Most law firms deal with data breaches after the fact because many law offices are not up to date on cybersecurity. Many will not worry about cybersecurity until it is too late and their system has been breached. A loss of data leaves the law firm exposed to a loss of trust from clients and staff members. Moreover, confidential data held by law firms, once stolen, can lead to identity theft, fraud and other risks.
How can law firms prepare and protect their assets from a data breach? Cybersecurity staff who come in after the fact are not the answer. Instead, consider hiring a hacker before a cybersecurity threat. A dedicated hacker, also known as an ethical hacker, is someone who will test the existing system and work to protect it from outside threats. Ethical hackers spend the day probing your law firm's system for vulnerabilities, testing various ways to get into it, and devising methods to stop and block incoming attempts to breach the system. It takes an ethical hacker to know and identify another hacker.
When hacked, a law firm usually calls cybersecurity experts to identify where the breach originated, possibly find out who mounted the attack, determine what was stolen, destroyed or ransomed, and install ways to prevent another attack.
With computer technology evolving rapidly and many people out hacking for fun or profit, not much hope exists for those who have never been hacked. As former FBI director Robert Mueller once said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
In 2014, New York Ethics Opinion 1019 warned attorneys about cybersecurity threats: “Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks.”
Breaches of a law firm’s computer systems are so prevalent that it is no longer a matter of “if” a firm, large or small, is hacked, but “when.”
Law firms are viewed as being the perfect one-stop shop for usable information that can give hackers leverage into bank accounts, medical records and other sensitive information. The hacker(s) reap untold benefits, leaving behind serious fallout.
Is preventing cyberattacks possible?
Fixing hacked computer systems and beefing up cybersecurity has become an industry of its own. Cybersecurity experts and other specialists respond to law firms facing cybersecurity threats, much like a rapid response team.
However, shutting down a breach is only possible if law firms are aware of what is going on. Unfortunately, many of the more sophisticated data breaches stay buried in the system while attorneys and staff remain unaware.
The biggest threat to law firm security is the ability of hackers to quickly learn how to circumvent the firm's system. It is a cat and mouse game between hackers attempting to enter the system to steal information and law firm security keeping hackers at bay. Jon Washburn, chief information security officer at Stoel Rives LLP, says, “The sophistication and the number of attacks are getting worse.”
As technology evolves, so do hackers. They seem to be able to find ways into even the most protected law firms. To stay abreast, some law firms invest in hiring in-house ethical hackers who can prevent a cyberattack before it happens rather than clean up after.
Cyberattacks are getting more sophisticated
Attackers, or non-ethical hackers, are beginning to diversify their attacks by targeting law firms through their clients and vendors. This involves hacking email inboxes of known vendors, clients and personal contacts. By attacking trusted sources, hackers can send emails or use other phishing tactics to pass through a law firm’s security systems.
It is one thing for law firm staff to have security awareness training for dealing with suspicious e-mails, but if the e-mail's origin is not suspicious, then the firm is at heightened risk for viruses, Trojans, ransomware, fileless malware, adware, malvertising and spyware. The human element is most often the cause of a firm’s system being breached.
While it is true that non-ethical hackers are getting smarter and more sophisticated, the same cannot always be said of law firms and their cybersecurity. The former head of the FBI’s New York cyber branch, Austin Berglas, rates law firm cybersecurity today as “middle of the road.”
Law firms need to balance the need for quick access to data against keeping it safe and secure. Unfortunately, the need to access data quickly and easily wins over security. In other words, there is not much of a “culture of security” in law firms of any size – a term used by Frank Gillman, a Vertex Advisors consultant and former chief information security officer at Lewis Brisbois Bisgaard & Smith LLP, based in Los Angeles, California.
Hope on the horizon
According to a 2019 survey by the International Legal Technology Association (ILTA), there is “some” progress in upping cybersecurity over the last four years for big and small firms. Approximately 68 percent of law firms responding to the survey were conducting phishing tests, up from 38 percent in 2016. The survey also indicated security advances in other areas, such as the adoption of two-factor authentication for external access, which showed a significant increase from 23 percent four years ago to 72 percent currently.
Despite the increase in intentions to take cybersecurity seriously, there is still a long way to go in the legal industry to get up to speed. The legal industry lags behind other industries that are already engaging in a "culture of security."
It is time for law firms to engage in building and upgrading their data security. And one innovative solution is employing ethical hackers to prevent cybersecurity attacks. Law firms should always do their best to stay ahead of the growing risks of cyberattacks and data breaches. Ethical hackers might be the ideal choice to do just that.