March 08, 2018
For years, the FBI has issued warnings that law firm cyber attacks were on the rise.
Law firms are targets because they store so much sensitive data including attorney/client privileged information, government and trade secrets, undisclosed mergers and acquisition data, and other personally identifiable information (PII).
Research has shown that many law firms might be easy targets for cyber attacks too. According to 2017 Law Firm Cyber Security Scorecards by LogicForce, about 66% of law firms had a breach in 2016, and 40% did not even know one occurred. Less than one-third of participating law firms have formal cyber security training programs.
The number one cause of law firm cyber security breaches isn’t technical but mental, according to a LogicForce spokesperson. In an online story, he said there is a lack of deeply ingrained and security-oriented presence of mind in law firms. To change that, implement a culture of security throughout the company, and embed security processes – for example, secure document destruction. Provide on-going training that informs and educates employees on security best practices.
The research also shows that nearly 63% of breaches are linked to third parties, and 80% of firms are not vetting their third-party service providers' data security practices. Put a comprehensive vetting process in place to be sure all service providers have security protocols.
Up to 90% of cyber breaches begin with email phishing scams, according to the 2017 Verizon Data Breach Investigations Report, and 59% of all email deliveries to law firms are classified as phishing/SPAM emails. Phishing scams try to trick the end user into logging into a fraudulent system or downloading malware. Firms should utilize SPAM filtering software, and train all employees on how to spot phishing emails.
While mobile devices allow lawyers to work from anywhere, they can also increase the risk of a data breach. Public Wi-Fi is not secure, and home networks tend to have few protections too. All firms should have a comprehensive Mobile Policy, which limits the data stored on an attorney’s personal device to current projects. Also, enable encryption on all devices.
Many breaches today are committed by insiders seeking revenge or a political goal. The Panama Papers, which refers to the leak of 11.5 million files from massive offshore law firm Mossack Fonseca, is an example – one theory is that a disgruntled IT employee caused the leak. In other insider incidents, attorneys may take data from the practice when they leave for another firm or to start their own. Protect data with strict access controls, and monitor digital activity if an employee is about to leave or is disgruntled.
Computer systems and networks become dated – and increasingly insecure – quite quickly today. Newer machines often have better built-in security. Stay on top of new technology, and replace legacy computers. Be sure to securely dispose of old hard drives.