Four of five corporate law firms in a recent survey by the Texas Lawbook reported a cyber incident or data breach in the prior two years. Furthermore, 90% of those surveyed reported that one or more of their vendors had experienced a breach. These statistics demonstrate that law firms—and their professional service providers—are in the crosshairs of bad actors.
Law firms have access to vast amounts of sensitive data, so it’s not surprising that they attract the attention of cybercriminals, hacktivists, and nation-states. In fact, the FBI has referred to law firms as “one-stop shops” because of the confidential data they possess on a broad range of clients.
Bad actors stand to benefit significantly from accessing such data. For example, if a firm possesses information on a merger between publicly traded companies, cybercriminals could use that data to purchase stock in anticipation of a bump in the share price once the merger becomes public knowledge. Hacktivists might also try to steal the data and share it as a means of derailing the merger, while a nation-state might use the information to help a state-owned company compete in the global marketplace. In addition to these complex forms of cybercrime, law firms more commonly fall victim to typical cyberattacks, such as business email compromise and ransomware.
In one infamous example, multinational law firm DLA Piper had its operations derailed by a NotPetya malware attack in 2017. An administrator in the firm’s Ukraine office clicked on a seemingly innocuous accounting software update link and the malware locked up tall company data. Within 20 minutes the firm’s entire communications systems were shut down and it took more than a week to get their email servers back online. Today, DLA Piper is trying without success to get compensation from its insurer for the 15,000 overtime hours it took its IT staff to remediate the crisis.
A Problem Exacerbated by a Skill Shortage
And yet, despite an increasingly hostile threat landscape, law firms dedicate few resources to security, a recent study by the International Legal Technology Association found. For example, a law firm with over 700 employees typically dedicates an average of 4.32 full-time positions to security—inadequate to prevent and respond to cyberthreats. And for a firm with fewer than 50 employees, that number plummets to an average of just 0.6 full-time positions.
To complicate matters further, the threat surface continues to grow exponentially because of new technology platforms adopted to meet client expectations.
SOC-as-a-Service: A Force Multiplier
For law firms, managed detection and response (MDR) services could play a crucial role in mitigating threats and ensuring compliance. According to a recent report from Gartner, MDR services can provide organizations with around-the-clock threat monitoring, detection, and response capabilities via an outcome-oriented approach. Given the threats that law firms face, a security operations center (SOC) staffed with dedicated response experts is no luxury, but essential. Yet for many legal IT teams, a SOC—whether built in-house or managed by a third-party provider—offers them much-needed assistance.
According to the report, dedicated response experts can help organizations undertake the following:
- Validate potential incidents
- Assemble the appropriate context
- Investigate the scope and severity of the incident
- Provide actionable advice about the threat
- Initiate actions to remotely disrupt and contain it
Gartner recommends that enterprises in the process of implementing an SOC should “leverage MDR services to accelerate threat detection, and in some cases [focus] just on targeted and advanced threats, while their SOC is being implemented and as it matures.” The authors suggest that this approach could ensure that the SOC operates at a “greater maturity level in months, rather than years.”
The Bottom Line
Law firms are a target for a broad range of bad actors, and they are understaffed to deal with evolving cybersecurity threats.
A SOC-as-a-service provider can help law firms bridge the gap between their security team’s capabilities and the expertise needed to counter increasingly complex threats.