Hackers’ Latest Target: Law Firms

Cybersecurity experts have made it clear time and time again that every business, regardless of size or industry, could be targeted by hackers at some point. Lately, it seems as if many hackers have set their sights on law firms located around the world.

Law Firm Data Breaches in the News

The Panama Papers is perhaps the best-known data breach incident involving a law firm. An anonymous source obtained over 11.5 million files from one of the world’s largest offshore law firms, Mossack Fonseca. The files that were illegally obtained from the law firm revealed a network of hundreds of wealthy politicians, entertainers, and business executives who were moving their money offshore in order to avoid paying taxes.

DLA Piper is another law firm that was recently affected by a massive data breach. In 2017, a ransomware attack forced the law firm to shut down its email and other internal systems for several days. The law firm was attacked with the Petya virus, which prevents people within the organization from accessing their own data. Basically, this virus is designed to hold the data hostage until a ransom has been paid for its release. When this attack occurred, the FBI office in New York revealed that DLA Piper was not the first law firm to be affected by the Petya virus. In fact, the FBI even confirmed that they believe some law firms that were affected were quietly paying the ransom in order to avoid negative publicity.

Both DLA Piper and Mossack Fonseca are large firms, but hackers have gone after small firms as well. A ten-person law firm in Rhode Island was targeted by hackers in 2016. Someone within the law firm opened an email attachment that contained a virus designed to completely shut down the law firm’s network. The attack severely impacted the law firm and its employees; in fact, they suffered productivity losses for three months as a result of the attack.

Why Law Firms Are Targeted By Hackers

Law firms work with many different types of clients on cases involving trademark infringements, contract disputes, criminal charges, divorces, bankruptcies, and other legal matters. Lawyers cannot do their jobs without gaining access to their clients’ sensitive information. For example, it would be difficult to represent a client who is filing for divorce without seeing their financial statements.

Because law firms store a significant amount of their clients’ sensitive data, hackers see them as attractive targets. The type of information that a law firm stores varies depending on its practice areas; however, some firms may have access to clients’ bank accounts, government secrets, or medical records.

Another reason law firms may be targeted is that many of them are incredibly unprepared for an attack. A recent survey conducted by LOGICFORCE found that only 23% of law firms have cybersecurity insurance policies in place. Ninety-five percent of the 200+ law firms surveyed were also not compliant with their internal cybersecurity and data governance policies. In addition, every single one of the law firms surveyed was not compliant with the data protection policies established by their clients. It’s possible that there has been an increase in law firm attacks because hackers have realized how easy it is to infiltrate their networks.

How Law Firms Can Protect Their Data

Based on these stories and statistics, it’s clear that the majority of law firms need to make more of an effort to protect their clients’ sensitive data. Establishing an in-house cybersecurity team is too expensive for many small or mid-sized firms, but this isn’t the only way to protect sensitive data. Many businesses that cannot afford an in-house team outsource these responsibilities to cybersecurity firms. This is much more affordable than establishing an in-house team, and it’s more effective than relying on consumer-grade cybersecurity products.

A lot of the attacks on law firms occur when an unsuspecting employee opens up an email attachment from an unknown sender or downloads a suspicious file. To prevent these attacks, it’s important to invest in employee training. Every employee within the law firm should know how to spot a suspicious email or file. Employees should also be thoroughly trained on password protection so they know how to choose strong passwords and keep them private.

Unfortunately, sometimes law firms that have invested heavily in cybersecurity are still affected by data breaches. Because of this, it’s important for every law firm to have a data breach response plan in place. A data breach response plan outlines how the law firm will ensure the data breach is contained, notify the affected individuals, and prevent further attacks in the future. Putting this plan in writing will make it easier to quickly respond in the event of a data breach.

There’s no doubt that law firms should protect their clients’ sensitive information while it is in the company’s possession. But what happens when the company no longer needs the devices the data is stored on? The data will still exist even when the device is no longer in use, which means it could easily be breached. For this reason, law firms need to consider how to protect sensitive data during the disposal of their IT assets.

To ensure sensitive data does not fall into the wrong hands, work with a reliable e-waste recycler. ERI is the leading recycler of e-waste in the country. Every hour, ERI’s facilities process over 15,000 pounds of electronic waste from clients in government, banking, finance, telecommunications, law, and other fields. The data stored within these devices is completely destroyed so it cannot be read or recreated.