In the world of cybercrime, everybody from individuals to nation states is a target – some more attractive than others, of course. Health care organizations have gotten the most headlines recently, and the Internet of Things (IoT) offers an almost unlimited attack surface.
But law firms are attractive too. They hold sensitive, confidential data ranging from the personal (divorce, personal injury) to the professional (contract negotiations, trade secrets, mergers and acquisitions, financial data and more) that, if compromised, could cause catastrophic damage both to the firm and its clients.
The Wall Street Journal reported recently that hackers broke into the networks of two of the nation’s most prestigious firms, Cravath Swaine & Moore and Weil Gotshal & Manges, in 2015. The two, “represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations,” the Journal said.
The FBI and Manhattan U.S. Attorney’s office were investigating to see if the hack was aimed at getting information to use for insider trading.
Tom Brown, managing director and global leader of Berkeley Research Group’s Cyber Security/Investigations practice, said law firms are being targeted more, “possibly because hackers are looking to maximize their returns. If successful, they can obtain information on multiple clients through one attack.”
But while high-profile cases like those in New York make national news, many others don’t. Or, if they do, the firms are not always identified. The Cybersecurity Law Review (CSLR) reported recently that four firms in northern Virginia were hit by ransomware attacks late last year. But none of the firms was named.
And few firms are willing to talk publicly about it either. More than half-dozen attorneys did not respond to a request from CSO to discuss law firm breaches. This, according to the public relations representative of one firm, is due to, “sensitivities around the topic.”
Sensitive or not, it is an obvious and growing problem. As the Journal put it, the increase in hacking tools and hackers for hire has made it, “easier for criminals to breach computer networks as a way to further a range of crimes, from insider trading to identity theft.”
Rebecca Hughes Parker, managing editor of The Law Report Group, said the 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, and noted a recent report that a Russian hacker targeted 48 top law firms to access information on mergers and acquisitions.
Peter Zeughauser, chairman of the Zeughauser Group, a consultancy to large law firms, said whether it is alerts from the FBI, concerns expressed by clients or news of hacks, “there is a higher level of concern,” about cyber attacks.
In the case of ransomware, even if the goal is simply to collect money rather than use the confidential data, it is generally very troubling to clients, according to Parker.
“It can cost the firm a great deal of money to handle, and can be costly to its reputation,” she said.
The obvious response to all this is to improve cyber defenses. While no technology is entirely bulletproof, experts have said for years that better “security hygiene” can take organizations out of the “low-hanging-fruit” category.
And while, as Brown put it, “there is no ‘answer-in-a-box,’ since each law firm has its own risk profile,” there are still a number of general principles that will lower any firm’s risk profile. The following recommendations come from Brown, Parker, Zeughauser and a Q&A by CSLR with John Simek, vice president and co-founder of Sensei Enterprises.
1. More/better employee training
As has been said numerous times, people are the weakest link in the security chain. And that weakness is being exploited more effectively by criminals who have become much more sophisticated with phishing emails.
“People are the problem,” Simek told CSLR. “All the technology in the world is not going to prevent an attack.”
Law firms can be particularly vulnerable, since court filings are public record. An attacker can easily get the name of the attorney of record and, using his or her name, send a phishing email with a malicious attachment that purports to be an updated complaint from that attorney.
Yes, training consumes what could otherwise be billable hours, but dealing with ransomware or a major breach is vastly more expensive.
2. Keep backups disconnected from the network and the Internet
With the explosive rise of ransomware, backups should be mandatory. But they will do no good if backup drives are connected to the network, since that will allow malware to infect them as well.
3. Install all patches and updates
Patches do exactly what the name implies – patch a “hole” in the software that is vulnerable to an attack. Virtually all of them are free, so the only thing they cost is attention and time - time very well spent. Failing to patch known vulnerabilities is a bit like leaving the door open and the files unlocked at night.
4. Update software – especially when it is no longer supported
This costs money, which is a major reason many firms don’t do it. The thinking is comparable to keeping an old car – it’s running fine, so there is no good reason to spend money buying a new one.
But that makes sense only as long as the software is supported. After that, it is a bit like continuing to drive the old car when you can no longer get service or parts for it. If the water pump goes, you’re stuck with a much more expensive problem than if you’d upgraded earlier.
And when a system is no longer supported, that means it is no longer patched. It is another version of the leave-the-door-open syndrome.
5. Block executable files, compressed archives and unidentified users
While human failure can always undermine technology, that doesn’t mean tech can’t offer a measure of protection. If “.exe” or zip files are blocked before they reach users’ inboxes, employees can’t click on what they never see.
The network should also be programmed to block any unidentified users from modifying files.
6. If you use cloud storage, make sure your firm controls the encryption key
Simek said some cloud providers don’t allow users to define the encryption key, “because they fear that if the user forgets (it), their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control,” he said.
7. Make your cybersecurity program meet the needs of potential clients
An increasing number of clients are using security consultants, “to give them a template that they can tailor to their own needs depending on the type of data they have and the size of the firm they are looking at hiring,” Parker said.
Zeughauser said one of the things law firm executives say “keeps them up at night” is the increasing demand for security from clients. “Their clients are telling them, if you don’t do all those things, you’re not going to pass our audit and we’re not going to hire you,” he said, adding that technology is on track to become the second-largest annual expense of law firms, exceeded only by the cost of staff.
“For 60 to 70 years, the second biggest expense has been rent,” he said.
There are standards that will certify a firm’s cybersecurity, including the ISO 27001, but Parker said only a few firms have adopted it. That may be in large measure because it is both expensive and time consuming.
But the National Institute of Standards and Technology (NIST) has small business standards that can amount to self-certification, Simek said. It allows firms to, “assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third-party is needed.”
8. Have clear, effective restrictions on remote access and mobile devices
This can be complicated, Parker said, because, “different practice areas at the same firm sometimes can operate as discrete businesses and it can be hard to mitigate cyber risk. Partners also may opt out of certain cybersecurity protocols.”
This is an area where it is crucial to have a CIO or other executive who oversees and enforces data security, privacy and information governance, including remote access and BYOD.
9. Set systems to capture log data, for forensic purposes if a breach occurs
Simek said the biggest problem in responding to a breach is a lack of log data. “Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That’s a killer for the investigations.
10. Share threat information
According to the Journal, law firms last year formed an information-sharing group to exchange information about cyberthreats and other vulnerabilities. It is modeled after a similar organization for financial institutions.
Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, which oversees the legal group, said 75 firms have joined the group so far.