Cybersecurity attacks on law firms make the international news cycle with alarming regularity. Who could forget the world’s most extensive data hack (some 2.6 terabytes of information) stolen from the Panama-based law firm Mossack Fonseca back in 2016?
Research from cybersecurity firm RepKnight found 1.2 million email addresses on the Dark Web, all sourced from the UK’s top 500 law firms. Law firms are a prime target because these businesses, both large and small, hold highly sensitive data: financial information, protected witness statements, medical and forensic records, and more. In fact, the mass of data each and every legal professional holds is a veritable gold mine to cyber criminals.
According to a study by PwC, 73% of the UK law firms surveyed experienced a data security incident in 2016, a rise from just 45% in 2014. It is therefore critical that law firms reassure clients that their confidential data stays confidential. Overlooking your security requirements as a 21st-century law firm could sink your business in the blink of an eye.
In this post, we will outline five questions about cybersecurity that your clients may be too scared to ask. We will also give you some tips on how to combat the threats to the best of your law firm’s abilities.
The same PwC survey found that viruses and malware, as well as phishing emails, are amongst the most common cybersecurity threats UK law firms face.
Phishing emails are an attempt to steal confidential information from law clients. With these emails, clients receive a message from what appears to be their lawyer, requesting sensitive data such as bank details. Fraudsters copy a law firm’s logos, letterheads etc., to make the request look genuine – but it isn’t. From here, an online fraudster can steal money, passwords, even the client’s identity. Phishing scammers will also send out an email containing a link to a website. The recipient is asked to sign in to a faked copy of a web platform they may recognise, such as a bar association site. The captured credentials are then used by the scammer to log into the genuine platform and wreak havoc.
Secure website filters, firewalls, and antivirus software can detect viruses and malware to a certain extent. However, in many cases, phishing emails bypass these filters and make it into a lawyer’s inbox regardless. It is therefore vital that law firms and clients are educated on this particular threat, with training on how to spot a scam email that has evaded inbox security protections.
The Link App, as a communication platform, significantly reduces your law firm’s vulnerability to phishing scams as all communications are delivered in a secure channel that is not accessed by scammers. Law firms can sync to their existing case or matter management tools and open a direct Link App channel, bypassing email and messaging services, and instead sending a notification to the user’s smartphone or web portal.
The short answer is “not very secure,” and this is especially true of free email service providers such as Google Mail. Earlier this year, Google received much flak for admitting that users’ private information will continue to be sold to third-party advertisers to improve Google users’ internet experience. From a lawyer’s perspective, therefore, you must ensure that you encrypt all of your email correspondence, and start to migrate to safer platforms, like The Link App. In fact, all of your firm’s devices should use encryption, including smartphones, tablets, desktops and even USB drives.
A tool like the Link App provides you with a secure communications channel. The 256-bit encryption features provide enough security reassurance to allow clients to transfer sensitive information such as e-signatures, case information, bank details and more.
You should also have a strict email retention policy, where client communications are deleted from your servers after an allotted time frame. Remember, the more information you hold, especially as plain-text email data, the more you put your firm at risk in the event of a security breach.
Cloud-based servers are a great way to back up your firm’s information because you can access the files from any device. However, cloud servers are vulnerable to ever more sophisticated data hacks.
For this reason, it is important that law firms use secure local backup channels, as well as servers that store data offsite. Additionally, it is a good idea to regularly test cloud systems for weaknesses with various ‘ethical hacking’ tactics. Previously, many small and medium-sized firms may have relied on single-point-in-time assessments to mitigate risk; however, this is no longer a sufficient method for protecting against the myriad threats.
Regardless of the size of your firm, you need to make sure that you are seeking outside advice on data security, as the ever-evolving threats need monitoring on a full-time basis.
According to Data Privacy Monitor, 37% of data breaches in 2016 were a result of human error.
Aside from falling for phishing scams, information can be stolen by employees within a law firm, or accidentally leaked to outsiders due to an employee’s carelessness. Making cybersecurity part of your company’s culture is vital, and you will need to regularly update your employees on the latest tricks hackers use to steal data. You should also make sure that your firm’s information governance is meticulously planned and executed across all departments.
Limit access to information to just those who need it, and make sure that employees regularly change their passwords. You also need to limit the number of access points and systems holding sensitive law firm data. You can also use your outside information security company to monitor your firm’s online traffic at all times. From the analytic data, security teams can get a real-time picture of your firm’s operations. Any irregular data activity can then be quickly identified and stopped in its tracks.
Monitoring your firm’s digital forensic data will also help you identify the causes of security breaches, and rectify any slip-ups more easily.
The impact of a data security breach may not become apparent until months down the line; you may, for instance, be blackmailed or have your clients’ private information leaked to the press.
Therefore, in the first instance, you will need your cybersecurity team to identify the scale and source of the data leak. You will then need to look to recover your digital files and think about the many ways in which the compromised data could be exploited. Get in touch with government regulators and the clients that were affected by the hack – do not, under any circumstances, let clients find out what happened to your firm on the evening news.
In the recovery stages, you need to learn from your mistakes and find a data security centre that can inspect your traffic, and classify and curtail malicious traffic before it impacts your company again.
The threat of cybercriminals is very real and will only intensify as technology develops over time.
Perpetually update technologies to make sure you address threats as they emerge. Invest in secure and encrypted communication tools, like the Link App, to help your firm stay up-to-date with the latest lawyer/client communication best practices.