Security Breaches Trending Ever Higher at Law Firms: Cybersecurity and the Actual Threats Firm See Today

Hacker typing on a laptop

Security is the number one anxiety for law firm management. After visiting with numerous law firms spanning the East coast over the past month, the anecdotal evidence is rich. These independent accounts from large- and medium-sized law firms alike reaffirm the data presented in the recently released American Bar Association’s 2015 Legal Technology Survey. Cybersecurity occupies a significant portion of firms’ time and creates many sleepless nights.

While law firms clamp down on every possible aspect of the business that can be affected, increasingly this is becoming a monumental task. The points of network compromise are many and the attack forms are varied. Alas, a single successful breach of a firm’s walled garden can be devastating. As the Legal Tech Survey outlines, the nefarious do not discriminate based on the size of the firm. As identified by the chart below, most types of firms experienced an increase in breaches from last year to this year.

Cited: ABA Legal Tech Survey.

Breach Themes

Two main types of breaches seem to be on the rise. The first is a variant on what most of us have experienced. Phishing attacks are a sloppy or poorly written email asking you to click on a link to a random bank perhaps called “United States Bank” in order to change your password. Clearly this was an unsophisticated attempt to gather your credentials. This has evolved many-fold recently. Now law firms are witnessing real pinpointed threats via spear-phishing attacks. In this scenario, a partner at your firm is targeted. The thief completes research from simple online searches; the firm the partner works for (Mayberry Law), their practice area (Automotive), perhaps cases they work on (Gomer Pyle v Barny Barney Fife), location (Mt Airy, NC) personal interests (baking pies) and perhaps outside activities (playing the guitar at the community center). With all of this data gathered someone can craft a directed email for your partner. For example:

“Hi Mr. Taylor,

My wife and I saw you playing your guitar the other night at the community center. Your folksy rifts were the bees’ knees! So we also ran into your Aunt Bee down at Gomer’s gas station and we wanted to ask if you could help out with a bake sale that we are having soon for Opie’s school. Please be so kind as to check out the fundraiser we are having located here” Thanks! Otis Campbell”

The sense almost any logical individual would surmise from this email — even if they may not recognize the name of the person or clearly remember the events around it — is that they must know the person. As a result, the likelihood of a partner or anyone else clicking on the malicious link is exceedingly high. This came up with each firm with whom I spoke as a tactic they are encountering which turns out to be a very effective way to compromise a network.

The other threat law firms are encountering is ransomware. In this scenario someone at the firm clicks on a malicious link and it executes code on their machine. That code first encrypts their hard drive and then begins to do the same across the network. This means you lose all access to your machine to do anything. The hacker then delivers popup messages freeing up those locked down hard drives for a fee. The two avenues to recover; erase the drive and restore from a backup or pay that fee to the hacker via Bitcoin. In my conversations I have heard this happen to a few organizations which unfortunately had not sufficiently backed up their drives. Thus they unfortunately had to pony up $10,000 or so to restore their data.

As the ABA’s Legal Tech Survey data cites, there is little question that breaches are rising. As a result, cyber insurance policies are garnering more attention to assist on the back-end of these attacks. Nonetheless, the continued focus remains on keeping the bad guys out. Most CIOs I have spoken with continue to focus on each aspect of the famed trifecta: the people, process and technology of cybersecurity. The heavy emphasis is on their people, assuring they do the right things; e.g. not clicking on malicious links. The other main thrust of three is the technology facet, assuring that each firm ramps up the deep-level monitoring of their own networks. There seems to be little doubt the industry is still combating a force that continues to gain strength while law firms spend increasingly more resources to keep their own and their clients’ data safe.

Advertisements
About Joseph Raczynski (92 Articles)
Joseph Raczynski Legal Technologist/Futurist Joseph is an innovator and early adopter of all things computer related.  His primary bent is around the future of law and legal technology. He also focuses on several fields including machine learning, mobile, security, cryptocurrency, and robotics (drone technology). Joseph founded wapUcom, LLP, consulting with companies in web and wireless development.  As a side project DC WiFi was created to help create a web of open wireless WiFi access points across cities and educate people about wireless security. Currently he is with Thomson Reuters Legal managing a team of Technical Client Managers for both the Large Law and Government divisions.  Joseph serves the top law firms in the world consulting on legal trends and customizing Thomson Reuters legal technology solutions for enhanced workflows. He graduated from Providence College with a BA in Economics and Sociology and holds a Masters in eCommerce and MBA from the University of Maryland, University College. You can connect with Joseph at JoeTechnologist.com or JosephRaczynski.com or @joerazz

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: