While cyberattacks are increasing, many experts see them as mainly preventable by simply adopting a ‘zero trust’ policy.
The vast majority (84 percent) of law firms have increased their IT budgets in response to last year’s boom in remote workforces, according to a recent report from Georgetown University. The new demands of managing a remote workforce have seen law firms adjust their budgets to implement new technologies and platforms to make the transition smoother. However, these same solutions can result in an increased risk to their cybersecurity.
Along with face masks, social distancing and Zoom meetings, the pandemic also brought with it a surge in cyberattacks. Cybercriminals saw the trend of remote workforces as an opportunity to exploit the new challenges that many businesses started to face. In fact, the FBI reported a 500% increase in cyberattacks since the start of the pandemic. That same report detailed that most attacks were targeted at SMBs, a category that most law firms fall under.
Law firms Goodwin Procter and Jones Day experienced recent data breaches in the form of an attack on their file transfer system — one that is used by a majority of legal professionals to share sensitive documents. The cybercriminals targeted this system for access to sensitive data, such as financial information, that can then be sold on the dark web or used to extort a company or individual.
The Coveware Q1 2021 Ransomware Report showed that the average ransomware ransom payment increased 43 percent from $154,108 in Q4 2020 to $220,000 in Q1 2021, and last year a new record was set for the highest ransomware demand when cybercriminals requested $30 million. While these amounts are substantial, the real damage for law firms is the data. Law firms’ value is in their records and confidential information, a ransomware attack can cause major reputational damage.
Even with the financial and reputational threat, many common business practices carried out by law firms continue to make them digital playgrounds for cybercriminals. These business practices leave law firms exposed and welcome avoidable risks to their client’s sensitive data. The four main areas that law firms are most vulnerable and can be corrected are:
- Third-party products
- Sensitive emails
- Vulnerable devices
While utilizing a solution offered by an external provider reduces the stress of maintenance, it can cause some security risks that would be out of your control. Goodwin Procter and Jones Day fell victim to cyberattacks due to a third-party technology created by Accellion. The file transfer system created and managed by Accellion is commonly used by the legal and financial industries, and became the target of a software supply chain hack — this is when hackers manipulate the code in third-party software components which then comprises the internal applications of the companies that use them. This type of cyberattack has become increasingly more common, Microsoft’s Exchange Server recently experienced one of these attacks, which potentially affected more than 30,000 organizations.
These types of attacks are difficult to prepare for as most law firms have limited visibility to third-party vendors’ cybersecurity systems, but there is a way to rectify this. Law firms’ IT teams need to start asking difficult questions to their vendors. These questions should aim to inform the IT team as to whether the vendor provides end-to-end encryption of data — ensuring that sensitive data is secured in transit between a server and a user. It is also important for the IT team to discover which jurisdiction the data will be housed in, as well as if the data will pass through servers located in other states or countries as the laws and regulations surrounding data vary significantly.
Many times, legal and financial professionals send sensitive documents as email attachments; emails are not a secure form of communication. Many email providers such as Google and Microsoft use HTTPS which only provides a basic level of security. It is a walk in the park for most cybercriminals to intercept emails, read the content and download any attachments. This can be achieved by gaining access to emails as they travel from server to server or by scanning an unsecured WiFi network. Even some simple mistakes such as accidentally sending an email to the wrong person can be considered a data breach depending on the state.
Encrypting emails is the recommended method to keep the information secure. There are a plethora of services readily available to encrypt emails, and while many require some extra steps such as downloading an app to access the email, it is worth the effort.
Phishing scams are a form of social engineering that plays on the human error factor of companies. Social engineering tactics aim to get people to divulge confidential information or carry out acts that give access to sensitive data through psychological manipulation, i.e. emailing as the IRS to excite fear and panic. Human errors make up a large percentage of the reasons behind cyberattacks. Phishing attacks are becoming more sophisticated and are now commonplace for most companies. Cybercriminals have mastered how to make the phishing email appear to be coming from a colleague or client, and this is tricking more than a quarter of employees into clicking on dangerous emails. Sixty-seven percent of those who open phishing emails end up submitting their login credentials.
It is important to have periodic training for staff on how to identify and flag these types of emails. This will help to ensure that all employees understand how to spot suspicious and dangerous emails. Another way to tackle phishing scams is to run a penetration test. Simulated phishing attacks is when an external security company tries to hack a client’s network to expose weaknesses and may include sending fake phishing emails to determine which employees are adhering to security policies. Additionally, there are advanced AI based email scanning tools companies can utilize for an added layer of security.
2020 saw a boom in remote workforces, and this boom led to many employees utilizing their own devices for work-based purposes. Staff can unknowingly put company data at risk by connecting to unsecured Wi-Fi networks or losing their devices. While simple steps can be taken to secure devices employees use, such as forcing them to have intricate passwords and regularly updating them, many companies fail to implement such rules. Utilizing a VPN (virtual private network) is a solution that all companies should implement during the remote work trend. A VPN keeps data secure and hidden from prying eyes when employees are connected to their home or a public WiFi. For law firms that operate with sensitive data, the extra step of encrypting hard drives is critical in preventing unwanted access to files.
While cyberattacks are increasing, many experts see them as mainly preventable by simply adopting a ‘zero trust’ policy. This is when companies operate in a way that assumes that hackers have already gained access to the network and therefore nothing should be trusted unless verified. This policy requires vigorous identity management tools and utilizes network monitoring solutions that capture and analyze user behavior to flag any suspicious activity. This policy also requires data to be encrypted and limits the data employees can access to only that which is required for their role, therefore reducing the potential effects of a successful cyberattack.
Law firms are targets for many cybercriminals, and cyberattacks are becoming real problems for legal professionals. It is important for law firms and practitioners who work with sensitive data to educate themselves on how to secure their data and systems from cyberattacks — the National Institute for Standards and Technology provides useful resources and guidelines that can be adopted by law firms to begin creating a robust cybersecurity framework.