Law firms and their clients’ sensitive information are a treasure trove for hackers. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems.
Law firms are seen as high-value targets for the rapidly growing use of ransomware and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.
Here are some recent high-profile cyberattacks in the legal industry:
According to the BitSight’s Fourth Annual Industry Index Report, Legal service providers are arguably one of the most widely used third parties across the world, supporting some of the world’s largest banks and other well-known organizations. To steal intellectual property, trade secrets, and other sensitive information from companies with strong security measures, cyber criminals may target their outside counsel rather than the company itself.
Hackers attack legal providers because they may have weaker security measures in place. Compared to other industries examined, BitSight finds that companies in the Legal sector actually have high-security ratings and low rates of vulnerabilities that could lead to man-in-the-middle attacks. Despite these findings, the industry remains a key target for cyber criminals.
The Legal sector had the second highest percentage of companies with a security rating of 700 or higher, only trailing Finance and in-line with Retail.(BitSight Security Ratings measure the security performance of organizations. These ratings range from 250-900, with a higher rating indicating better security performance.)
More than 60% of organizations examined from the Legal sector are exposed to DROWN, a major SSL/TLS vulnerability.(DROWN is a vulnerability, discovered earlier this year, that could allow a criminal to decrypt secure communications and potentially expose information sent over HTTPS, such as passwords, usernames, and credit card details.)
Update web server configurations
IT security teams should update their security protocols and ensure that the most recent patches have been implemented across the network.
Invest in training for employees
Employees should be aware of the cyber risks they encounter when surfing the web. Clicking on suspicious online ads, for example, can introduce vulnerabilities into the network. More on cybersecurity awareness training.
Continuous security monitoring
Teams should strive to continuously monitor the cybersecurity posture of their law firms and other legal service providers (alongside other critical vendors) to ensure that no new threats emerge through these third parties. More on continuous monitoring.
Establish cybersecurity benchmarks
Organizations should establish security benchmarks to help them take appropriate action depending on changes in the security posture of their own organization or their critical third parties.
Discuss cybersecurity with Board of Directors
Successfully protecting an organization from cyber attacks requires a team. Organizations should add cybersecurity to Board-level discussions.