Why Small to Midsized Law Firms Must Protect Themselves Before Defending Others

Cybersecurity and privacy risks are top issues plaguing law firms today. The volume of sensitive data managed by law firms makes them a prime target for cybercriminal activities. Therefore, the absence of a comprehensive data risk management framework exposes organizations in the legal services industry to regulatory penalties as well as cyberattacks, including phishing, data breaches, ransomware, etc. As such, it is imperative for law firms to secure their critical infrastructure and data access points before defending others.

The average law firm heavily depends on new tools and technologies to cope with modern-day work demands. This appeal to automate repetitive tasks and implement the latest technological innovation, without understanding its configurations, has amplified the likelihood of cybersecurity incidents. Additionally, due to the presence of Personally Identifiable Information (PII) on the systems and network of law firms makes them a valuable target by cybercriminals. 

Ransomware is one of such cyberattacks with damaging risk to privacy and data across sectors and industries. According to Safety Detectives, its impact is estimated to reach 20 billion USD by 2021. In a report by Law.com, three small law firms were attacked by Maze Ransomware last year in South Dakota, and the threat actor vowed to publish clients’ data if ransom payments were not established. Unprepared law firms can easily lose clients’ confidential data or experience reputational damages, coupled with a regulatory audits and investigations by federal agencies.

Therefore, small to midsize law firms need to protect themselves by deploying up-to-date processes, procedures, and best practices that are capable of assuring detective, protective, and corrective security countermeasures. These comprehensive countermeasures not only protects clients’ data, they also assure business continuity.

Why Do Law Firms Need To Prioritize Cybersecurity?

First and foremost, the American Bar Association requires law firms to adhere to information security provisions, in accordance with an ethical responsibility as determined by a standing committee stated in the ABA Formal Opinion 477R. Said ethical responsibility applies to the sharing of sensitive client data over the internet, especially as it relates to incident response and disaster recovery procedures.

For most law firms, regardless of its size, a data security breach is capable of wrecking colossal losses, such as reputational damage, regulatory audits and fines, and potential lawsuits from unhappy clients. If improperly handled, these losses could cause a law firm to fold. A notable example was the FTC lawsuit against GMR Transcription Services Inc., which the firm was sued for not vetting its service provider to ensure the security of confidential data.

Understanding The Top Cybersecurity and Privacy Risks To Small and Midsize Law Firms

The first step to understanding cybersecurity and privacy risk is to understand the value of the data under one’s control. Such realization comes with classifying data based on sensitivity levels, such as public, private, confidential, sensitive, etc. Legal practitioners in small to midsize law firms must realize that cyberattacks are real, and they are becoming more sophisticated with the introduction of every new technology.

Although cybersecurity and privacy risks continue to rapidly evolve, it is important that legal practitioners are able to detect malicious activities and know the mitigative steps to resolve it. As recommended by the cybersecurity specialists at Goldsky Security, below are some of the top cybersecurity risks to small and midsize law firms:

• Phishing – Cybercriminals utilize phishing as a social engineering technique to trick targets into clicking on malicious links or downloading malicious attachments. As soon as the threat actor gains access into the desired system, malware is deployed to initiate activities, such as detection of system vulnerabilities; capturing keyboard strokes; activating spyware functions; or even recruiting a system into an army of rogue machines (a botnet).

  Since law firms maintain custody of highly sensitive information that is related to a client’s case, including addresses, names, social security numbers, payment card details, etc., phishing attacks against law firms tend to result in some of the most publicized data compromises in the media.  For instance, Mossack Fonseca lost 11.5 million files in a data breach incident, which exposed the financial dealings of some of the most powerful entities in the world – this incident is famously known as the ‘Panama Papers’ leak.

   

• Supply Chain Attack – A supply chain or value chain attack takes place when an attacker exploits systems or networks,  via vulnerabilities in a provider’s software or database, which houses sensitive data. A supply chain attack usually occurs as a  result of a vendor’s failure to implement proper security countermeasures to assure the confidentiality, integrity, availability, and privacy of clients’ critical data.

  A 2018 survey by Ponemon Institute revealed that 56% of organizations reported that data breaches were caused by a vendor or service provider. Because law firms are major enablers in business and commercial dealings, attackers can track when a client is transferring money and exploit the less secure elements within the value chain, including document signing tools or payment gateway systems.

   

• Ransomware – This is a type of cyberattack, whereby an attacker breaks into a victim’s system and locks-up critical files, unless a ransom is paid for recovery of stolen data – this greatly disrupts business operations. Ransomware attacks have become highly sophisticated in recent times, such that stolen data are now being shared amongst ‘cartel-like’ networks of threat actors.

  An example of the effects of ransomware on law firms was the 2019 Trialwork incident, which caused law firms to reschedule court sessions, due to the unavailability of the case management software. Lawyers were left stranded, as they could not access relevant documents and data.

Cybersecurity and Privacy Risk Mitigation Countermeasures For Small to Midsize Law Firms

While there is no one-size-fit-all approach for law firms to become more resilient against cyber threats and risks, here are some steps that can be taken to protect sensitive data and overall business operations:

• Educate employees by deploying managed phishing simulations to test incident response knowledge.
• Conduct a vulnerability test and establish access control procedures to prevent exposure of confidential information to cyberattack.
• Establish a clear contractual agreement stipulating how suppliers will manage sensitive data.
• Patch and update software and applications. Then, establish an adequate password management policies.
• Consult with a cybersecurity company that specializes on developing formidable cyber defense strategy, backup, and business continuity plans for small to midsize law firms.

Final Thoughts

New technologies will continue to redefine how is done business, and its advantages help to reduce the workload for legal practitioners. For rapidly evolving technologies, such as Cloud Computing, Artificial Intelligence, Internet of Things (IoT), etc, extreme caution must be implemented to ensure that sensitive data is not being leaked to malicious actors. As cybercriminals continue to upgrade their tools to exploit vulnerabilities in less secure systems, law firms must develop the habit of defending its own critical infrastructure by establishing detective, preventive, and corrective control measures before protecting clients.

All in all, for small to midsize law firms that might not have the adequate resources to protect themselves like larger firms must rely on a robust security awareness training program, to help protect themselves before defending others.