No matter the size or type of your legal firm, you undoubtedly work with sensitive client and financial data. Keeping this information confidential and secure is critical for your operations and reputation, yet the risk of a cyberattack on your firm is a very real and present threat.
The American Bar Association states that security breaches against law firms are becoming so prevalent that “it’s when, not if, a law firm or other entity will suffer a breach.” According to a 2017 technology survey, also from the ABA, 22 percent of respondents reported that their firm experienced a data breach at some point, up from 14 percent the previous year.
Why are law firms such a target? Many firms, especially young ones, operate with shoe-string budgets and limited IT resources, resulting in less-than-stellar cybersecurity practices. Even with such highly sensitive information at play, many firms lack needed protections. A 2018 study reported that more than 60 percent of the top 100 law firms did not meet minimum levels of security to safeguard themselves against an attack.
The question you’re probably asking right now is, what can be done? Read on! We not only highlight the top threats you face, but also present a few actions you can take to better protect your firm today and in the future.
1) Phishing Hole
Phishing is a primary concern and risk for today's law firms. A phishing attack is where a hacker attempts to obtain financial or other valuable or confidential information by sending fraudulent emails or notices to people in your firm. Phishing is a form of “social engineering”, meaning it’s a manipulation tactic in which attackers pose as someone known or trustworthy in an attempt to solicit access or information.
The ABA estimates that nearly one quarter of law firms (with a staff of 500 people or more) suffered a breach in 2017, and that number has likely grown in recent months. Among these attacks, over 90 percent began with a phishing email.
Not only is phishing a threat for your firm, the fraudulent messages may also appear to originate from your company and put your clients at risk. In a recent incident, clients of a Colorado law firm were sent an email that seemed to come from the firm. Clicking on the email took the clients to a phishing website.
How do I mitigate the threat of phishing?
The first step to protect your firm is to install the right security software. This includes an up-to-date antivirus program installed on all systems, including mobile devices. Another good practice is to enable multi-factor authentication on your accounts, so that a stolen password alone is not enough to log in.
Another tip is to train your staff on the basics of cybersecurity. This includes learning to recognize the common signs of a phishing email. Such emails can appear to be a legitimate message from your company or from a trusted partner, individual, or vendor. Common lures include a report of suspicious activity, a fake bill or invoice, a request for payment, an offer of a coupon, or a claimed problem with your account. (For more, here are a few ideas for effective cybersecurity training at your firm.)
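As an added example (not part of the original article), the following Python script turns the red flags listed above into a simple triage check that a firm's help desk could run over reported messages: it looks for a Reply-To domain that differs from the From domain, a sender domain that merely resembles the firm's own, links to domains unrelated to the sender, and the lure themes the article names (suspicious activity, invoice, payment, coupon, account problem). The two messages, the `.invalid` domains and the keyword patterns are constructed for illustration; a real deployment would tune the patterns and the trusted-domain list to the firm.

```python
import re
from email.utils import parseaddr

# Lure themes named in the article, expressed as regexes over subject+body.
# These patterns are illustrative, not a vendor's detection rules.
LURE_PATTERNS = {
    "suspicious activity": r"suspicious activity|unusual sign-?in",
    "invoice or bill": r"\binvoice\b|\bbill\b",
    "payment request": r"\bpayment\b|\bwire\b|\btransfer\b",
    "coupon or offer": r"\bcoupon\b|\bvoucher\b|gift card",
    "account problem": r"verify your account|account (has been|will be) (suspended|locked|closed)",
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample messages (hypothetical .invalid domains, not real senders).
TRUSTED_DOMAINS = {"lawfirm-example.invalid"}
LEGIT_MESSAGE = {
    "from": "Billing <billing@lawfirm-example.invalid>",
    "subject": "Your invoice for November",
    "body": "Please find your invoice at https://portal.lawfirm-example.invalid/invoices",
}
PHISH_MESSAGE = {
    "from": "Managing Partner <partner@lawfirm-example-secure.invalid>",
    "reply-to": "partner.office@webmail-example.invalid",
    "subject": "Urgent: wire payment needed today",
    "body": "Please verify your account and approve the transfer at https://secure-login.invalid/verify",
}


def domain_of(header_value: str) -> str:
    """Return the lowercase domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def belongs_to(domain: str, org_domain: str) -> bool:
    """True if domain is org_domain itself or a subdomain of it."""
    return bool(org_domain) and (domain == org_domain or domain.endswith("." + org_domain))


def score_message(msg: dict, trusted_domains: set) -> dict:
    """Collect red flags for one message; two or more flags mark it suspicious."""
    reasons = []
    from_domain = domain_of(msg.get("from", ""))
    reply_domain = domain_of(msg.get("reply-to", "")) or from_domain

    # Flag 1: replies would go somewhere other than the apparent sender.
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # Flag 2: sender domain contains a trusted name but is not that domain (lookalike).
    for org in trusted_domains:
        label = org.split(".")[0]
        if not belongs_to(from_domain, org) and label in from_domain:
            reasons.append(f"sender domain {from_domain!r} looks like trusted domain {org!r}")

    # Flag 3: links lead to a domain unrelated to both the sender and the firm.
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    for link_domain in sorted({d.lower() for d in URL_RE.findall(text)}):
        if not any(belongs_to(link_domain, org) for org in trusted_domains | {from_domain}):
            reasons.append(f"link points to unrelated domain {link_domain!r}")

    # Flag 4: the message uses one of the classic lure themes.
    for theme, pattern in LURE_PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(f"lure theme: {theme}")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        result = score_message(msg, TRUSTED_DOMAINS)
        print(name, "suspicious" if result["suspicious"] else "ok", result["reasons"])
```

The threshold of two flags is deliberate: a genuine invoice from the firm's own billing address trips the "invoice" lure on its own and should not be quarantined for that alone, while the spoofed wire request trips several independent checks at once.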
And, of course, always back up your data and information. This will help you recover your information and reduce downtime in the event an attack does occur.
2) Spoofing (It’s Not Just a Funny Movie)
Spoofing is another threat facing your law firm. While phishing is an attempt by attackers to retrieve information from your firm, spoofing is an attempt to deliver an attack and trick your staff into performing dangerous actions, like unknowingly downloading malware. As with phishing, spoofing attempts are often disguised as legitimate-looking emails from trusted sources. Today, spoofing attacks can be quite refined; often they include official-looking language, graphics, or websites. Not surprisingly, this can make it quite challenging to minimize the risks of a spoofing attack among your employees.
A report from the U.S. Securities and Exchange Commission investigated the security controls of nine businesses that were spoofed, with emails originating from either impersonated executives or vendors. In many cases, the spoofing emails stressed a need for secrecy and urgency and inquired about transaction and financial details. One finding from the report is that “every type of business is a potential target,” including law firms.
How do I mitigate the threat of spoofing?
To best protect against spoofing and other risks, your firm should immediately assess your IT infrastructure and the protections it has in place. (Here’s more on how to perform an assessment and why it’s so critical.) Your firm should also make sure you use Domain-based Message Authentication, Reporting and Conformance (DMARC) to actively block phishing and spoofing attacks that forge your domain. A DMARC policy can safeguard your firm by either blocking unauthenticated email before it reaches inboxes or quarantining it in a spam folder.
You should also help your employees learn to recognize the red flags associated with spoofing attempts. McGuireWoods, for example, provides best practices on its website to help staff better defend against spoofing attempts.
3) Virus, Spyware, and Malware Attacks, Oh My!
In addition to phishing and spoofing attempts, there is also malicious software designed to perform damaging operations on your computers and IT infrastructure. This includes malware such as viruses and spyware.
Viruses are dangerous because they are self-replicating; they can spread quickly and easily without being detected, causing significant damage. Spyware is a malicious program that “spies” on your computers to obtain confidential information (including through your webcam). Both can be used to steal sensitive data, and both exploit weaknesses in your endpoint security on desktop and mobile devices alike.
For example, this year, two law firms fell victim to the GozNym malware attack, just one of many such attacks that happen every year. In Washington, DC, a staff member of one firm clicked on a link in a phishing email which infected the computer and provided access to the law firm’s banking account. The result was a loss of more than $75,000. In Massachusetts, another law firm had its login credentials captured by the GozNym malware, which was then used to transfer funds to an account controlled by the attacker. The result was a loss of more than $40,000 for this single incident.
How do I mitigate the threat of malware?
Your firm must take steps to protect all of your devices, including desktop and mobile, as well as all access points in your network. As with other threats, install modern and robust anti-virus and anti-malware software on all devices and train your staff on the dangers of using public WiFi systems.
We can help!
As your firm turns the last calendar page on 2019, resolve to start the new year in a safe and secure way. Embracing and implementing the right cybersecurity solutions and best practices is the best way to mitigate the risk of an attack on your firm. Take immediate and practical steps to make sure any anti-virus or other software programs you use are up to date and properly installed. Plan an all-staff meeting or newsletter in early 2020 to remind people of these threats and provide the necessary tools so that your team can be your first line of defense.
You may discover that partnering with a reputable third-party provider is the most affordable and effective path to protect your firm. The right firm can help with everything from selecting the best software to training your staff on cybersecurity prevention. A trusted cybersecurity partner can also conduct a full audit and robust assessment of your IT environment to uncover security vulnerabilities and pinpoint issues that open your operations to attack. Some firms will charge a fee for an IT assessment, others may offer it at no cost and with no commitment.
Just remember, acting today presents your best opportunity to make changes and improvements that will protect your business tomorrow. When your confidential legal information is secure, you are freed up to focus on what really matters: your clients, your firm, and your bottom line. Please get in touch with us anytime to talk about how to ensure that your firm is safe and secure in the new year.