10 ways law firms can make life difficult for hackers

Everybody is a target of cybercrime, but some are more attractive than others. Law firms rank pretty high on the list because of the sensitivity of the information they handle, and their sometimes very rich and powerful clientele.

In the world of cybercrime, everybody from individuals to nation states is a target – some more attractive than others, of course. Health care organizations have gotten the most headlines recently, and the Internet of Things (IoT) offers an almost unlimited attack surface.

But law firms are attractive too. They hold sensitive, confidential data ranging from the personal (divorce, personal injury) to the professional (contract negotiations, trade secrets, mergers and acquisitions, financial data and more) that, if compromised, could cause catastrophic damage both to the firm and its clients.

The Wall Street Journal reported recently that hackers broke into the networks of two of the nation’s most prestigious firms, Cravath Swaine & Moore and Weil Gotshal & Manges, in 2015. The two “represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations,” the Journal said.

The FBI and Manhattan U.S. Attorney’s office were investigating to see if the hack was aimed at getting information to use for insider trading.

Tom Brown, managing director and global leader of Berkeley Research Group’s Cyber Security/Investigations practice, said law firms are being targeted more, “possibly because hackers are looking to maximize their returns. If successful, they can obtain information on multiple clients through one attack.”



But while high-profile cases like those in New York make national news, many others don’t. Or, if they do, the firms are not always identified. The Cybersecurity Law Review (CSLR) reported recently that four firms in northern Virginia were hit by ransomware attacks late last year. But none of the firms was named.

And few firms are willing to talk publicly about it either. More than a half-dozen attorneys did not respond to a request from CSO to discuss law firm breaches. This, according to the public relations representative of one firm, is due to “sensitivities around the topic.”

Sensitive or not, it is an obvious and growing problem. As the Journal put it, the increase in hacking tools and hackers for hire has made it, “easier for criminals to breach computer networks as a way to further a range of crimes, from insider trading to identity theft.”

Rebecca Hughes Parker, managing editor of The Law Report Group, said the 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, and noted a recent report that a Russian hacker targeted 48 top law firms to access information on mergers and acquisitions.



Peter Zeughauser, chairman of the Zeughauser Group, a consultancy to large law firms, said whether it is alerts from the FBI, concerns expressed by clients or news of hacks, “there is a higher level of concern,” about cyber attacks.

In the case of ransomware, even if the goal is simply to collect money rather than use the confidential data, it is generally very troubling to clients, according to Parker.

“It can cost the firm a great deal of money to handle, and can be costly to its reputation,” she said.

The obvious response to all this is to improve cyber defenses. While no technology is entirely bulletproof, experts have said for years that better “security hygiene” can take organizations out of the “low-hanging-fruit” category.



And while, as Brown put it, “there is no ‘answer-in-a-box,’ since each law firm has its own risk profile,” there are still a number of general principles that will lower any firm’s risk profile. The following recommendations come from Brown, Parker, Zeughauser and a Q&A by CSLR with John Simek, vice president and co-founder of Sensei Enterprises.

1. More/better employee training

As has been said numerous times, people are the weakest link in the security chain. And that weakness is being exploited more effectively by criminals who have become much more sophisticated with phishing emails.

“People are the problem,” Simek told CSLR. “All the technology in the world is not going to prevent an attack.”

Law firms can be particularly vulnerable, since court filings are public record. An attacker can easily get the name of the attorney of record and, using his or her name, send a phishing email with a malicious attachment that purports to be an updated complaint from that attorney.

Yes, training consumes what could otherwise be billable hours, but dealing with ransomware or a major breach is vastly more expensive.

2. Keep backups disconnected from the network and the Internet

With the explosive rise of ransomware, backups should be mandatory. But they will do no good if backup drives are connected to the network, since that will allow malware to infect them as well.

3. Install all patches and updates

Patches do exactly what the name implies – patch a “hole” in the software that is vulnerable to an attack. Virtually all of them are free, so the only thing they cost is attention and time – time very well spent. Failing to patch known vulnerabilities is a bit like leaving the door open and the files unlocked at night.


4. Update software – especially when it is no longer supported

This costs money, which is a major reason many firms don’t do it. The thinking is comparable to keeping an old car – it’s running fine, so there is no good reason to spend money buying a new one.

But that makes sense only as long as the software is supported. After that, it is a bit like continuing to drive the old car when you can no longer get service or parts for it. If the water pump goes, you’re stuck with a much more expensive problem than if you’d upgraded earlier.

And when a system is no longer supported, that means it is no longer patched. It is another version of the leave-the-door-open syndrome.

5. Block executable files, compressed archives and unidentified users

While human failure can always undermine technology, that doesn’t mean tech can’t offer a measure of protection. If “.exe” or zip files are blocked before they reach users’ inboxes, employees can’t click on what they never see.

The network should also be programmed to block any unidentified users from modifying files.
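The attachment blocking described in this item can be sketched as a small mail-gateway check. This is an added example, not code from the article or from any product it mentions; it goes slightly beyond the text by also inspecting the first bytes of each part, so an executable renamed to look like a document is still caught. The function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the article; a real policy would list more (assumption).
BLOCKED_EXTENSIONS = {".exe", ".zip"}
# Leading bytes that identify the same file types even when the name lies.
BLOCKED_MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "zip archive"}


def blocked_parts(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part the gateway should block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or "(unnamed)"
        ext = PurePosixPath(name.lower()).suffix
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
            continue
        for magic, kind in BLOCKED_MAGIC.items():
            if payload.startswith(magic):
                findings.append((name, f"content is a {kind}"))
                break
    return findings


def gateway_decision(raw_message: bytes) -> str:
    """Quarantine the whole message if any part is blocked."""
    return "quarantine" if blocked_parts(raw_message) else "deliver"


def build_sample() -> bytes:
    """Constructed test message: one disguised executable, one PDF, one zip."""
    msg = EmailMessage()
    msg["From"] = "attorney@example.com"
    msg["To"] = "paralegal@example.com"
    msg["Subject"] = "Updated complaint"
    msg.set_content("Please see the updated complaint attached.")
    for name, data in [("complaint.pdf", b"MZ\x90\x00" + bytes(16)),
                       ("exhibit.pdf", b"%PDF-1.4\n"),
                       ("filings.zip", b"PK\x03\x04" + bytes(8))]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_parts(build_sample()), gateway_decision(build_sample()))
```

Quarantining the whole message, rather than stripping the attachment, keeps the original available for later review.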

6. If you use cloud storage, make sure your firm controls the encryption key

Simek said some cloud providers don’t allow users to define the encryption key, “because they fear that if the user forgets (it), their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control,” he said.

7. Make your cybersecurity program meet the needs of potential clients

An increasing number of clients are using security consultants, “to give them a template that they can tailor to their own needs depending on the type of data they have and the size of the firm they are looking at hiring,” Parker said.

Zeughauser said one of the things law firm executives say “keeps them up at night” is the increasing demand for security from clients. “Their clients are telling them, if you don’t do all those things, you’re not going to pass our audit and we’re not going to hire you,” he said, adding that technology is on track to become the second-largest annual expense of law firms, exceeded only by the cost of staff.

“For 60 to 70 years, the second biggest expense has been rent,” he said.

There are standards that will certify a firm’s cybersecurity, including ISO 27001, but Parker said only a few firms have adopted it. That may be in large measure because it is both expensive and time consuming.

But the National Institute of Standards and Technology (NIST) has small business standards that can amount to self-certification, Simek said. It allows firms to, “assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third-party is needed.”

8. Have clear, effective restrictions on remote access and mobile devices

This can be complicated, Parker said, because, “different practice areas at the same firm sometimes can operate as discrete businesses and it can be hard to mitigate cyber risk. Partners also may opt out of certain cybersecurity protocols.”

This is an area where it is crucial to have a CIO or other executive who oversees and enforces data security, privacy and information governance, including remote access and BYOD.

9. Set systems to capture log data, for forensic purposes if a breach occurs

Simek said the biggest problem in responding to a breach is a lack of log data. “Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That’s a killer for the investigations.”

10. Share threat information

According to the Journal, law firms last year formed an information-sharing group to exchange information about cyberthreats and other vulnerabilities. It is modeled after a similar organization for financial institutions.

Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, which oversees the legal group, said 75 firms have joined the group so far.
