Hacking is becoming a bigger and bigger problem for every industry globally, with cyber attacks in 2017 happening at double the rate of 2016. As sites set up in the early days of the internet become outdated and cybercriminals get quicker at finding gaps in the defences, data breaches are an inevitability. But some companies are a more attractive target than others, and law firms are amongst the hardest hit.
The most infamous example of a data breach at a law firm was the Panama Papers leak. A team of journalists from ICIJ were able to extract more than 11.5 million documents – or 2.6 terabytes of data – a scale never seen before or since. The impact of releasing this information leaked from Mossack Fonseca was also of a mammoth scale: millions of dollars of unpaid taxes were seized from various firms; the Prime Minister of Iceland resigned in disgrace and across 400 companies, $135 billion was lost in value as a result of the damage to reputation. Watching the Panama Papers spectacle unfold on the world stage made it evident to every shocked onlooker: law firms’ files hold the juiciest secrets.
These secrets can take the form of all kinds of valuable information, such as financial records, business contracts, even personal data like social security numbers and addresses. So what do hackers want with this information?
- Business intelligence that they can sell to competitors
- Holding the information for ransom – demanding extortionate fees in return for not releasing the data, which would damage the firm’s reputation and land them with fines from the ICO.
- ‘Hacktivists’ – politically motivated groups or individuals – may want to expose data for ideological reasons. For example, Anonymous exposed emails between HBGary Federal and Hunter Williams in retaliation against their disruption of WikiLeaks.
- Malware can shut down a law firm’s systems, causing expensive and embarrassing down-time. Using this ransomware, hackers can demand vast sums to give back control of the firm’s servers.
Oz Alashe, cyber security expert and CEO of CybSafe explains, “The fallout of a data breach can be roughly divided into two consequences: financial and reputational. Whilst law firms may, of course, be subject to immediate fines from the ICO or other regulatory bodies, firms also suffer long-term reputational damage caused by a data breach. In the legal industry, where client confidentiality is sacrosanct, reputational damage often leaves a longer lasting scar than any fine.”
The threat is severe and the stakes are high, but experts argue that law firms are not doing enough to protect their clients and themselves against cyber attacks. Oz Alashe warns that “Unlike other high cyber risk industries, such as the financial sector, there remains a degree of complacency in law firms across the country as far as cyber security is concerned. Whilst the majority of businesses recognise the importance of stringent cyber security controls, there is an element of ‘it won’t happen to us’ that afflicts some law firms.”
The problem, of course, is that it does happen to them – with alarming frequency. A PwC survey found that in 2015, 62% of law firms have been victims of cyber attacks. In a recent report by Logicforce, every law firm they assessed had been targeted for sensitive information, but 40% didn’t even realise. In fact, figures from the NCSC reveal that only 35% of law firms have a mitigation plan in place in the case of an attack, and according the the American Bar Association, less than 10% of employees know if their firm has security policies in place.
The failures of the law industry’s infosec can be traced to certain cultural traits shared by most law firms. A prevailing view is that data security belongs to the ‘IT department’ rather than being a firm wide responsibility, which makes the industry particularly vulnerable to human error due to a lack of awareness. Phishing attempts are one of the most common means of spreading malware, with AI able to replicate the writing style of clients, friends, family members and senior board members alike. “An astounding 12% of firms claim to be recipients of such attacks on a daily basis,” says Oz. “In a cyber security landscape dominated by human threats, which account for some 75% of data breaches, educating staff and changing their behaviour should be a firm’s number one priority.”
While this is certainly concerning for the clients of law firms, stricter regulation is on its way. When GDPR comes into effect in May this year, this could land law firms with huge fines for failing to take due diligence with their data security or failing to report a breach. Oz has been working with a number of law firms to prepare: “Law firms are data processors (and arguably controllers) and so are acutely affected by the terms of GDPR. Abiding by GDPR legislation means that across the entire firm (including IT, marketing, and business consulting), staff need to be aware of new policies and execution of any changes.
“Education is key, but training needs to be thorough. A tick-box approach to GDPR compliance training will not suffice as the potential impact is too great.”
Slowly but surely, the law industry is beginning to understand the full ramifications of not prioritising their cyber security. Many of the successful cyber attacks are entirely preventable: the Panama Papers could have been avoided if Mossack Fonseca had not failed to update its Outlook Web Access login since 2009 and its client login portal since 2013. According to PwC’s survey, 97% of attacks still target well-known data security weaknesses, showing that a proactive attitude can go a long way towards protecting against hackers and malware.
CybSafe are just one company helping law firms to shore up their cyber defences. “More enlightened firms are addressing the way they improve human cyber risk. The extent often depends on the resources they have available, but law firms are increasingly realising they can’t take this area lightly,” says Oz.
With more importance being placed on data security as an integral part of business continuity and preparedness, we can expect to see a huge investment in infosec within law. Innovation is constantly happening on both sides of the dark web Iron Curtain, and better solutions, such as artificial intelligence, are on the horizon. “AI and machine learning present exciting developments in technology that are already helping to counter cyber security threats,” says Oz. “Law firms are increasingly taking advantage of these advancements in technology in their attempts to better secure their data.”
Law firms, although historically behind the curve when it comes to data security, are waking up to the risks of cyber attacks. Those that wish to keep a reputation for discretion and competence are prioritising staff training, privacy practice reform and software upgrades, and despite there being no such thing as “impenetrable” when it comes to data anymore, it seems there are many in the law industry who are determined to do better.
YUDU Sentinel is an app based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incidents. Crisis managers have immediate access to an independent two-way communication (SMS, voice, email and in app messaging) and can view key documents on mobiles. Sentinel is a cutting edge crisis management tool. Find out more at www.yudu.com/sentinel or contact us on Twitter @YUDUSentinel.