
Why are law firms becoming victims of cyberattacks?
Law firms are easy targets as they have data regarding multiple companies, individuals and entities housed in a single database. In essence, this makes law firms a “one-stop shop” for cybercriminals, since they can obtain the desired data on multiple companies with a single breach.
In 2023, the American Bar Association updated its Cyber Security TechReport (TechReport), which highlights the importance of lawyers being able to recognize phishing emails, having a cyber incident response plan, regularly conducting a full security assessment to protect against cyber-attacks, and using a password management tool. The TechReport was a compilation of other surveys, including the 2023 Legal Technology Survey Report (ABA Survey).
As expected, artificial intelligence (AI) was a primary topic of the TechReport, since it has been over a year since ChatGPT became publicly available. AI is increasingly used both in cyber defense systems and by bad actors, especially to create very effective phishing emails.
The 2023 ABA Survey asked respondents, “Has your firm ever experienced a security breach (e.g. lost/stolen computer or smartphone, hacker, break-in, website exploit)?” 29% of respondents answered in the affirmative.
Cyber criminals seem to dream up new methods to attack every minute. So, what should law firms focus on to prevent a breach?
Tools for Avoiding a Cyber Attack
- Recognize phishing emails
- Create a cyber incident response plan
- Conduct a full security assessment
- Use a password management tool
Phishing Emails
Phishing emails are one of the most common methods used by cyber criminals to gain access to sensitive information or financial accounts. Usually, these emails appear to be from a trusted source, and include a link or attachment that, once clicked, can install malware or capture login credentials.
According to the ABA Survey, “97 percent of users cannot recognize a sophisticated phishing email.” Being able to recognize and avoid phishing emails is critical to protecting a law firm’s sensitive information. The ABA Survey found that “75% of all respondents reported having some type of training available at their firm.”
How to spot a phishing email
- Email addresses that look legitimate but have some additional letters in them
- Spelling errors and/or typos in the body of the email
- Urgency — this is a scare tactic to trick you into taking immediate action
- A link that does not match the text — always check first by hovering over a link to make sure it matches the text
Cyber Incident Response Plan
In addition to recognizing and avoiding phishing emails, it is imperative for law firms to have a cyber incident response plan in place. A cyber incident response plan outlines the steps to be taken in the event of a cyber-attack or data breach, including:
- identifying and containing the incident
- preserving evidence
- notifying affected parties
The ABA Survey found that “only 34% of respondents had a written incident response plan in place, indicating that many law firms may be unprepared to respond to a cyber-attack.” This percentage was a big downturn from the previous year!
Full Security Assessment
Law firms should conduct a full security assessment to identify potential vulnerabilities and areas for improvement. A security assessment can include:
- a review of the firm’s network infrastructure, software and hardware configurations
- employee security awareness and training
The ABA Survey found that only 29% of respondents had a security assessment conducted by a third party in the past year. This was also a decrease from the previous year.
Law firms should regularly reach out to a third-party security firm to have a fresh look into potential weaknesses. A third-party assessment will provide an objective and comprehensive evaluation of the firm’s security.
The ABA Survey stated that cyber insurance providers often require a full security assessment before giving companies a quote or even agreeing to bind or renew coverage.
Password Management
Password management tools create unique, lengthy, and complicated passwords that do not mean anything to anyone, and then fill in those passwords for you when you need to log in to any system. You only need to remember one password for the password management tool, and it remembers the rest! Reused or easy-to-remember passwords create easy access holes in even the best security systems.
The ABA Survey states, “While we are moving more towards “passwordless” access (e.g. Passkeys), passwords will still be around for the next several years. Since passwords will be with us for some time, we’ll need to practice good password hygiene. This means no weak passwords and having a unique password for each login. In other words, NO password reuse. One tool to help with password management is a password manager.”
Only 33% of survey respondents stated that they use a password management tool, which was a slight increase from 2022.
In conclusion, the ABA Survey highlights the importance of recognizing phishing emails, having a cyber incident response plan, conducting a full security assessment, and using a password management tool to protect law firms from cyber-attacks. The Survey notes that there has been a tremendous increase in breaches at law firms over the past year, and that class action lawsuits against the firms are resulting from these breaches.
Law firms need to implement training and awareness programs to educate their employees on how to identify and avoid phishing emails. They also need to have a cyber incident response plan in place to minimize the impact of a cyber-attack, and to conduct regular security assessments to identify potential vulnerabilities and areas for improvement. Thanks to AI, cyber-attacks have become much more sophisticated, making ongoing training even more important. Constant vigilance is required to keep data systems protected.