Law firm data security has come under the spotlight in the past couple of weeks following the publication of a number of news reports on hacking incidents at law firms, and most recently, the huge 11.5 million-document 2.6 terabyte data leak at Panamanian law firm Mossack Fonseca. The latest data leak exposed the offshore banking activities of some of the world’s wealthiest individuals, including 70 current and former world leaders.

Why are Cybercriminals Targeting Law Firms?

Cybercriminals are targeting law firms in an attempt to gain access to data on mergers and acquisitions, email accounts are being hacked to obtain details of bank transfers to reroute funds to hackers’ accounts, and attacks are being conducted to gain access to client data on patents and new products. Corporate data is also being stolen and sold on the darknet.

The banks are putting increasing pressure on law firms to do more to protect their networks from attack, while law enforcement authorities are attempting to get law firms to disclose data breaches when they occur. With law firms now under greater scrutiny, clients are likely to demand assurances that modern – not modest – cybersecurity defenses are put in place to protect their confidential data. However, many reports suggest law firm data security is substandard and incapable of preventing cyberattacks.

Cyberattacks on small law firms that have invested relatively little in cybersecurity defenses are perhaps to be expected; however, the computer networks of some of the biggest law firms in the United States have been compromised. Those include high profile firms such as Cravath Swaine & Moore and Weil Gotshal & Manges.

A report in Crain’s Chicago Business indicated 48 of the most prestigious law firms in the United states had been targeted by a Russian hacker operating out of Ukraine. That individual was targeting law firms with a view to trading stolen M&A data. A number of UK law firms have been attacked by hackers who have gained access to email accounts and hijacked bank transfers, netting over $97 million in the past 18 months.

Law Firm Data Security is Substandard and Lags Behind Other Industries

Many law firms do not disclose data breaches so the true extent to which cyberattacks are occurring is difficult to estimate but, based on recent reports, data breaches are far more prevalent than previously thought. The reports suggest that law firm data security measures need to be improved in light of increased efforts by cybercriminals to break through law firms’ defenses.

A report from Citigroup last month suggested digital security measures employed by law firms were less robust than in many other industries, even though law firms are big targets for cybercriminals and government-backed hackers.

The report indicated that law firms faced a high risk of cyberattacks due to the volume of incredibly valuable data they hold; data that could be used for insider trading or could be sold for big bucks on the black market. M&A data and patent applications were said to be the most highly prized information.

Hackers are exploiting a wide range of security flaws in order to gain access to sensitive data; however, one of the main methods used is phishing. Social engineering techniques are used to get individuals in law firms to reveal login credentials to email accounts, to visit malicious websites that download malware, or open infected email attachments that directly install a host of malware on law firms’ networks.

Many of the attacks are conducted by sending out random spam emails, although individuals within law firms are also being targeted with spear phishing emails. Individual employees are researched and targeted with carefully crafted emails to maximize the change of a response.

The emails are written in native English and include investment and legal terminology. FireEye reported they can even contain detailed information about the inner workings of public companies.

How Can Law Firm Data Security be Improved?

  • There are a number of measures that can be employed to reduce the risk of cyberattacks. All staff should receive training to help with the identification of phishing emails and other email scams. This will reduce the risk of individuals accidentally compromising their networks.
  • Patch management policies must be introduced. Patches and software updates need to be implemented promptly.
  • Spam filtering technology should be implemented to reduce the likelihood of phishing emails and malware being delivered to inboxes.
  • The implementation of a web filtering solution can reduce the risk of malware downloads, drive-by attacks, and can block phishing websites from being visited.
  • Anti-virus and anti-malware solutions must be kept up to date and regular scans conducted on networked devices and servers.
  • Outdated software and unsupported operating systems should be retired and replaced with modern, more secure software.
  • Law firms can monitor darknet sites using security solutions to identify when data is being listed for sale.

Unless law firm data security is improved, successful attacks will continue and client and corporate data will be exposed.