80 percent of the largest law firms in the United States have experienced a malicious breach.
With cyber attacks increasing, law firms are perhaps the largest target of cyber attacks in 2018. The pressure is on for these firms to properly safeguard their information and protect the attorney-client privilege. As so many businesses close their doors due to the proliferation of malware and data breaches, businesses are starting to realize the importance of proactive cyber defenses. The concern is immediate for organizations of all sizes, across all industries, but law firms have found themselves to be particularly susceptible.
According to a CNA Professional Counsel bulletin, roughly 80 percent of the largest firms in the United States have experienced a malicious breach. Chew on that for a moment – not only were they targeted, but 4 out of 5 were successfully breached!? Even laymen understand that horrendous statistic. In 2016 alone, one security consultancy found that over 10,000 network intrusion attempts were detected per day across a mere 200 law firms. The same study found that 59 percent of all email directed at these law firms was classified as phishing or spam messages resulting in credential theft, ransomware, or “CEO fraud.”
Corporate clients are beginning to take a more active approach to whom they do business with. They want to be reassured that their law firms are hardened against these kinds of attacks. As such, IT security and data management audits are increasingly being treated as prerequisites to doing business.
48% of law firms had their data security practices audited by at least one corporate client in the past year.
"These corporate audits will continue to increase in volume and complexity, leaving law firms with no choice but to comply or lose business. This bears a stark resemblance to the way law firms begrudgingly complied with the corporate demand for alternative fee arrangements, which are now the industry norm."
Firms of all sizes are experiencing more cyber attacks, and the costs associated with those attacks are rising. Furthermore, law firms are attacked from many angles and with many different types of attacks. In a study Augury IT conducted in 2016, each US-based public IP address was hit with a rogue request or intrusion attempt every 2.4 seconds. That amounts to over 13 million per year. And these are indiscriminate attacks that everyone gets hit with. Add the directed attacks on law firms and the picture becomes clearer – negligence is malpractice.
The three primary reasons may seem obvious but the details could surprise you:
The NotPetya attack on global firm DLA Piper made headlines around the world last summer when it crippled the firm’s Washington, DC office and put roughly 3,600 attorneys and support staff across 40 countries on lock-down. The incident and related recovery efforts lasted several weeks, during which time telephone service, email, and other vital systems were all affected. In total, it was estimated the attack cost the firm many millions in downtime, lost business, and bad publicity.
While the headlines tend to focus on attacks on big firms, that is not to say attacks on smaller firms are not happening, only that they go underreported. Last year's attack on Moses Afonso Ryan, a 10-attorney firm in Rhode Island, is a good example that helped shed light on the amount of damage and disruption malware can trigger inside small practices. It, too, garnered news coverage, but only after the firm sued its insurance company for failing to pay its claim for lost business.
Hit with ransomware, the firm had trouble acquiring the cryptocurrency required to pay the ransom. When they finally paid the $25,000 ransom, it was after the deadline imposed by the attackers, and their files remained encrypted. The incident left all 10 attorneys at the firm unable to bill a single hour for three months, resulting in $700,000 in lost business.
PS: Paying the ransom should never be an option. It bankrolls the attacker's operation for months to come, and they still own your network and sell your data (including credentials and passwords) on the black market.
A recent study from the Ponemon Institute estimates the average cost of a successful malware attack has reached $5 million. But the reality is, most law firms have no idea what such an event might cost. Nearly three-fourths of firms have not assessed the potential cost of an internal data breach and 62% have not even estimated lost revenue.
Ponemon Institute has also pegged the cost of a breach at $141 per record. With California’s recent Consumer Privacy Act, the penalties, alone, could amount to up to $750 per record. Considering that even a small firm might have thousands of data records, it’s easy to see how the cost can escalate quickly. That's not to mention the fact that downtime caused by malware incidents equates directly to lost productivity and revenue.
In addition, reputation damage can be substantial. Just ask the Panamanian firm Mossack Fonseca, whose involvement in the now-famous Panama Papers leak “resulted in unwelcome publicity to the firm and its international clients, whom the Panamanian lawyers had apparently helped set up offshore entities to evade their respective countries’ income taxes on eye-popping wealth,” according to a Law.com report.
However, firms don’t even need to experience a breach to suffer damages. A class action suit against the Chicago firm Johnson & Bell alleges that the firm committed malpractice by failing to maintain adequate cybersecurity standards. According to the federal complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorney’s fees without providing industry standard protection for client confidentiality.” The suit alleges class representatives were damaged by the risk that their information could be compromised, pointing out that no information was actually compromised.
With mounting evidence pointing toward the growing risk, it's imperative for law firms to move quickly to step up their defenses. "Law firms can only expect to be held to an increasingly higher standard of data security if they want to continue to do business with their existing, as well as prospective, corporate clients in the future."
The good news is there are several clear, practical steps firms can take that can yield immediate results:
Establish formal policies: Cybersecurity policies, incident response plans, and disaster recovery procedures can expedite your recovery in the case of an event. Establishing these policies is critical for creating a foundation which you can build on through execution, training, auditing and more.
Make cybersecurity training mandatory for employees: Fewer than a third of firms have mandatory training for employees. This is low-hanging fruit. Your employees are a crucial line of defense against the most successful directed attack vectors – social engineering and spear phishing. There is no reason not to train your teams to work smarter and be on the lookout for scammers.
Conduct port scans to see what is exposed: Email may be the most common way attackers get malware onto victim systems, but there is another well-worn path that arguably gives attackers even easier access: scanning the Internet for systems with open ports exposing Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), or other remote administration services, and hijacking those services to reach victim servers. IT teams should use scanning tools such as Nmap, masscan, and Shodan to check whether any of these services are exposed on their own networks. Attackers are already doing so, so it is well worth taking a few minutes to see your network through their eyes.
Tap into available resources: The American Bar Association offers a comprehensive cybersecurity guide for law firms, which includes both prevention and response tactics.
Anyone reading this article will recognize some of the defenses above. No single one of them is enough to consider your firm secure, but layered together they provide redundancy across your security landscape, and it becomes clear how large portions of the overall attack surface can be mitigated.
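To make the port-scan step concrete, here is an added example (not from the original article or from Augury IT) of how an IT team can triage its own external Nmap scan: it parses Nmap's grepable (-oG) output for the firm's public address range and flags remote administration services (RDP, VNC, SSH, Telnet, WinRM) that are reachable from the Internet. The nmap command in the comment, the port list, and the sample scan output are assumptions constructed for illustration; 203.0.113.0/24 is a documentation range, not a real network.

```python
"""
Triage an Nmap grepable (-oG) scan of a law firm's own public address range
and report remote administration services that are open to the Internet.

Assumed workflow (example only): from outside the firm's network, run
    nmap -sS -p 22,23,443,3389,5900-5910,5985,5986 -oG external.gnmap 203.0.113.0/28
then run this script with external.gnmap as its argument. Without an
argument it analyses the constructed sample below.
"""
import re
import sys

# Ports that should not normally be reachable from the Internet on a firm's
# perimeter. Names are the conventional service names for each port.
REMOTE_ADMIN_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP (Remote Desktop Protocol)",
    5900: "VNC",
    5901: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed sample of Nmap's grepable output. Each "Ports:" field lists
# entries as port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -p 22,23,443,3389,5900-5910,5985,5986 -oG external.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, 5900/closed/tcp//vnc///\tIgnored State: filtered (10)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 5901/open/tcp//vnc-1///\tIgnored State: filtered (12)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 22/filtered/tcp//ssh///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (11)
# Nmap done
"""

# port / state / protocol / (owner, empty) / service
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, state, service), ...]} for TCP ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])  # hosts with only a Status line are kept too
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    if proto == "tcp":
                        hosts[host].append((int(port), state, service))
    return hosts


def exposed_admin_services(hosts):
    """List (host, port, service_name) for open remote-administration ports."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, state, _service in ports:
            if state == "open" and port in REMOTE_ADMIN_PORTS:
                findings.append((host, port, REMOTE_ADMIN_PORTS[port]))
    return findings


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GNMAP
    hosts = parse_gnmap(text)
    findings = exposed_admin_services(hosts)
    print(f"Scanned {len(hosts)} host(s); {len(findings)} exposed admin service(s)")
    for host, port, name in findings:
        print(f"  {host}:{port}  {name}  -> restrict to VPN or close at the firewall")


if __name__ == "__main__":
    main()
```

On the sample data the script reports SSH and RDP open on 203.0.113.10 and VNC open on 203.0.113.11; the filtered ports on 203.0.113.12 are correctly left out. Running the same scan after each firewall change turns this into a cheap recurring check rather than a one-off.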
The surefire way to protect your practice, clients, and livelihood would be to contract talent whose core competency is to safeguard your data. You can start today with a brief cyber security / risk assessment at no cost to you. Contact us at [email protected]