Sarah woke up typically early. A partner at her law firm, she had another late night of work on a complex case involving a major international consulting firm – her client – who was suing an energy company run by an infamous Russian oligarch. Sarah loved her work and didn’t mind the long hours. She checked emails on her phone as she made her morning coffee, scrolling through the dozens that came in overnight.
She opened one that seemed to come from someone at her client’s firm that she didn’t know. The email said the sender was an administrator at the firm and was looking to set up a conference call later in the week, referring to a specific aspect of the case – and to click on a link to choose a time that worked for her. Sarah clicked on the link, her phone flashed oddly, but she wasn’t taken to a calendar. Assuming it was a faulty link, Sarah forwarded the email to her assistant asking her to get to the bottom of it and set up the meeting.
When Sarah got to the office, she was greeted with the news that the email wasn’t from anyone at her client’s firm – it was a deceptive email from a hacker. The hacker had created a very similar address (upon closer inspection there was an extra letter in the address), had the correct email signature, and clearly had insider information about the case. Sarah – though trained to avoid phishing techniques – assumed that any message from her client was safe. Now, the firm was under attack.
Welcome to the wave of the future. A study by the American Bar Association reported that nearly 30% of law firms experienced a cybersecurity breach, and almost 40% reported past malware infections in their systems. Law firms represent excellent targets for hackers, and some of the biggest firms in the world like Cravath, DLA Piper, and Weil Gotshal have been victims. In Germany, CMS has been hit in 2021.
Hacker’s skills and means are evolving rapidly
The threat goes well beyond highly publicized instances of ransomware. While ransomware attacks can be disruptive and expensive, more sophisticated attacks by hackers to acquire proprietary data on sensitive cases can have an enormous impact on law firms, who are, after all, required to safeguard client data. Hackers are also applying more advanced techniques when it comes to stealing money and other assets from law firms.
Hacker’s skills and means are evolving rapidly. Utilization of advanced artificial intelligence and deep fakes are becoming more common, and that trend will likely continue. Law firms need to evolve together with these threats and understand how much of a target they are. They must also understand that law enforcement is too over-stretched and underbudgeted to deal with this threat. Proactive measures must be taken by law firms to implement measures to avoid an attack and have plans in place should one pierce their defenses.
Law firms have thus far been slow to recognize the threat and take the necessary steps.
The 2020 ABA Legal Technology Survey Report noted that only 40% of respondents use file or email encryption, intrusion prevention, and two-factor authentication; only a quarter have intrusion detection measures in place.
While having the right technical partners for cybersecurity is the first step, that is only one that law firms should be taking to manage this growing risk.
Crisis management plan
Most attorneys are not particularly knowledgeable when it comes to these risks, so setting up a cybersecurity committee within the firm that will regularly discuss the changing risk landscape and what steps the firm is taking to manage it is a good idea. This committee should not only look at defensive measures to stave off an attack – including regularly educating its staff to stay up to date on the evolving threat landscape – but also set up a crisis management plan should the firm be attacked.
This crisis management plan should include a security partner that can work with a law firm to mitigate the fallout should a law firm find its cyber defenses breached. Steps can be taken to identify the IP address of hackers, review metadata, and evaluate other details from the attack (such as language used in any message to the firm) to ascertain who the hackers are. Experienced security partners typically have relationships with law enforcement who can compare notes on similar occurrences and take steps to prevent future attacks.
A study by IBM noted that the average cost of a law firm data breach is $3.9 million and looks at a variety of metrics of how such a breach can impact a firm, including cash or other stolen assets. If money or other assets have been stolen, there are ways to trace the assets and finances that can potentially lead to recovery. If personal information is stolen, part of the crisis plan should include a security partner utilizing their experience on the Dark Web to see if the information is being sold and implement a remediation plan.
Take action now
Yet a report by PwC noted that “only 22% of Top 100 firms have a cyber committee that reports to the party charged with governance” – a glaring hole in the risk management practices of law firms. Smart law firms should prepare for a future of clients asking hard questions about their cybersecurity infrastructure before they entrust law firms their sensitive data. A reputation for ensuring confidentiality is so critical for the work of any law firm and any dent in that reputation can be an existential risk. Taking steps today to plan for the attacks of tomorrow can safeguard the future of any law firm. What are you waiting for?