EDTS Cyber has the immense privilege and responsibility of working closely with federally regulated industries as a third party auditor and Managed Security Services Provider (MSSP).
The legal industry shares many characteristics with federally audited industries like medical and financial, not the least of which are:
- Valuable data: lost legal records cost firms an average of $221 per record [1]. Data from legal files sells on the black market for anywhere from $1 to thousands of dollars, depending on the nature of the information.
- Heavily targeted by attackers: 24% of law firms surveyed for the 2017 Ransomware Report reported attacks between Q2 2016 and Q2 2017.
Through our independent security assessments of law firms, our engineers have identified a number of cyber security threats common to the legal industry—especially small to mid-sized firms.
Interestingly, only 1 of these 5 threats comes from outside a firm's walls.
1. Password Apathy
One of the most common mistakes law firms make is to assume individual staff members are changing admin passwords to their own quality passwords (and refraining from keeping them in a conspicuous location, like a sticky note on their desk).
Without guidelines on password complexity, password expiration, or account lockouts, your accounts are vulnerable to brute force attacks that can result in access to confidential client or case information (including PII and PHI), account numbers, and more.
2. Mishandled Electronic Files
Do you ever see an electronic case file on your partner's personal laptop?
The legal profession is unique in the amount of data processing and mobility required of its workers; it's easy to blur the boundaries of data access and storage during late night work sessions from the home office.
Even so, data must be structured so that it can be seen only by the eyes allowed to see it. The principle of least privilege and encryption of both network traffic and hard drives are vital steps in securing data.
In addition, all data your firm owns should be within the reach of protective backups and security monitoring measures.
In a study of more than 200 law firms [2], only 27% had implemented Data Loss Prevention (DLP), technology that scans every electronic record downloaded from or sent out of your firm for sensitive data such as PII, PHI, and SSNs, and blocks the transmission when it finds any.
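As an added illustration of the kind of check a DLP filter performs on an outgoing record (example code written for this post, not a product EDTS Cyber or any vendor ships), the following Python looks for structurally valid SSNs and Luhn-valid card or account numbers and reports whether the transmission should be blocked; the sample records in the test are constructed.

```python
"""Minimal DLP-style scanner for outbound records (added example, not a real product)."""
import re
from dataclasses import dataclass, field

# SSN in dashed form. The negative lookaheads encode the SSA's structural rules:
# area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card/account numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the DLP log itself does not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class ScanResult:
    blocked: bool
    findings: list = field(default_factory=list)   # (kind, masked value) pairs


def scan_record(text: str) -> ScanResult:
    """Scan one outgoing record; any confirmed finding means the transmission is blocked."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):             # drop digit runs that fail the checksum
            findings.append(("CARD", mask(digits)))
    return ScanResult(blocked=bool(findings), findings=findings)
```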
3. Undiscovered Privacy Infractions
In the same study mentioned above, it was found that 66% of firms had already experienced a breach.
We have seen a similar frequency in unauthorized data access that had gone unnoticed until we performed an assessment.
In our experience, data privacy violations most commonly result from insider error; however, we see plenty of past malware infections. These attacks will only increase in the years to come.
Law firms should be particularly wary of high-volume phishing attacks, which don't discriminate by firm size or industry but rather count on the sheer volume of attempts to achieve success with someone, somewhere.
4. Limited Awareness of Today's Cyber Threats
Speaking of phishing, this favorite method of hackers is often underestimated by legal teams that place too much trust in their spam filters and firewalls. While some automated attacks (using familiar threats) may be blocked, the high going price of private information gives hackers strong motivation to circumvent these measures.
Spear-phishing, for example, is becoming an effective tactic of hackers looking to circumvent employees' suspicions while also getting them to comply with an urgent request. In these attacks, the hacker researches your corporate structure and vendors and sends an urgent email "from" an executive in your company requesting a money transfer, "forgotten" account numbers, employee PII, etc.
Twice annual security awareness training is economical and practical (often able to be done completely online). Empower every member of your team to defend against the attempted exploitation and extortion of your firm.
5. No Documented, Enforceable Cyber Security Policies
Most law firms don't document cyber security policies because they trust their team to use common sense. Today's hackers, however, circumvent our common sense by appealing to deeper tendencies to listen to urgent, authoritative requests for help.
How can you keep employees from falling for increasingly clever spoofs and scams? Documented, enforceable policies help your employees resist, for example, a text from your cell number urgently asking them to help you out by making a wire transfer while your hands are tied "in a meeting with a client."
Due diligence in response to these threats looks like an enforced policy that states clear guidelines for evaluating any request to click a link, download a file, or enter credentials or account information.
Good policy, coupled with security awareness training, helps overcome your employees' vulnerability to threats that prey on their good nature.
Does your law firm need a fresh commitment to data security?
Not only is a solid cyber security policy a way to protect your clients; requests for your security policy documentation will also become more frequent as compliance regulations heat up.
Our audits and assessments are extremely thorough, fully documented, and often uncover problems even seasoned IT staff overlook.
Whether you have questions about your current cyber security posture, are preparing for an audit, or are simply looking for independent verification, EDTS Cyber is the company businesses and government entities turn to.
1. "2016 Cost of Data Breach Study: Global Analysis." Ponemon Institute Research Report. Print.
2. "Law Firm Cyber Security Scorecard Q1 2017." LOGICFORCE. www.logicforce.com. October 2017.