It’s been a rough couple of months for law firms that have been victimized by website hackers. First, there was the report that a number of prestigious law firms in New York had their sites breached last fall by financial cybercriminals. Then came the stunning news that Panama-based law firm Mossack Fonseca had been hacked and more than 11 million confidential documents had been leaked to the global news media. These recent reports of law firm cybersecurity breaches “should solidify that firms are actually targets and security is not something that ‘someone else’ needs to worry about,” says Jeff Norris, CISSP, senior director of data security for Managed Technology Services.
What does this mean for law firms?
“The legal industry has been under increased scrutiny for their security practices for the past several years,” says Norris. “There has always been speculation regarding criminals potentially targeting law firms to access data that their clients entrust to them. Hacking a third party has proven over the years to be easier than the actual target itself.”
What should law firms do about it in the short term?
“In the short term, there are a few things that firms should do. First, ensure the firm has an incident response plan in place to deal with a security incident. Check your security policies and start internal communications and awareness around phishing and the dangers that presents. Look to where you can implement two-factor authentication, if you haven’t already. Stolen, weak or default credentials are a primary cause in most data breaches. If you’re concerned that something may have happened, utilize a security firm to perform a compromise assessment,” says Norris.
What to do in the long term?
“In the longer term, focus on your vulnerability management program, prioritizing remediation or mitigation based on risk,” advises Norris. “Further secure your email and Internet access. Continue to raise security awareness among staff. Review the firm’s insurance policies and update or acquire cyberinsurance coverages as appropriate, and finally, look to engage a security firm for an ongoing incident response program.”
According to Citibank’s Cyber Security Overview, the efficacy of website attacks is high and, once a network is infiltrated, cybercriminals are often able to operate undetected for long periods of time. There is no way to prevent all law firm website breaches, but having some smart cybersecurity measures in place can help to reduce the risk and minimize the impact.