In March of this year, President Biden released a statement advising businesses to heed a warning regarding potential cyber-attacks. Strains in international relations have raised concerns among Americans as foreign hackers are expected to target the sensitive, valuable information of a wide range of businesses and organizations. Due to the nature of their work, legal professionals are particularly susceptible to costly and dangerous cyber threats.
The most common misconception about cybersecurity is that any one business or industry is immune. Hackers are agnostic about whose computer system they invade, regardless of the organization’s size, IT team diligence, revenue or even password practices. Their focus is on finding opportunity rather than on a limited field of targets. And law firms present many opportunities.
It’s difficult to forecast what information a hacker might look for or how they will use it, because often hacks are not limited solely to financial data.
As reported by The Hill, New York law firm Grubman, Shire, Meiselas & Sacks experienced a ransomware attack that exposed the information of several high-profile clients in 2020. The REvil Group, an international cybercriminal organization, demanded a ransom of $42 million. When the firm did not pay, REvil Group posted sensitive client information online. As of this writing, some of that data remains open to the public.
In April of this year, Law.com reported New Jersey’s McCarter & English was the victim of a breach that shut down their remote work systems and employee email access. While the full extent of the April breach is not known, even rumors of a cybersecurity breach can cause irreversible reputational damage to a law firm.
As more law firms fall victim to cyberattacks, the question of how to create a strong cyber defense becomes paramount. Three proactive steps can help mitigate the risk:
- Build an IT defense: A strong IT department may not make a firm immune to hackers, but it is critical to preventing, not to mention quickly assessing, a cyber-attack. A firm’s IT system should be built on a secure framework specific to the organization’s needs. Outsourced IT consultants can help you get started, but IT needs to be maintained to be effective. Firms should consider investing in their IT department, running tabletop cybersecurity exercises, having a practical plan in place in the event of an attack and making sure everyone in the firm understands how to follow that plan.
- Recruit the masses: Any organization is only as secure as its least trained employee when it comes to preventing cyber threats. Hackers will target anyone, from the receptionist to the managing partner, in an effort to access a law firm’s systems. Every employee should be trained to spot a potential cyberattack and know what to do if they suspect they may have been targeted.
- Keep insurance updated: Cybercriminals are innovating every day. Law firms need to make sure their insurance policies keep pace to meet these new threats. If a firm does not have cyber insurance, policy options should be explored as soon as possible. If a firm does have cyber coverage, the policy should be reviewed at least annually. Assessments of the firm’s technology and its vulnerabilities should be part of regular discussions with the firm’s insurance agent or broker to ensure the coverage provided is the coverage needed.
Cybercriminals are the new boogeymen for businesses, including law firms. The best defense is preparation. There is no telling when, how or even if a cyberattack might happen, but with a proper IT defense, trained employees and a plan of action, law firms can protect their businesses, their reputations and their clients.