The topic of cybersecurity has not a specialized area of expertise at most law firms, internally or for clients. Of course there are some exceptions to that statement in the larger legal community, especially related to compliance and insurance issues. It is not surprising that law firms lack expertise as the leadership at law firms mirrors the leadership in the corporate world where cybersecurity has been traditionally considered an afterthought.
In today’s changing digital ecosystem, law firms can no longer afford to remain disconnected from the reality of breaches and cyber-threats. There is too much at stake in terms of business operation interruption, decline in productivity, impaired reputation, and there is also a major responsibility to ensure protection of the data and privacy of clients. For those in the legal profession developing an understanding  of the implications of not having adequate cybersecurity is an imperative.

Most ominous has been the upsurge in cyber-attacks against law firms. Firms, large, small and medium, have become a significant target of hackers. The firm  BlueVoyant appraised thousands of law firms worldwide between January and March 2020,  (see https://www.infosecurity-magazine.com/news/nearly-one-fifth-law-firms-show/) Bluevoyent found that of those targeted, some 15% were  likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use.  Lexis Nexis detailed that In 2015, 62 per cent of law firms reported a cyber-attack in 2015 and by 2017, the figure had increased to the majority of law firms. No doubt there have been more cyber-attacks since those earlier findings.

Bluevoyen states that the legal community’s  near-$1 trillion sector is a prime target for financially motivated attacks as well as nation state actors. Their comprehensive report details examples of ransomware threats, financial data and PII theft, third-party risks, password breaches, insider leaks,  hacktivism, and other cyber issues.

Their CEO, Jim Rosenthal summed the report up:  “Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised.”

A trending area of cyber-attacks against law firms involves ransomware. In 2020 many firms were hit with ultimatums to pay if they want to get their files and data back. According to the American Bar Association and the U.S. Department of Justice, 25% of all law firms have been subjected to, or experienced, some form of a data breach involving hackers, many involving ransomware

For example, In May 2020, a ransomware-as-a-service (RaaS) operation was able to hack the servers of Grubman Shire Meiselas & Sacks and compromise the law firm’s privileged client information.  Law firms make attractive targets because they often pay despite recommendation not to by the FBI.
(see https://securityboulevard.com/2020/06/revils-lessons-its-time-law-firms-quit-taking-cybersecurity-for-granted/)

The Graph below provides a good overview of the types of legal target by hackers using ransomware.

  • Law Firm 61.36% 61.36%
  • Courts 22.73% 22.73%
  • Legal Aid Association 6.82% 6.82%
  • Legal Services 4.55% 4.55%
  • Prosecutor’s Office 4.55% 4.55%

Figure 1. Ransomware Attacks by Legal Organization – Source: Tari Schreider Ransomware Attack Database

Source: https://www.law.com/corpcounsel/2020/05/26/ransomware-attacks-in-the-legal-profession/?slreturn=20201020132735

A primary requirement of the legal profession is to obtain data and explore evidence, access the implications of that evidence, and prepare accordingly to protect and serve the client.  E-discovery is fundamental and most is done online. With this responsibility, Law firms are facing a daunting list of security and operational challenges to conduct work. Unfortunately, despite breaches becoming commonplace, most law firms still lack the critical awareness, policies, and technologies to best secure data and privacy, including private firm interchange, records, and especially privileged attorney client communications. In a nutshell, cybersecurity is a critical factor for future business prosperity.

In addition, because of Covid19, many law firms have had to assimilate to remote work situations. This has expanded the attack surface, strained the IT shops who have to cover more devices and endpoints not easy to protect. Remote work is here to stay, and it’s pushing security pros into a new reality of Shadow IT, IoT, and accelerated Cloud adoption. The reality is that we live in an increasingly hyper-connected world. The exponential rate of cyber-threats and breaches against law firms necessitate a clearly defined security strategy for who and how to handle this constantly evolving landscape of cyber threats — from phishing scams, bots, distributed denial of service attacks, ransomware, and a host of insider threats. 

Why External Cybersecurity SMEs are Needed for Law Firms 

Because of the growing threats and emerging technology challenges that  increase risk to revenues and reputation, law firms should explore bringing in outside expertise from subject matter experts (SMEs) who understand the latest developments in technologies and compliance/governance directives in the cyber ecosystem.

SMEs for the legal community are especially important as the cyber threat includes various criminal enterprises and adversarial nation states. A change in the cyber risk environment has corresponded with  heightened investments in threat awareness and information-sharing necessary for successful staying in business.    SMEs are a particularly valuable component for evaluating the threat horizon and vulnerabilities.  It can be a big benefit to bring in outside SMEs who can “think outside the box” and bring new perspectives.

Keeping up with cybersecurity threats is often daunting and requires a special effort.  SMEs can assist in vulnerability assessments, recommend best in breed cybersecurity technologies and vendors. In IT terms this may include operational components of encryption, biometrics, smarter analytics, and automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for the enterprise network, payload, and endpoint security. It is best if the plan is calibrated by outside SMEs for specific cybersecurity requirements.

A successful cybersecurity law firm strategy requires stepping up assessing situational awareness, information sharing, and especially resilience. There are many external SMEs who can better understand policies, compliance, technologies, and the protocols associated with cybersecurity risk management. A first step is a risk management cybersecurity framework.

An example of what a risk management cybersecurity Law Firm framework should include is:

  • Vulnerability and gap analysis (identifying, assessing and responding to threats- NIST Framework: Protect, Detect, Respond, Recover.
  • Better encryption and biometrics (quantum encryption, keyless authentication
  • Technologies for “real time” horizon scanning and monitoring of networks
  • Access and Identity Management and Control
  • Endpoint protection
  • Diagnostics, data analytics, and forensics (network traffic analysis, payload analysis, and endpoint behavior analysis
  • Advanced defense for framework layers (network, payload, endpoint, firewalls, and anti-virus
  • Enterprise and client Network isolation to protect against malware, botnets, insider threats.
  • Employee awareness programs and training
  • Cyber Insurance
  • Analytics and cyber-forensics
  • Audits

https://www.nacdonline.org/analytics/survey.cfm?ItemNumber=66753

Cybersecurity SMEs can also be utilized for compliance, (GDPR expertise), and a whole host of other issues related to policy and industry specializations. Whether it be bolstering the internal IT security team of a law firm, or recommending potential technological solutions and protocols, SMEs can augment efforts. In addition, there are managed service providers (MSPs) who can also offer holistic cybersecurity services depending upon budgets and needs. As the threats and cost of breaches continue to escalate in the legal profession landscape, getting outside help is a sensible option.


About the author:  Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and evangelist for Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech Experts to Follow on LinkedIn.” Chuck was named as a 2020 top leader and influencer in “Who’s Who in Cybersecurity” by Onalytica. He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was named by The Potomac Officers Club and Executive Mosaic and GovCon as at “One of The Top Five Executives to Watch in GovCon Cybersecurity. Chuck is a two-time Presidential appointee who was an original member of the Department of Homeland Security. Chuck has been a featured speaker at numerous conferences and events including presenting before the G20 country meeting on energy cybersecurity.

Chuck is on the Faculty of Georgetown University where he teaches in the Graduate Applied Intelligence and Cybersecurity Programs. He is a columnist for HPC, a contributor to FORBES, a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, He has also been featured speaker, author on technology and cybersecurity topics by IBM, AT&T, Microsoft, General Dynamics, Xerox, Checkpoint, Cylance, and many others.

Chuck Brooks LinkedIn Profile: https://www.linkedin.com/in/chuckbrooks/

Chuck Brooks on Twitter:  @ChuckDBrooks