In many ways, the cyber threats faced by law firms are similar to those faced by any small business. Law firms, however, can be particularly vulnerable to hacks and cyberattacks.
This is for a number of reasons. Law firms typically hold huge amounts of personally identifiable, sensitive information on their clients, and this can make them a tempting target for attack. At the same time, the level of cybersecurity knowledge in the average law firm lags behind that in other sectors.
Law firms have been slow, in fact, to implement cybersecurity testing measures that are now widely used by other businesses. One of these is “ethical hacking” — essentially, hiring a hacker to try to access your systems or trick your employees in order to highlight vulnerabilities in your systems.
Let’s quickly review the cyber threats faced by law firms, and show you how you can use ethical hacking to improve your resilience.
1. Your Threat Profile
The first step in improving cybersecurity is to understand the types of threats you face. While law firms are vulnerable to many of the same threats as other businesses, the legal sector comes with some unique challenges.
One is that the large amounts of sensitive data held by law firms make them a favorite target for phishing scams. Data from the 2019 ABA Legal Technology Survey found 26% of law firms have been hacked or experienced data breaches. Many of these attacks use phishing emails in their initial approach. Law firms are also vulnerable to state-sponsored attacks from Russia, Iran and China, as evidenced by a 2019 Chinese hack into a U.S. firm known for its expertise in intellectual property. This means that every employee in a law firm, from senior partners to the administrative staff, needs to know how to avoid phishing scams.
The second challenge that law firms face is that they are governed by a set of industry-specific legislation that gives them significant extra responsibility (and liability) for the information they hold and the privacy protections they have in place. In October 2018, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which details Lawyers’ Obligations After an Electronic Data Breach or Cyberattack. This opinion follows 2017’s Formal Opinion 477R, which outlined attorneys’ ethical obligations to secure confidential client data when communicating over the internet.
In some cases, the regulatory requirements faced by law firms have even been used in phishing attacks. There have been recent reports that the GDPR is being used in phishing scams by exploiting the poor level of knowledge of privacy legislation among legal staff.
2. Testing Your Systems
Having assessed your threat profile, you can begin to test your systems. One of the most effective ways of doing this is to hire an expert on breaking into computer systems and have them perform a “penetration test” (a pen test). Before we get to that approach, however, it’s worth noting that you can perform this kind of testing yourself.
3. Phishing Simulation Tests
Given the frequency of phishing attacks, it makes sense to test how susceptible your team is to them. And unlike hiring an ethical hacker to perform a full-blown pen test, phishing simulation tests can be done in-house.
There are plenty of guides on running this kind of test, but the basic principles are pretty simple. First, make sure that you have a system in place for your staff to report phishing attempts, and that they know how to use it. You should then send a fake phishing email to one of your teams, and monitor how many people fall for the bait.
4. Ethical Hacking
A more thorough test of your systems can be performed by an ethical hacker. The basic principle in doing this kind of pen test is straightforward: You instruct the hacker to test every part of your system for weaknesses, and after they are identified you can close them. An experienced pen tester should already have all the tools needed to perform the test and provide you with recommendations on how to improve your systems’ security. (Ed. note: Here’s a description of the phases of ethical hacking from Sensei Enterprises.)
There are, however, important considerations to bear in mind when you employ a pen tester. Primarily, you should realize that you are potentially giving a third-party contractor total access to your systems. A disreputable pen tester may use this opportunity to steal data. Even worse, they could pass on details of your security weaknesses to other hackers for later exploitation.
For that reason, it’s important to only employ ethical hackers who are backed up by reviews and recommendations, and who have a verifiable professional profile.
5. Improve All Aspects of Cybersecurity
Testing your systems helps you to make specific improvements to your cybersecurity, but there are also a number of more general recommendations for cybersecurity practice in law firms.
One of the most important pieces of security software for any small business is a VPN. This tool encrypts all the data that your team members send and receive, even when they are working off-site. As with any investment, however, you should make sure you read and compare reviews of the best VPNs to identify a suitable tool.
Zero-trust protocols and biometric authentication can also be incredibly useful, since these solutions restrict access to the system to validated users who actually need to use it. Finally, you should recognize that smartphones are a cybersecurity risk, since employees’ phones can harbor malware. Where possible, separate your work systems from your employees’ personal devices, and train all your staff on the best ways to prevent malware infection.
In short, employing an ethical hacker to test your systems can be very useful in improving cybersecurity, but only once you have basic security features in place.
For More Advice on Securing Your Firm …
- “Cybersecurity Tech Tips: Stay Vigilant Out There!” Advice from practice management technology experts on what a law firm can do to make a hacker’s job harder.
- “Tech Tips: Make the Most of What You Already Have.” Experts chime in on getting more out of your everyday tech tools.
- “VPNs for the Technically Uninclined” by Anne Haag
- American Bar Association TECH REPORT 2019: Cybersecurity