There are over 4,000 cyber attacks every day. That’s 170 attacks every hour, or nearly three attacks every minute. That alone is a scary thought for anyone running a business, but for law firms whose currency is built on the inherent trust they receive from clients, it is especially troubling. Yet, most firms do not even know they have been compromised when an attack occurs. By the time firms have realized a breach has happened, significant damage has already been done and most are not sure where to turn to for help.
Law firms today are increasingly being targeted for the sensitive information, trade secrets and client data that they hold for companies and organizations of all sizes. As cyber criminals become ever more sophisticated and efficient, firms are repeatedly being targeted for the valuable information they hold. In fact, at least 80 of the 100 biggest law firms in the country, by revenue, have been hacked since 2011 and the 2015 Legal Technology Survey Report from the American Bar Association found that 15 percent of firms have been the victims of a breach.
The cost is substantial too. According to the recently released 2016 Ponemon Cost of Data Breach Study, the total average organizational cost of a data breach has reached a new high—$7.01 million. A breach now costs organizations an average of $221 per compromised record. For large firms, this is still a burden, but for smaller firms, a cyber attack could threaten the core of their business from the sheer cost of the attack alone.
But, the cost to a firm does not just include the monetary impact of a breach. A firm’s reputation is also at stake. Confidentiality and trust are the cornerstones of the legal profession. Whether it is client details, lead generation, case specifics or firm correspondence—stakeholders put their trust in their legal counsel and expect their information and shared confidences to be protected by their attorney and, by extension, the firm’s technological infrastructure.
Large firms are not the only firms that are being besieged. Smaller firms are just as much targets as larger firms and it is just as important that they also have cyber security protections in place. Cyber criminals may actually see smaller firms as an easier target because they lack the infrastructure to prevent and respond to a cyber attack. The ABA’s 2015 Legal Technology Survey Report actually found that firms with 10 to 49 attorneys were most often infiltrated by malware and other tools used by cyber criminals. Solo practitioners and boutique firms followed closely behind these smaller firms with two to nine attorneys. Over 43 percent of these types of firms reported a breach and that rate was at 52 percent for firms with 10 to 49 attorneys.
Regardless of size, law firms are starting to wake up to the dangers of cyber attacks as their prevalence increases, but there is a lack of understanding over what protections to put in place. Enterprise solutions do not work for smaller firms and existing solutions are expensive, complicated and require high technical skill. These options may be ideal for large firms, but small firms need solutions that fit within their means. In this void, consumer antivirus is pervasive. Often, firms assume server protections for data centers and endpoint security provide sufficient protection. While they do protect parts of the IT infrastructure, their scope is limited. These products fail to adequately protect websites and web applications from external threats. The face of a law firm is its website. With cyber attacks on the rise, complete security measures, including website protection, have never been more important. But, this is an often-overlooked entry point that cyber criminals will exploit to infiltrate a firm’s network.
With such significant risks to firms, fortunately there are ways to prevent future attacks and mitigate them if and when they occur.
Utilize security experts
Firms should consult with outside security partners who can help protect all entry points from breach, including web applications, servers and endpoints. In most cases, it will take more than one partner to fully protect against an attack, as solutions are focused and limited in scope. It takes multiple pieces to complete the security puzzle of full protection that ensures solutions are in place to protect all possible entry points.
Protect your infrastructure like you protect clients
You spend significant capital on hiring top talent to provide clients with the best possible counsel. Ensure you are helping your talent succeed by protecting your firm against outside attacks. Every attorney knows the importance of information sharing between client and counsel, so ensure that privilege is protected by fortifying where that information is stored.
Having multiple partners who can secure your network and systems from outside attack is crucial. In addition to these partners, all employees should practice good cyber security hygiene by frequently changing passwords, utilizing different passwords for different systems and keeping the most sensitive information off the cloud, among other measures.
Have a response plan
Even with the best protection in place, breaches can happen. Cyber criminals are constantly innovating new ways to infiltrate systems, so it’s important to have a security partner that evolves rapidly to meet these ever-changing demands. But, it’s just as crucial to have a plan to address an attack when it happens. Yet, when surveyed by the American Bar Association, 47 percent of attorneys said their firms have no plan in place should a breach occur. Notify your security partners immediately if you suspect a breach has occurred so they can begin to investigate and mitigate the problem. Then, take steps to minimize the amount of data that can be accessed. Lastly, prepare for how to communicate the breach to your clients and future prospects.
Cyber criminals are smart and getting smarter, but it is possible to thwart them as long as you have the right pieces in place. Don’t let criminals exploit weaknesses and unprotected entry points to breach your network. Instead of letting criminals infiltrate your systems, have a strong defense and serve them with proper protection.