In past years, when law firms suffered data breaches, it was often because they put themselves in the direct crosshairs of powerful and influential adversaries. For example, four years ago a Chinese group hacked into the files of the Washington D.C.-based firm Wiley Rein seeking confidential details related to several high-profile anti-dumping and unfair trade cases the firm was involved in against Chinese exporters.
Fast forward to today, and we are seeing more calculated breaches that aren’t tied to particular cases per se. Recent breaches are sophisticated operations designed to damage the finances and reputations of specific organizations – and law firms are the ideal targets.
In an interview in the May 2016 issue of Legaltech News, Delta Risk VP of Commercial Services Joseph Abrenio described why firms are such attractive targets. “Law firms are traditionally weak in cyber, not only in their technology but also in their employee training and processes,” Abrenio noted.
As attackers’ methods evolved from tactics like DDoS to more complex maneuvers, most law firms haven’t kept up with security measures to meet the challenge.
“You’re seeing much more of what we call ‘advanced persistent threats’ that are targeting lawyers,” Abrenio explained. “So, not only have the frequencies of attacks increased on law firms but the complexity too.”
Joseph S. Abrenio, VP Commercial Services Delta Risk LLC
Spear Phishing: Hackers’ Go-To Move
Malicious hackers’ attack preference isn’t always to storm the gates and take down an entire infrastructure. They often prefer to take advantage of employee negligence through more creative phishing and social engineering tactics. That way, they can lurk undetected for months or even years on networks to gather vast reams of information to compromise systems and individuals. Phishing and social engineering is a nagging thorn in the side of legal firms, especially as more breach stories pile up.
According to Abrenio, “I think it’s quite frankly one of the most effective types of attacks out there, simply because technology is not the only solution there.”
Law Firms Remain Tight-Lipped About Breaches
The sample size for “known” data breaches isn’t as large as it could be because there are a number of firms that haven’t publicly revealed their breach incidents. Even for the known breaches, law firms are reluctant to share their stories. For example, Wiley Rein declined to give a comment to Legaltech News about the Chinese group that targeted them a few years ago, and other breaches are mentioned in the latest issue that the implicated firms have not officially confirmed.
“For obvious reasons,” Abrenio added, “law firms are very hesitant to tell or disclose breaches, because of ethical and legal ramifications, and most importantly, branding implications. But I bet there are many more breaches out there that are unknown to the general public.”
The lack of transparency is understandable for an industry that must practice discretion. But even if firms aren’t open about the attacks they’ve experienced, they need to learn from recent history and make aggressive efforts to quickly adopt proven cybersecurity strategies.
Delta Risk LLC specializes in a variety of cybersecurity services to help law firms protect and uphold the standards of their most privileged data. Download our white paper, Electronic Data and the Law Firm’s Duty of Care, to learn about the legal and ethical liabilities lawyers are accountable for.