Law firms have been urged to do more to improve their cyber security measures, as these companies have proven to be tempting targets to criminals, due to the sensitive nature of the data they handle and frequently lax protections.
It was noted in a recent article by Bloomberg that the risks are not only limited to smaller firms with small cyber security budgets. It highlighted research by cyber security company Mandiant that revealed 80 of the US' largest 100 law firms by revenue have fallen victim to hackers since 2011, for a variety of reasons.
For example, the publication noted that in 2012, Washington-based firm Wiley Rein came under attack from hackers linked to the Chinese military, due to a trade dispute it was handling on behalf of a manufacturer of solar panels. Meanwhile, last year, McKenna Long & Aldridge reported the loss of social security numbers and other employee data when one of its vendors was targeted.
One particularly troubling threat that has emerged in the last couple of years is that of 'ransomware', where hackers gain access to a system and then encrypt files, before demanding payment for the decryption key. This could be particularly troublesome to law firms if critical information is rendered unreadable.
The FBI, the US Secret Service and other law enforcement agencies have all issued warnings about the risks facing this sector. They stated that computer files are targets for cyberspies and thieves in China, Russia, and other countries, looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more.
Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm, told Bloomberg the scale of the problems is significant. He said: "If you’re a major law firm, it's safe to say that you've either already been a victim, currently are a victim, or will be a victim."
But despite the dangers, many law firms have not given cyber security the attention it deserves. Companies frequently underestimate their exposure to risk, or assume that the defences they have in place will be sufficient. This leads to an insular approach, where information about new threats is not shared and law firms remain unaware of potential new vulnerabilities.
Indeed, at Encode, our tests have frequently demonstrated that advanced persistent threats will get through law firms' defences - and it will not typically take more than a couple of days to gain full access to a network. Even if a firm's networks detect and prevent the majority of attacks, all it takes is for one to be successful and the entire business will be compromised.
Bloomberg noted that the complacent attitudes shown by many law firms is starting to change, although this is being driven mainly by the demands of clients. For instance, many Wall Street banks, such as Bank of America and Merrill Lynch, will now require detailed explanations of what potential legal partners do to mitigate risk before they will do business with them.
These organisations typically require law firms to fill out questionnaires of up to 20 pages about their threat detection and network security systems, while some clients are even sending their own security auditors into firms for interviews and inspections.
Scott Angelo, chief information officer at law firm K&L Gates, observed: "Firms that are serious about their business are all taking [security] seriously." As such, these enterprises are helping "move the needle" on the importance of strong defences in the legal sector.
He also noted that for the largest businesses, the best protection, while vital, does not come cheap: "If you're not spending seven figures on security, you’re not spending enough," he said.
Protecting critical digital assets is essential for firms in the legal sector. Innovations from Encode, supported by IBM QRadar, can give these firms the protection they need to defend their networks and reassure their clients.