In the past, we’ve covered data security issues in sectors like manufacturing, higher education, and healthcare. Today, we’re taking a closer look at the data security landscape in the legal sector.
Although they may not seem like a major target for cybercrime, law firms attract a high number of cyberattacks. A 2022 Forbes study reveals that the insurance/legal sector saw 636 weekly attacks in 2022, a 68% annual increase. And a 2023 cybersecurity report from the American Bar Association indicates that 27% of law firms have reported a security breach within the past year.
A new report from the UK’s National Cyber Security Centre (NCSC) on cyberthreats in the legal sector noted significant consequences of these attacks, including multi-million pound losses and dark web sales of data from dozens of court cases. In the face of these attacks, legal organizations must educate themselves on the top threats and best security solutions.
Legal organizations are chosen by cyberattackers for a variety of reasons, but the key one is that they present a valuable target. Legal practices:
Given how valuable a target these legal practices are, it’s imperative that they implement strong data privacy and security measures. And that begins with understanding the specific threats they’re facing.
Phishing is one of the most common workplace data security threats, and it’s being aided by AI technologies that make attacks more sophisticated. Phishing is also one of the most common threats for law companies, as a successful attempt can give attackers access to sensitive client documents like financial records and contracts.
The NCSC's report on the legal sector outlines one common phishing scheme for law firms: Criminals monitor LinkedIn to identify new hires, and then send a scam email to the organization’s HR department in an attempt to change payroll information and steal paychecks. The report also notes the prevalence of business email compromise (BEC), a carefully crafted form of phishing that tries to trick senior executives into transferring funds or revealing sensitive information.
Ransomware attacks have emerged as another major concern in the legal sector, targeting law firms and institutions with significant consequences. A successful ransomware attack can disrupt operations, threaten client confidentiality, compromise legal strategies, and lead to a complete operational standstill.
For example, one notable 2020 incident encrypted both case data and data backups, making a number of IT systems unavailable to the British law firm that was targeted. The attackers also managed to exfiltrate highly personal data about victims and witnesses from 60 court cases and publish it on the dark web. In addition to the major reputational damage the firm suffered from the attack, it was ordered to pay over $100,000 in fines for insufficient data protection.
Sectors like manufacturing and commercial software may come to mind when supply chain attacks are mentioned, but legal companies are also surprisingly vulnerable. That’s because it’s common for many law firms to outsource their IT and data security operations to third parties — and because law firms’ proximity to corporate clients makes them an attractive target for nation-state cybercriminals. It’s such a common problem that the NCSC now offers training in supply chain mapping to companies that need to strengthen their cybersecurity practices.
Insider threats — both malicious and unintentional — are a risk for nearly every sector. However, insider threats at law firms can be particularly severe, as they expose data including client medical histories, financial records, trade secrets, witness testimonies, and much more.
Insider threats at law companies are also surprisingly common. According to a 2022 study, 68% of UK data breaches in the legal sector are caused by known parties. The majority of these incidents are unintentional, with 54% caused by human error and another 10% attributed to the loss or theft of data.
Regardless of their cause, though, insider threats can change the outcome of court cases and result in major financial and reputational damage to law firms.
So-called “Friday afternoon fraud,” also known as payment diversion fraud, happens when a criminal impersonates a property lawyer’s email and provides fake bank account details to homebuyers. The attacker typically hacks the property lawyer’s email account in order to carry out the scam and redirect funds.
Friday afternoon fraud can take place on any day of the week, but attackers typically choose Fridays to avoid immediate detection. It's a common type of attack: one insurance company reported $109 million in claims from this type of fraud in just 18 months.
While the immediate repercussions of Friday afternoon fraud fall on the homebuyer, law firms are also impacted. Lost commissions and a lack of customer trust can significantly damage firms whose email accounts are hacked.
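As an added example (not from the original post and not ShardSecure code), here is a defender-side triage check for the two email-fraud patterns described above: the payroll-change request sent to HR after a new hire, and payment-diversion mail carrying "new bank details". The firm domain, staff directory and sample messages are constructed placeholders; a real deployment would use the firm's own directory.

```python
from __future__ import annotations
import re
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"  # assumed firm domain (constructed)
# Constructed staff directory: lower-cased display name -> real address.
STAFF = {"alice conveyancer": "alice@example-law.test",
         "bob hr": "bob@example-law.test"}

# Wording typical of a request to change where money is sent.
CHANGE_REQUEST = re.compile(
    r"\b(new|updated?|changed?|different)\b.{0,40}\b(bank|account|sort code|iban|payroll|direct deposit)\b",
    re.IGNORECASE | re.DOTALL)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, reply_to: str, subject: str, body: str) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Score 0 means the mail asks for no payment change."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not CHANGE_REQUEST.search(subject + "\n" + body):
        return 0, []
    score, reasons = 1, ["asks to change bank or payroll details"]
    # Display name matches a colleague, but the address is not that colleague's.
    real = STAFF.get(name.strip().lower())
    if real and real != addr.lower():
        score += 3
        reasons.append("display name impersonates staff")
    # A Reply-To on another domain diverts the conversation away from the visible sender.
    rdomain = parseaddr(reply_to)[1].rpartition("@")[2].lower() if reply_to else domain
    if rdomain != domain:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    # A domain one edit away from the firm's own is a classic lookalike.
    if domain != FIRM_DOMAIN and edit_distance(domain, FIRM_DOMAIN) <= 1:
        score += 3
        reasons.append("lookalike domain")
    return score, reasons
```

A high score is a cue to verify the request out of band (for example by phone, using a number already on file), not a blocking decision on its own.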
With cyberthreats on the rise and highly sensitive client information at stake, legal organizations must prioritize data privacy and security as an ongoing commitment. Here are a few of the ways that law firms can begin investing in a robust data protection strategy.
Perform comprehensive risk assessments. An effective assessment will include evaluating the types of data your organization processes, the systems it uses, and the potential points of entry for unauthorized users. Regular monitoring and audits will help keep these assessments updated.
Adopt strong access controls. Access controls are critical to prevent unauthorized access to sensitive data. Strict password policies, multi-factor authentication (MFA), and other measures should be in place for both employees and third-party vendors.
Establish an incident response plan. The right plan can help guide a law firm’s actions in the event of a data breach or security incident. As part of these incident response plans, legal organizations should assign roles and responsibilities, establish notification protocols, and develop processes to minimize the impact of a breach, cyberattack, disaster, or other disruption.
Train and educate staff. Human error remains one of the leading causes of data breaches. Regular training sessions can help educate everyone from paralegals to C-suite executives about data security best practices, including identifying phishing emails, avoiding suspicious websites, and following rules for compliance.
Implement file-level encryption. Data encryption is a fundamental practice to protect sensitive information, including under-protected unstructured data. The right solution will render information unintelligible and useless to unauthorized users. It will also avoid the pitfalls of legacy software, which can introduce significant performance drawbacks and require difficult-to-manage endpoint agents.
ShardSecure offers agentless file-level encryption that introduces no performance drawbacks. Our technology provides advanced data security and privacy for sensitive data in on-prem, cloud, and multi- and hybrid-cloud architectures.
The ShardSecure platform helps businesses in the legal sector keep their sensitive client data secure from unauthorized access — be it by an accidental recipient of the wrong email, a third-party IT vendor, or a malicious actor. We also support robust data resilience, with the ability to reconstruct data that’s been encrypted by a ransomware attack without downtime. To learn more about our technology, take a look at our white paper or visit our resources page.
Cyberattacks on Law Firms Are up Sharply | The Florida Bar
Legal Firms Urged To Strengthen Cyber Defences With Latest Guidance From Experts | NCSC
Cyber Threat Report: UK Legal Sector | NCSC
Firm Fined Almost £100,000 Over Ransomware Attack | Law Gazette
The Most Common Cyber Attacks Targeting the Legal Industry | Legaltech News
68% of Legal Sector Data Breaches Caused by Insider Threats | Infosecurity Magazine
Cybersecurity for Law Firms: What Legal Professionals Should Know | American Bar Association