No law firm wants to be the victim of an internal, hostile data breach. However, there have been some high-profile law firms whose internal and client data was hijacked and held for ransom by hackers. Given that most law firms, whether small, medium or large, have at least some information digitized, it is surprising that this does not happen more often.
To add insult to injury, the hackers on the dark web are getting better. They are winning this war. They are better at this than the data security experts.
But your law firm does not have to go down the rabbit hole of a law firm data breach.
The Nightmare That Was DLA Piper
To strike fear in the heart of any law firm that does not think this is a serious threat, one only has to look at the case of the DLA Piper breach in 2017. The 4000+ attorney firm, DLA Piper, is one of the largest, most respected firms in the world. In June of 2017, the firm was effectively shut down worldwide within 20 minutes. Despite the fact that DLA Piper’s cybersecurity team in Britain discovered the threat within 20 minutes, the virus nonetheless disabled the firm’s worldwide telephone system and most of its computer network. When employees came into work they were notified to not turn on any computer anywhere within the firm.
The attack was initiated in DLA Piper’s Ukraine office where an administrator, with administrator privileges, mistakenly clicked on an “update” to accounting software that the Ukraine office used. This “update” was, in fact, a phishing scam that contained malware. The malware, called “NotPetya,” was immediately unleashed and, after initially disguising itself as ransomware, consumed all of DLA Piper’s data. The malware spread throughout the entire DLA Piper worldwide computer network so quickly that it could not be stopped even though the firm’s IT cybersecurity specialists spotted the problem fairly quickly.
It took a week to get the firm’s email servers back online. Think of that for a second. A firm the size of DLA Piper going without access to email for one week is unimaginable. DLA Piper paid over 15,000 hours of overtime to its IT department in attempting to restore the network. However, it took 48 hours of around-the-clock work to find a safe place to start the restoration process. Despite the firm having viable backups of its data, whatever was left on the existing network was deemed unsalvageable, and they had to scrap the whole thing and start over. It took the firm months to become fully operational again at a cost of tens of millions of dollars, not to mention the loss of clients and reputation. DLA Piper was not NotPetya’s only victim that year. Maersk and TNT Express were both hit with NotPetya at a cost to the companies of $378 million and $374 million respectively.
First, Identify That You Have a Problem
If the above story does not scare you into thinking that cybersecurity is a major threat to firms of all sizes, then you are the first problem. The first step is realizing that this is a major threat to all law firms and businesses. Most law firms today do not have robust, modern technology and plans in place to face this threat. A recent study indicated that 69 percent of people polled in the survey believe that their law firm’s hack protection scheme is out of date and vulnerable. Making sure that the firm’s hardware, software and network structure are designed specifically to ward off these attacks should be a major focus of any size firm.
But one of the major vulnerabilities of any firm, whether it be a three-attorney firm with four staff members or a firm that employs 10,000 people, is the employees themselves. Employees are usually the path of least resistance in attempting to breach an otherwise secure system. In DLA Piper’s case, it was an administrator who clicked on an attachment to a phishing email. A recent report indicated that 91 percent of data breaches began as a result of an employee clicking on an attachment from an email that the employee thought was legitimate. These phishing emails have become more and more sophisticated, to the point where it is sometimes difficult to tell the difference between a legitimate email and a fake one.
Plan of Action
A law firm’s data, clients and reputation do not have to be at the mercy of hackers and hijackers. There are several things that can be done. The following are but a few of the most important steps to take:
- Proper Data Storage: First and foremost, have proper data storage and backup. If your firm is attacked successfully, you want to have a proper backup storage plan in place. Further, this backup storage should have a firewall so that even if your system is compromised, the backup data will not be. A law firm must also make sure all of its data is organized so that IT knows where it is. With the advent of cloud computing, clients’ data can be stored in many different locations, making it more difficult to manage and protect. When there are multiple systems that need to be secured, monitored and accessed, it is easier to have a gap that hackers can exploit. Therefore, a law firm should choose one storage method and implement that method firm-wide, with no exceptions.
- Implement Network Segmentation and Apply Firewalls: Network segmentation involves classifying and categorizing data and personnel information into specific groups, and then restricting access to them. Doing this will protect the network in case of a cyber attack. In other words, if one device or sector is compromised, the entire network will not be exploited. But segmenting is just the beginning. In between these segments, robust firewalls, spam filters and anti-virus software need to exist. The stronger and more up to date these tools are, the better the IT team can monitor for threats and remove them as they are detected.
- Implement a Cybersecurity Employee Training Program: An employee does not need to be a vulnerability in the system, but can be an asset. Like any security enterprise, cybersecurity requires teamwork, with all members of the law firm playing a part in identifying potential threats and vulnerabilities and bringing them to the attention of IT professionals. When employees are not involved in cybersecurity, vulnerabilities and threats can go unnoticed and the employees themselves can become conduits through which attacks are executed. Therefore, employees should receive initial and periodic cybersecurity training. Train your employees regularly about past, present and possibly future phishing attempts. Also, the training should include the importance of smart internet browsing practices. Visiting suspicious websites may expose users to malware embedded on the sites. Even legitimate websites, as well as the files on them, may be compromised.
- Develop a Response Plan: Begin by assuming that your law firm will be attacked. With that assumption in mind, develop a comprehensive plan for learning about attacks as quickly as possible. Then, develop a strategy for aggressively defending your system. If there is a breach and data is lost, develop a plan for reconstruction and recovery of data or reintroduction of stored backup data.
- Involve Executives in Cybersecurity: One of the problems with developing a robust cybersecurity plan is that it is often complicated and executives do not truly understand it. However, there is a benefit to involving executives in cybersecurity. The more executives become an important part of the solution to cyber threats, the more the organization will experience a “top-down” sense of the significance of the issue of cybersecurity.
The threat of a law firm data breach is ever-evolving and will never go away. In fact, hackers and hijackers are becoming more sophisticated and more organized. Law firms should develop a preventative and proactive cybersecurity strategy. Only then will your organization survive and thrive.