Lawyers Still Lag in Information Security Risk Management
The frequency and scope of data breaches are growing every day. Hackers have set their sights on law firms because of the treasure trove of valuable data they hold. News of cyberattacks against the legal community has been splashed across the covers of business publications and warned about by professional organizations for a number of years, so this isn’t anything new. What is astonishing, however, is that law firms are still lagging behind with respect to insurance coverage for cyber risks and the implementation of other reasonable and expected risk management protocols.
Phishing for lawyers. Firms that are engaged in merger and acquisition activity, in particular, are being targeted by hackers to access nonpublic information for insider trading purposes. In March 2016 the Federal Bureau of Investigation issued a private industry notification warning law firms that “[i]n a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of sustained access to the networks of multiple international law firms.”
Ransomware, a type of computer malware that installs covertly on the target’s device, has sharply increased. This type of cyber risk threatens to attack or hold hostage a computer system or publicly release confidential information for the purpose of extorting money from the targeted entity.
E-mail phishing is the most common and simplest method that hackers use to gain access to a computer network and infect the system with ransomware. Targeted phishing attacks, known as “spear phishing,” have become more sophisticated. Attorneys and their staff are duped on a daily basis. Hackers trick the e-mail recipient into downloading an infected attachment or clicking on an embedded link to gain access to the network. If the link or attachment is opened, the computer is infected with dangerous malware. The sender of the fraudulent e-mail may impersonate a trusted source, such as a client, colleague, or in-house tech department.
Solo and small firm vulnerability. Solos and small firms are being caught up in “automated phishing attacks.” With an automated attack, hackers broadcast phishing e-mails to random e-mail addresses that have been “scraped” by web robots from millions of web pages. It has been reported that 62 percent of all malicious attacks involve small- to medium-sized companies, which typically spend less on network and information security and are considered to be soft targets by the hacking community Cyber tips best practices for reducing risk. Comprehensive network and information security risk management includes the following:
- Implement reasonable network security protections. More is needed than improved firewalls and perimeter blocks to stay ahead of hackers.
- Use encryption. Whenever data is encrypted, its potential value is significantly diminished. When the value is reduced, the likelihood of a thief taking the data decreases, which is known as “risk mitigation.”
- Undertake third-party assessments. An organization should have a third-party vendor.
- Conduct an annual risk assessment of the organization’s infrastructure and privacy practices to ensure that the entity follows industry and regulatory protocol.
- Hold third-party vendors accountable. All third-party vendors that support law firm information systems and data must be held accountable through contractual agreements backed by a promise to pay.
- Employees are the first line of defense. The best defense to compromised data is well-trained personnel, including attorneys, IT professionals, and staff.
- Comprehensive written employee policies to manage information security expectations, such as the regulation of passwords, e-mail, digital data, cloud computing, social media, and non-work-related browsing, and the use of personal devices, are key for minimizing risk.
- Shifting financial risks to cyber insurance. While attorneys recognize cyber risks, many still are not buying insurance. Two possible reasons are because they mistakenly believe there is coverage under other policies, or they are deterred by the perceived cost.
Conclusion. No law firm — irrespective of size, geographic location, or expertise—is immune from this threat. Clients are requiring law firms to do what they should have been doing all along: invest the capital necessary to implement reasonable network security protocols and better protect sensitive information. A failure to do so will jeopardize existing client relationships and future business.