Why are hackers targeting law firms and how vulnerable are they?

Our previous article described how the UK government launched the Cyber Essentials Scheme, designed to protect organisations and businesses from cybercrime. The plan aims to protect company data as well as indemnify against common threats and greatly mitigate the risk of cyber-attacks across a multitude of industries. In this regard, one of the areas that is particularly vulnerable is the legal sector. Cybercrime was first recognised as a general threat to law firms in 2014; five years later, it is now seen as a major risk. Yet, in spite of the threats, law firms have been slow to adapt.

What’s worse is that in most cases, law firms aren’t even aware of breaches because they don’t have updated cybersecurity policies and training in place. This is especially alarming because cybercriminals take advantage of the opportunities presented by the exponential growth in the use of technology, specifically within the legal profession.

Why law firms?

Law firms are easy targets for cybercriminals because the legal community generally lags behind in the adoption of new technologies. In the UK, cybersecurity regulators and crime prevention agencies revealed that law firms have been the victims of everything from phishing attacks to data breaches, and ransomware or supply chain attacks. In a recent report, Teiss detailed how law firms lost more than £11 million of client money to cybercriminals between 2016 and 2017.

Other breaches included over one million stolen email addresses belonging to the top 500 law firms, including 80,000 sensitive credentials from Magic Circle firms. These were found dumped on the Dark Web after employees posted their email addresses on compromising third-party sites. As many as 30,000 of the stolen emails belonged to a single firm. Email addresses, in general, could be used by cybercriminals to conduct phishing attacks to obtain confidential information. In other cases, like the WannaCry attack against the NHS last year, access to a company’s or firm’s servers could result in ransomware attacks, where data is taken hostage and a ransom is demanded for its release.

Across the pond, in the US, Medium reports that only 57% of law firms set aside a budget for technology. This is despite the fact that law firms all over the world maintain the most important and sensitive client information from corporations and governments. Special Counsel’s white paper on cybersecurity for law firms notes that there is a lack of the in-house technical skills necessary to combat cyber-attacks. This makes a law firm a one-stop shop for hackers who want to gain valuable business intellectual property, incriminating personal information, bank and financial documents, tax documents, and even patents that can damage a lot of industries and businesses once they fall into the wrong hands.

Meanwhile, in India, the legal framework has no adequate or even marginal cybersecurity provisions for assets outside of the national framework. To explain, the Information Technology Act of 2000 and its subsequent amendment in 2009 deal mainly with the destruction or incapacitation of an asset and its debilitating impact, specifically on national security, the economy, public health or safety. This leaves the Indian private sector outside the purview of the Act, as the large majority of private sector assets do not meet these criteria. Therefore, the majority of law firms and their assets are excluded in the event of cybersecurity breaches.

Leveraging a weakness

A data breach can damage a firm’s reputation, especially if it involves the exposure of confidential client information. In 2015 alone, a PwC study concluded that 62% of law firms in the UK reported a cyber-attack, with the majority of firms having reported a security incident in the past 12 months. This underscores the importance of cybersecurity solutions. After all, it’s every firm’s duty to look after its clients’ personal files and confidential data. Putting cybersecurity measures in place will not only save law firms a lot of money in the long run, but can also help improve their image and reputation.

This is a great opportunity for law firms to use the vulnerability of the industry to their advantage. They can distinguish themselves as a security-first legal service provider, setting them apart from all of the other firms in the market, by implementing effective security measures. Law firms that have efficient and reliable security measures online can serve as an asset to their clients; it’s a great competitive advantage. While cyber vulnerabilities are prevalent across all industries, it is how they are dealt with and quantified that is crucial for preventing them in the future.