With the proliferation of cyber attacks in 2016 and 2017, it is imperative for organisations to keep systems and data safe, and no industry is exempt from this rule. Law firms are the same as any other company when it comes to countering cyber attacks and protecting their most important data. All organisations must have a security program that comports with internationally accepted best practices and standards, irrespective of whether they operate in research and development, conduct and process financial transactions, or practise law.
Take the case of the Panama Papers for example. The Panamanian law firm Mossack Fonseca was hacked in 2016. The incident resulted in the leakage of 2,600GB of data, most of which was attorney-client privileged information and documents dealing with offshore businesses.
According to a study conducted by ALM Legal Intelligence 45% of legal firms do not have a cybersecurity plan even though 98% of law firm respondents believe that the legal industry is increasingly a target for cyber attacks. Moreover, the study shows that most respondents view cybersecurity as an IT issue vs. a business issue, which is alarming.
Hackers have multiple motivations when it comes to attacking law firms, looking to steal data, including:
Confidential communications between clients and attorneys
Employees personal identity
Clients and vendors personal data
Data pertaining to insider deals
Lawsuit pursuance strategy information
Top secret business growth and expansion information
Data pertaining to finances, such as payment cards
So, where should law firms begin on their cybersecurity journey?
a. Incident Response
The roadmap begins with having a solid incident response plan is critical for law firms. A organisation’s ability to respond to an attack on critical systems, such as a network, database or appliance, holds considerably greater importance today more than ever. An attack could be catastrophic for the reputation of law firms and the costs involved.
In the least, an incident response plan specifies the:
Members/titles/contact details of the response team responsible for each of the functions of the plan (management, IT, information security, human resources, compliance, marketing, etc.);
Communication lines in the event of a cyber-attack;
Notification protocols and priorities
Documentation and logging plans in the event of a breach;
Contact list of relevant outside parties such outside digital forensics experts, PR firms and relevant financial firms
b. Security Technology
Policies, procedures and reports on risk management are irrelevant without the appropriate technology to complement a law firm's cybersecurity plan. Event logging capabilities are particularly important for law firms during a cyber-attack response and too often management overlooks logging as a priority. Also, correlation and aggregation tools such as “Security Information and Event Management” (SIEM) tools can make audit logs far more useful for subsequent manual inspection and can be quite helpful in identifying subtle attacks. The easiest way to find out what your organisation needs in order to obtain the best-practice cybersecurity posture is by performing a network health check or a pentest.
c. Penetration Testing
Penetration testing helps analyse the strength of a company's network security using vulnerability exploitation methods. The penetration testing is performed without affecting sensitive data, resulting in a much clearer view of an organisation’s entire security network. Common types of pen testing for law firms should include: an external penetration test or vulnerability scan to assess Internet-facing computers, including firewalls, VPNs and other online gateways; an internal penetration test or vulnerability of a law firm’s internal network, such as desktops, laptops, servers, printers, and other online devices; web application assessments; and social engineering testing to assess the weakest link of a law firm: its employees.
In addition, law firms should conduct unannounced spear-phishing tests. Spear-phishing tests help determine employee resistance to one of the most common methods of remote compromise. The tests also help gauge the risks associated with permissive egress filters, targeted malware, the establishment of remote command and control channels, and the susceptibility to undetected bulk data exfiltration.
d. Patching and Updating
Patching and updating software and systems seems as basic as taking the trash out, right? Yet, so many security breaches occur due to software not being updated on a timely manner. Take the recent WannaCry or Petya attacks as an example. WannaCry alone encrypted the data of more than 100,000 computer systems in 104 countries in May 2017. In the case of the Panama Papers hack, the attack was most likely accomplished via an outdated and unpatched version of Drupal and/or WordPress. No technical solution can be effective if not kept up to date. The number one reason that law firms get compromised is because of a failure to apply patches. When law firms fail to patch their operating systems and software, they are inviting a cyber-attack.
Cybersecurity is not an IT issue. Cybersecurity is a business issue and law firms must realise that cybersecurity risks now actually trump most other business risks. Cyber attacks cause business interruption, are highly costly and most importantly, can severely damage brand reputation. If you are interested in learning how to keep your law firm secure from cyber attacks, get in touch with our experts today and request a free network health check worth €2,500.
[fc id='9' align='left'][/fc]
Find out more