♫ Listen
Do you want to know a secret
Do you promise not to tell, whoa oh, oh...♫
– Music and Lyrics by Lennon-McCartney, recorded by The Beatles
“We don’t have to worry about being hacked. We are one of the biggest law firms and have a whole department concerned with IT Security.” However, Bloomberg Law reported that Mandiant, a cybersecurity firm, has stated that 80 of the 100 biggest US law firms have been hacked since 2011.
“We don’t have to worry about being hacked. Hackers only go after the big fish, not us.” But The New York Times reported that 60% of all online attacks in 2014 targeted small and midsize businesses, according to Timothy Francis, enterprise leader of cyberinsurance at Travelers.
The fact is that while large law firms can throw considerable resources at cybersecurity, hackers are also throwing large resources back at them seeking valuable confidential information for resale on the black market. After all, information is money. Smaller law firms are also targeted on the basis that they are easier to attack and criminals can demand quick cash by holding a law firm’s data hostage. Such ransomware attacks are high in volume and don’t require any middlemen.
In Law Firm Data Hack, Part 1 in lawpracticetoday.org, Sharon Nelson and John Simek stated that: “Nearly 50 law firms were targeted by a Russian cybercriminal who posted on a cybercriminal forum seeking a hacker to collaborate with him. He hoped to hire a black-hat hacker to handle the technical part of breaking into the law firms, offering to pay $100,000, plus another 45,000 rubles (about $564). He offered to split the proceeds of any insider trading 50-50 after the first $1 million.”
Cynet.com reported that a Providence law firm was held hostage for a $25,000 ransom. However, the decryption key initially failed to work and the firm had to pay more. It lost $700,000 in billings alone.
Large or small, a law firm’s secrets, reputation and finances are placed at risk in a hack. As a result, managing partners of law firms of all sizes have yet another thing to worry about.
There are two major components to law firm security. One concern is the vulnerability of the system’s hardware and software. The other concern is the vulnerability of the “carbonware” – or in other words, the humans using the system.
According to LexisNexis, there are six key security steps for law firms to take.
The first is to put all your IT security policies in writing and hold training sessions around them to maximize security awareness for all employees. The second is to inventory all your data and detail who has what permissions or control over the various parts of the system. The third is to grant access only on a “need to know” basis. That way, even if someone’s credentials are hacked, the hackers don’t get access to your entire system. The fourth is to keep all your systems updated and patched. I am amazed at the number of lawyers who are still using outdated browsers, operating systems and anti-virus suites. The fifth is to ensure that you have adequate insurance that will cover you depending on your loss (see Insurance Issues: Risk Management, 2017: No. 2 Summer – a Guide to Insurance for Private Practitioners by the Law Society of BC). Last but not least, have a “breach ready” response plan so that you have planned in advance how to respond if you experience a cyber breach. The Boy Scouts’ advice on “Being Prepared” applies here!
By taking steps now, you can diminish the possibility that your reputation and financial well-being will be damaged by a hack. After all, you don’t want someone asking if someone wants to know one of your secrets....