Panama Papers Fallout: What If Your Lawyer Gets Hacked?
As the latest wave of high-profile breaches shows, all the sensitive information law firms handle makes them attractive cyberattack targets. Here's what can happen and what you should do about it.
Data Products: 9 Best Practices To Minimize Risk
(Click image for larger view and slideshow.)
Your company has likely spent a lot of time, effort, and money keeping its security systems, policies, and practices up to date. Can the same be said of your law firm?
The legal industry isn't exactly known for its technology leadership, which should be of concern, especially from a security perspective. Don't assume that your data is safe, in other words. Be prepared to do your own due diligence.
"Law firms retain a lot of sensitive corporate data that would be extremely valuable to hackers or outside parties. In particular, hackers are interested in corporate legal information, intellectual property from their clients, information on directors and officers of corporate clients, settlement terms, and more," said Jacob Olcott, the former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security committee, and current VP at Bitsight Technologies, in an interview.
"Since law firms often deal with highly sensitive information, they are a clear target for hackers trying to earn money on the black market. In addition, hacktivists may be interested in the information held by a law firm for political purposes."
Recent high-profile breaches are an example. In March 2016, American Lawyer reported that two of America's most prestigious M&A law firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges, had been hacked for insider trading purposes. Cravath was the only firm to comment publicly on the matter.
In April 2016, Panamanian firm Mossack Fonseca admitted it had been hacked. A hacktivist reportedly leaked 11.5 million documents, totaling 2.6 terabytes of data, to German newspaper Süddeutsche Zeitung. The trove is collectively called the Panama Papers. These documents reveal details about shell companies, their high-profile owners, and parties that helped them evade taxes and remain anonymous. However, as always, the stories making headlines are few and far between. No company, including a law firm, wants to advertise its vulnerability.
"Many top law firms have pretty good structural security. However, they drop the ball in two places: They use less sophisticated local counsel and give them sensitive documents, and they don't put sufficient checks on their people," said Jay Edelson, founder and CEO at law firm Edelson PC, in an interview.
The actual scope of attacks is difficult to gauge. For example, in its 2015 Annual Security Report, Cisco named the legal industry No. 7 in its list of top 10 company types at risk for Web malware infections. According to an American Bar Association (ABA) 2015 Legal Technology Survey Report, 15% of the 880 lawyer respondents said their firms had experienced a security breach, and 23% of them said they didn't know if they had. More than four in ten (42%) said their computers had been affected by a virus, while 23% said they didn't know. The larger the law firm, the greater the increase in breaches.
"Law firms represent a critical component of most companies' supply chain[s]," said BitSight's Olcott. "Most companies are focused on managing the cyber risk of their supply chain, and one of the first organizations they start with is their law firm."
Popular Attack Vectors
Social engineering and phishing top the list of popular attack vectors facing law firms, because they are effective and often not obvious until it's too late.
"All the technology in the world can't protect you from employees who click on things they shouldn't. And in their defense, attackers now do a lot more advanced reconnaissance. They write well-crafted emails that look legitimate and even reference current cases obtained from public record filings and [the] attorneys of record," said Sharon Nelson, an attorney and president of digital forensics, information technology, and information security company Sensei Enterprises.
According to the ABA Journal, most major law firms have been breached. When a breach occurs, it isn't discovered for eight or nine months. In some cases, firms remain unaware of a breach until the FBI brings it to their attention.
"The biggest threat currently appears to be financially motivated criminal hackers. Many recent attacks appear linked to Eastern European organized crime syndicates," said Jason Straight, an attorney, senior VP of cyber risk solutions, and chief privacy officer at legal and business services provider UnitedLex, in an interview. "Nation states [and] organized crime networks [are] looking to engage in insider trading, front-running, extortion, or blackmail. Business rivals [are] looking for competitive intel, [and] even activists with an ax to grind [are looking]."
Social engineering and phishing can be particularly problematic because employees may not be trained to recognize their characteristics.
"Because many federal and state courts are now working with electronic filing and other types of court records, it's especially important that lawyers not just open something appearing to be from a court without knowing it is definitely related to a matter and that they have validated the sender," said Ann Singer Keating, CEO of data security solution provider Reclamere.
Of course there are the usual vulnerabilities that generally plague businesses, such as failing to update and patch software, update antivirus software, do penetration tests and regular audits, train employees
Page 2: Steps you can take to protect yourself
Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Cybersecurity Strategies for the Digital EraAt its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.