The legal industry is under attack – cyberattack. The threat is real, significant and immediate.

Consider the costs of a data breach:

  • Downtime/loss of billable hours
  • Loss of reputation
  • Consulting fees to security experts
  • Corrupted or lost files
  • Breach notifications
  • Hardware and software replacement

Most readers will be familiar with the fate of Mossack Fonseca of “Panama Papers” infamy. In 2017, several foreign nationals were charged with insider trading after hacking as many as 48 law firms handling M&A matters. The same year saw a major multinational firm, DLA Piper, institute a temporary network and phone system shutdown because of the global Petya ransomware attack.

The headline makers are just the tip of the iceberg. In a survey for the ABA 2018 TechReport, 23% of lawyers reported their firms had experienced a data breach at some point. There are undoubtedly more who have been hacked, but just don’t know it.

Think it’s a Big Law problem? Adjusted for firm size, the percentages are higher for mid-sized and small firms.

Ransomware is a universal threat to all industries. Moreover, law firms and other legal services providers are an especially tempting target because they’re a one-stop shop for vast quantities of business and personal information: data collected from a wide range of companies, pre-selected for value and often better organized than the originals.

The ABA aptly characterizes firms in particular as both attractive and soft targets for cybercriminals. Despite the heightened threat level, legal lags behind other sectors in cyber preparedness. Law firms are vulnerable to many attack types:

  • Phishing and spear-phishing
  • Ransomware
  • Business email compromise
  • Data exfiltration
  • Denial-of-service
  • Data theft and monitoring for insider trading
  • Viruses and malware
  • Hacktivism

Compounding the problem, legal professionals are an easy target for phishing/spear-phishing. We publish our email addresses, phone numbers and extensive biographical information on websites and public social media accounts. The purpose is client service and marketing. The unintended result is a data gold mine for bad actors.

Cybersecurity isn’t something other people do. It’s everybody’s problem. This post is the first in a series setting out three reasons why legal professionals must be vigilant about data security and seven essential steps to guard against cyberattacks.