more examples of double-extortion ransomware attacks and other cyberattacks make the news, the threat to law firms is real and growing. The legal sector will continue to be a target as long as these targeted attack strategies are effective and profitable, so this challenge isn’t going away anytime soon.
Particularly when law firms manage and keep sensitive data as part of their everyday operations, cybersecurity is neither one-size-fits-all nor a one-and-done activity. An effective approach entails constant monitoring to determine whether an attack is taking place and to resume operations as soon as feasible, as well as updating internal procedures, training, systems, and other components to defend against contemporary threats. It is challenging to make lasting progress in protecting the legal industry, and numerous organisations have recently suffered severe monetary and reputational losses because of this.
To improve firms’ day-to-day operations and the communications between lawyer and client, firms can also use secure communication platforms. Lawyers have an ethical responsibility to protect client privacy, so maintaining client confidentiality has long been a key concern for them. This makes it even more important for lawyers to ensure that confidential client data is protected when communicating electronically. By securing your firm’s communications you are not only protecting your firm but also ensuring that your clients get the updates they need anywhere, at any time, in a secure way, giving both parties peace of mind.
Law firms need to take cybersecurity more seriously as the legal sector becomes more digital. The legal community has long needed to acknowledge the dangers posed by cybercrime. Therefore, greater effort is required to ensure that potential dangers are addressed, given the profession’s accelerated shift to the digital world.
Lawyers can prevent disastrous consequences by taking a proactive approach to cybersecurity and taking into account some of the steps above. It is imperative that we deepen our awareness of the various attack patterns. If legal professionals take action, they can reduce security concerns, mitigate damage, and recover systems quickly simply by being more aware of the potential hazards their firm may encounter in the near future.
About Salt Communications
Salt Communications is a multi-award-winning cyber security company providing a fully enterprise-managed software solution that gives absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest security standards. Salt Communications offers ‘Peace of Mind’ for organisations that value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. Salt Communications is headquartered in Belfast, N. Ireland; for more information visit Salt Communications.