In the spring of 2020, the New York-based entertainment law firm Grubman Shire Meiselas & Sacks fell victim to one of the more high-profile cyberattacks in recent years. The firm represented celebrities such as Bruce Springsteen and Madonna, and it lost hundreds of gigabytes of data to the ransomware group REvil. The attackers offered the data to bidders online, seeking more than $42 million.
Another ransomware group, Maze, attacked Warting, a law firm in Texas, and published a full dump of its data after demanding more than $1 million for its return.
These are just two examples of recent cyberattacks that illustrate the significant risks law firms across the country face today. Cyberattacks aren’t limited to large organizations with vast stores of data; they can also happen to small firms with a small roster of local clients. What matters to attackers is not the amount of data, although that does factor into the equation, but how much the victim will pay to get it back.
Most law firms understand the need for cybersecurity, but for clarity’s sake, let’s break down what cybersecurity is and how it applies to your industry.
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. Cybersecurity covers a variety of contexts, from business to mobile computing, and protects organizations from attacks and non-malicious mistakes or accidents that can happen in the workplace.
Law firms are quickly becoming prime targets. Why? Many firms store large amounts of highly confidential data. To cybercriminals, data is a tangible, valuable asset that can be sold or held for ransom. You can also be at risk if cybercriminals target your client. In this case, you are a means to an end. If you have weak cybersecurity, it gives attackers an access point. When your firm is a secondary target, your environment is used as a beachhead to launch another attack. As a result, law firms need to think of data protection as a strategic requirement.
What data is at risk
Take a moment to consider the kind of data your firm collects:
- Personal information
- Financial information
- Healthcare information
- Merger & acquisition data
- Contract data
- Trade secrets
- Trademarks & patents
- Other attorney-client privileged information
These are all highly valuable assets to an attacker. What’s more, given the changes in the typical workplace under COVID-19, attackers are ramping up their efforts to compromise your data and networks using timely techniques, including phishing scams based on pandemic alerts and lures built around current news. In fact, the FBI Internet Crime Complaint Center has seen thousands of COVID-related attacks on businesses across the country, some of which, when the target was a healthcare organization or medical agency, have even been linked to patient deaths. Just as you would do your best to protect your essential firm and client information in the physical world, you must do your best to protect it in the digital world.
To do this, many organizations rely on the castle model. The castle model builds barriers around assets and keeps them under lock and key, on the assumption that whatever is inside the perimeter can be trusted. However, since the shape of the modern work environment has shifted, the castle model is under more pressure to secure greater amounts of data that is accessed from multiple endpoints operating in various locations, and the perimeter itself is harder to define. Telecommuting, mobile devices and social media all represent potential access points for attackers. On top of that, it is difficult to enforce security policies, use remote management tools and educate staff under these conditions.
That makes a recent survey conducted by the American Bar Association (ABA) all the more concerning. In its 2020 Legal Technology Survey Report, the ABA found that:
- Fewer than 50% of respondents use multi-factor authentication
- 43% use file encryption
- 39% use intrusion prevention
- 29% use intrusion detection
- 29% use remote device management with remote wiping capabilities
- 26% use web filtering
- 36% experienced a malware infection
- 29% experienced a security breach of some kind
Until these percentages change, law firms will remain targets for cybercriminals. As a result, your data – and your clients’ data – is at serious risk.
Ensuring a Strong Posture
The first phase of ensuring a strong security posture is to secure the human. Securing the human means increasing education and training, enforcing policies and controlling user access. It improves situational awareness through best practices and simulation exercises. It helps individuals recognize internal and external risk factors while building security buy-in, so that improving the firm’s overall security maturity becomes a personal goal.
The second phase requires law firms to take action through effective security policies, technology and strategy. These include:
- Implementing data encryption & multi-factor authentication
- Deploying an application whitelisting solution
- Maintaining an Incident Response Plan
- Performing simulated phishing
- Updating policies to include telecommuting
- Understanding that an attack can happen to your firm (not just the one down the street)
- Approaching cybersecurity as a legitimate business risk
When you implement these steps, your firm improves its security maturity and is far better placed to protect its data from would-be attackers.
To get started, contact InfoSystems for a security consultation. We offer comprehensive cybersecurity solutions designed to keep your firm’s data safe including:
- Risk assessment
- Vendor risk assessment
- Cloud services assessment
- Compliance-based assessments
- Penetration testing
- Simulated phishing testing
- Cybersecurity training
- Social engineering testing
- Simulated incident & DR testing
InfoSystems will take the time to learn about your firm’s needs and provide answers to your most pressing security concerns.