Over the last few years, multiple leading law firms have suffered large, expensive, and high-profile attacks. So far, the most frightening leak has been, of course, “The Panama Papers” breach, where, in 2017, the world’s fourth largest offshore law firm suffered a leak of 11.5 million files from their database that exposed information on over 210,000 companies. Other large attacks—such as the attack on DLA Piper last year—make it clear this was not a fluke: law firms are increasingly under attack by cyber criminals.
In fact, additional data suggest that attacks on law firms are even more common than the headlines indicate. Recent reports found that over 80% of the largest 100 firms in the U.S. have been breached since 2011, with approximately one in six of them losing important files and information in the process.
Why are Law Firms Being Targeted by Cyber Criminals?
Law firms are targeted by cyber criminals for the same reason retail and hospitality companies are common targets: law firms may not have a lot of valuable internal data, but they hold a large quantity of valuable customer data. In fact, the data law firms hold is far more valuable than what retail, hospitality, or other customer-focused companies hold. Law firms are involved in their clients’ most intimate transactions, which means the databases at law firms often contain extremely sensitive information that goes well beyond names, email addresses, credit card numbers, and passwords, and instead includes:
- Confidential information and intellectual property
- Insider information on some of the biggest business deals in the world (such as M&A activities)
- Business and sometimes even governmental secrets
How are Law Firms Protecting Themselves?
It is no surprise that many law firms are being targeted. Unfortunately, when you look at the current state of cyber security at law firms, it is also not surprising that so many of them are being breached. Despite being such valuable targets, the data suggest law firms are doing very little to protect themselves. Only 25% of law firms say that they use basic email encryption, and only 15% report encrypting their drives. 25% of law firms have not yet even assessed the cost or risk associated with a breach. Only 17.1% of law firms have an incident response plan in place in the event that they are breached.
In short, most law firms are not actively protecting themselves, for a few key reasons.
First, law firms are not protecting themselves because, to be blunt, they do not have to in the same way that firms in heavily-regulated industries like healthcare and finance must. Unlike firms in those industries, law firms are not regulated by any external body—they are largely self-regulating. This is changing slightly, as firms are increasingly “regulated” by potential customers who want to know their data will be safe, but by and large law firms are under no structural pressure to protect themselves.
But there is an even more fundamental reason law firms don’t protect themselves: they feel like they cannot afford to. As noted in a recent article by the ABA Journal, “The economics of the practice of law doesn’t allow for investment (in cyber security)... Even in the biggest firms, there are only three or four people [working] on cyber security. There’s not much investment in people, resources, and they can’t pass the cost on to clients.”
It is clear that law firms lack the resources or the will to take care of their own cyber security. Considering this, the only way to keep law firms safe becomes clear—they must partner with a cost-effective security service that will take care of their security for them.
What Law Firms Can Do to Improve Their Cyber Security
Any security solution law firms consider must be convenient and cost-effective, and must not require building out their own internal team. As CIO.com recently noted, this has led some law firms to try to protect themselves with consumer-grade technology, which has ultimately proven to be “ill-equipped for the threats they are facing”. Instead, the article makes the only viable solution clear when it states, “The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate.”
From our experience providing these services to many clients across many industries, this advice is accurate. The only way for any modern company—but in particular law firms, which face substantial cost pressures and an internal shortage of technology staff—to protect themselves against next-generation threats is to partner with a full-service managed security firm.
John has 20+ years of sales and business development success and experience in the areas of management consulting, managed security services, professional services and security technologies. John was most recently the Vice President of Sales & Business Development at Trusted Knight, where he was responsible for pre-sales, sales, client management/development, marketing and product management support. Prior to TK, John built and led sales and business development at Cigital (Application/Software Security), Infoedge (Management & Security Consulting) and Trustwave (MSSP, AppSec, Compliance, ProSvcs).