Jones Day, a US-based international law firm whose prominent clients included Donald Trump, was hacked in February 2021, resulting in the theft of over 100 gigabytes of data. Meanwhile, in 2020, New York-based law firm, Grubman Shire Meiselas & Sacks, was hacked in what became one of that year’s biggest cyberattacks. The hackers reportedly acquired over 700 gigabytes of data, including information on popstars Madonna and Lady Gaga.
The legal sector isn’t counted among the 10 industries that threat actors target the most. But as the examples above show, cyberattacks do happen to law firms, and when they do, the fallout is usually severe. Law firms are usually the target of these types of attacks:
- Phishing - According to the FBI, phishing was the most common cyberthreat in 2020. This online scam tricks victims into handing over sensitive information. Some phishing scams are also designed to steal money or spread malware.
- Data breach - Many data breaches happen because of hacking attacks, but some occur because of mistakes made by employees. Maybe your staff left their desktop unlocked or they became a victim of a phishing scam. Malicious insiders, such as disgruntled employees looking for retribution, may also steal or compromise your law firm's data.
- Ransomware - This threat, which locks victims’ data or systems until they pay a ransom, is notorious for disrupting businesses in various industries. The aforementioned attack against Grubman Shire Meiselas & Sacks was a ransomware incident, but the perpetrators went further and stole their victim’s data as well.
Why are law firms attractive targets for cybercriminals?
There are three reasons why cybercriminals attack the legal sector:
Law firms handle sensitive data
Even small law firms without A-lister clients can become cyberattack targets simply because of the sheer amount and variety of information they carry. These include clients’ personal details and payment information, which hackers can use to commit identity theft and other crimes, or sell on the dark web. Litigation information, contract details, and trade secrets can also fetch a considerable price when offered to the right buyers.
Law firms are likely to pay up
Many cyberattacks are motivated by money. In fact, the average ransom demanded by ransomware gangs now exceeds $300,000. Still, law firms that suffer a ransomware attack will likely shell out money to save their data, for one important reason.
The American Bar Association’s (ABA) Rule 1.6 obligates lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Inability to perform this responsibility will not only result in penalties, but it can also damage a firm’s reputation and prevent them from securing the trust of current and potential clients. For this reason, many firms would rather pay up and “resolve” the issue as soon as possible than jeopardize their reputation and their clients’ privacy.
Law firms are slow to adopt cybersecurity solutions
Despite the ever-present threat of cyberattacks, many law firms have yet to adopt advanced measures to protect their data from cybercriminals. In fact, the ABA reports that only 44% of law firms encrypt their files, 38% use email encryption, while 22% use disk encryption. What’s more, just 27% of law firms use local backups for their data.
How can law firms protect themselves?
Law firms should take steps to improve their IT systems and cybersecurity. The first such step is to partner with experts who can help them identify vulnerabilities in their systems and get them started on bolstering their cyber defenses. Managed IT services providers (MSPs) like Healthy IT are well suited to these tasks. MSPs can take over managing and protecting a law firm’s IT systems while its lawyers focus on serving clients.
Law firms will also need to upgrade their IT systems and consider implementing more advanced measures like multifactor authentication, encryption, and identity and access management. Developing a data backup and disaster recovery plan will also help them recover their data and resume their business should a security incident occur. Finally, law firms have to train their employees on cybersecurity best practices and proper ways to respond to possible cyberattacks.
Law firms have much to lose in the event of a cyberattack. At Healthy IT, we follow a proactive approach in building your law firm’s defenses, ensuring that your practice and your clients’ information are protected from multiple cyberthreats. Schedule a free consultation today.