Law Firms are the Next Frontier for Hackers says CEO Jeremy Samide


CEO Jeremy Samide sums up the threats to law firms:

Law firms have become prime targets for cyber attacks as they hold many of the secrets to their beloved clients to include big organizations, CEO’s, celebrities and the like. In this cyber cold war, the words “privileged and confidential” are taking on new meanings and becoming more difficult to uphold. Access to unfiltered communications, documents, contracts and signatures to inherently sensitive information is up for grabs and eventually in many cases, up for sale. Ransomware has also become a problem within law firms. Many attorneys still today, believe that if something is stamped “privileged and confidential” it is immune to the bad actors who are constantly finding new subterfuges into law firms wreaking havoc and stealing proprietary information to either exploit, destroy, expose or sell on the dark web.

In many cases, law firms that specialize in patent, trademarks and intellectual property are considered an even greater risk as they are top on the list for many state sponsored hacker groups around the world. We have witnessed companies that have invested hundreds of millions of dollars in research and development, win patents and trademarks only to have the fruits of their labor erode over a short period of time as hackers ransacked their corporate servers as well as the servers of their law firm where most of their patents and trademarks were filed backed by thousands of research documents.

There are viable solutions that can help protect and mitigate the risk of the next cyber attack within law firms. Stealthcare’s managed services, education & training, and threat intelligence can help with all of these.

Law firms being targeted by hackers or hacker groups hasn’t been in the headlines lately, as the banking/financial industry, healthcare industry, and federal government have been. However, they are still targeted by hackers and other cyber threats for many of the same reasons. Law Firms are host to sensitive client data, intellectual property (trade secrets), and yet typically have shockingly weak security.

Due to the aforementioned factors, we believe law firms are the next frontier for hackers. Experts agree that many hackers view law firms as "one-stop shopping" for electronically stored information—accessing both the law firms' information as well as the clients'. And law firms generally have lower security than most of its corporate clients’ Law firms don’t necessarily have the latest firewalls and network security tech. They also don’t have strict cybersecurity regulators like the FDIC for the banking/financial industry, for example.

Law firms are indeed victims of cyber threats, and hackers in particular. However, individual cyberattacks often go unreported, both to authorities and the public. According to Citigroup, “it makes sense that law firms would be attractive targets given that they regularly access and store sensitive client data as part of their day-to-day operations." According to Cisco’s 2015 Annual Security Report, law firms ranked as the “7th highest target for cyber criminals last year…2015 was the first year that the legal industry made the top ten most targeted verticals in Cisco’s report, indicating a nearly 50% year-over-year increase in the likelihood that law firms would be encounter malware attacks."

Law Firms Have a Duty to Protect Client Information;
Those That Don't Will Lose Those Clients

As law firms continue to face cyber threats, and in refusing to upgrade their cyber defenses, the likelihood of experiencing a cyberattack increases. As a result of poor cybersecurity implementations, "law firms will undoubtedly start losing clients as the unregulated ‘business grapevine’ starts spreading the word about sensitive data lost." With the threat of losing clients, it’s critical for law firms to start employing better cyber defenses and protecting their client data. "Specifically, per ABA Model Rule of Professional Conduct 1.6(c), which was recently adopted, ‘ [a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.’ This means that attorneys entrusted with confidential or personal data are the guardians of that data." As clients do business with law firms, they generally assume that law firms have the correct cyber defenses in place to protect their data. If clients find out that these law firms lack the proper security protocols, especially the smaller firms, their client base would diminish, which would ultimately be bad for business.

What are the Cyber Threats to Law Firms?

There are a number of cyber threats that threaten law firms, including hackers and some very sophisticated malware known as ransomware. This ransomware is able to encrypt a victim’s files, rendering them inaccessible, essentially holding the files ransom until payment is made to the cybercriminals. Then there are hackers, always looking to get their hands on whatever data they can. Oftentimes, hackers will try to gain client data, including names, social security numbers, birthdates, and even credit card data. They’ll essentially turn around and sell this in underground markets in the deep web.

It ultimately doesn’t matter how big or small the law firms are. They will get hacked at some point. "Smaller firms are just as much targets as larger firms and it is just as important that they also have cyber security protections in place. Cyber criminals may actually see smaller firms as an easier target because they lack the infrastructure to prevent and respond to a cyberattack." According to the 2015 Legal Technology Survey Report “from the American Bar Association found that 15 percent of firms have been the victims of a breach." Since 2011 “at least 80 of the 100 biggest law firms in the country, by revenue, have been hacked.”

In addition to ransomware and hackers, there are oftentimes additional cyber threats including hardware and software vulnerabilities. The following are some of the flaws found at Mossack Fonseca, the firm that leaked the Panama Papers: “The login portal alone was subject to vulnerability known as DROWN, due to the fact that it allowed connections from servers that use an obsolete version of SSL. Attackers exploiting the DROWN vulnerability would have been able to hack Mossack Fonseca’s CMS in under a minute, using tools that cost less than $500. The CMS, by the way, had not been updated since 2013 at the time of the breach, and contained 25 additional vulnerabilities. Other failures included a webmail system that hadn’t been updated since 2009, a similarly vulnerable WordPress implementation, unencrypted emails, and other vulnerabilities which meant that the individuals who leaked the Panama Papers probably didn’t have a very difficult time getting their hands on sensitive information…”

The International Legal Technology Association (ILTA) study from October 2011 showed some key findings:

  • 86% of firms do not use or require two-factor authentication.
  • 78% of firms do not issue encrypted USB drives.
  • 76% of firms do not automatically encrypt content-based email.
  • 58% of firms do not encrypt laptops.
  • 87% of firms do not use any laptop tracking technology.
  • 61% of firms do not have intrusion detection tools.
  • 64% of firms do not have intrusion prevention tools.

Law Firms Have a History of Being Hacked

Hackers have targeted law firms for nearly a decade. In early 2008, a major New York firm suffered a breach that was traced back to China. In November 2009, there was a growth in spear-phishing attacks, as hackers attempted to break into law firms’ networks. January 2010 saw the law firm King & Spalding, which specializes in corporate espionage, was targeted in yet another hacking campaign stemming from China.

In January 2012, it’s estimated by Mandiant that over 80 of the top 100 highest grossing US-based law firms had suffered a breach of some type the previous year. Law firms started seeing pressure from Wall Street to improve their cybersecurity, with some even refusing to work with firms lacking good cybersecurity or forcing the firms to purchase data breach insurance prior to doing business.

More recently, in January 2015, Ziprick & Cramer were victims of ransomware, where their client data was encrypted on one of their internal servers. In March 2016, the FBI alerts the public that hackers are specifically targeting law firms to gain insider information. A month later, in April 2016, Panamanian Law firm Mossack Fonseca suffers a data breach, with 11.5 million documents in over 2.6 terabytes of data, exposing a worldwide network of shell companies used for tax evasion.

How Can Stealthcare Help Law Firms Prevent Cyber Attacks?

Stealthcare offers a number of solutions to help mitigate the risks cyber threats pose to law firms, listed below.

CYBER RISK AND THREAT ASSESSMENTS

Our professionals can identify threats and vulnerabilities from both internal and external sources and let you know your risk level and appropriate solutions.

MANAGED IT SECURITY PROGRAMS

Stealthcare’s security staff has years of experience in creating and managing all aspects of security for large corporations, small businesses and family offices.

INCIDENT RESPONSE

Stealthcare can provide an organized approach to addressing and managing the aftermath of a security breach or cyberattack.

ENTERPRISE INTEGRATION

Not only can we provide the hardware and software at competitive rates as a value added reseller (VAR) but we also offer our certified, security experts to implement those products and consult on the security, risk mitigation and ongoing strategy within these projects.

What Can Be Done Immediately?

There are other solutions in addition to Stealthcare’s services that can also help mitigate the risks of hackers and other cyber threats:

  1. Recognize Where Sensitive Data is at Risk – Assess Risks and Understand Practical Impacts of a Cyber Attack
  2. Surpass the Traditional Network Security for Data-Centered Approach – Test Organizational Response and Continually Adapt to Changing Circumstances
  3. Focus on Securing the Crown Jewels – Inventory Critical IT Assets
  4. Look into Managed Security Program Options – Ensure Appropriate Documentation and Contract Agreements Are in Place
  5. Provide Positive Social Engineering – Set Standards and Determine Standard of Reasonable Protection

The Bottom Line...

Law firms are targeted just as much as any other industry. However, those particular attacks don’t often make headlines or even get reported. With the various cyber threats in existence, including hackers and ransomware, it’s imperative that law firms use the latest cybersecurity tech. This includes utilizing next-generation firewalls and gateways; spam filtering for malicious email; mutli-platform endpoint security for malware and viruses; robust backup & disaster recovery platforms; and lastly cybersecurity experts to handle what the software and hardware tech cannot.

Stealthcare can help with all these.