Law firms are a one-stop-shop for cyber criminals – not only can they get their hands on large financial transactions, but there’s plenty of sensitive, highly valuable client information to be had too. Protecting this confidential information is paramount to law firms keeping their reputation – and the reputations of their clients – intact.
Confidentiality is at the heart of the legal sector, with individuals and businesses alike placing their trust in law firms to transact securely and discreetly on their behalf. A breach of this trust can mean the end of the road for a law firm – just look at Mossack Fonseca, the firm that lost 11.5 million documents (2.6TB of data) in a 2016 breach dubbed the ‘Panama Papers’, due to weaknesses in their client portal which hadn’t been updated [1]. The sensitive information in those documents about wealthy, famous, and public office clients was exposed to the press. Mossack Fonseca never recovered from the massive reputational damage caused by the breach, and was forced to close.
Law firms’ reliance on digitised information makes them particularly vulnerable to data breaches. They are accustomed to taking instruction and conducting transactions almost exclusively via email, including the transfer of extensive amounts of confidential, personal, and financial information. The constant movement of this information increases the risk of exposure.
The press loves a scandal
The affairs of high net worth individuals are temptingly lucrative targets for cyber criminals. Secrets and scandals sell newspapers. The 2017 ‘Paradise Papers’ scandal saw 13.4 million files leaked to the International Consortium of Investigative Journalists. The documents were stolen from Appleby, a major offshore law firm based in Bermuda that “specialises in advising some of the world’s wealthiest individuals” [2]. The files showed the multitude of ways companies and affluent individuals avoid tax, and included names and financial information [3]. Needless to say, the press had a field day.
It’s not just the rich and famous who are at risk of having their confidential information stolen. Enlisting the services of a law firm normally involves sharing a small library of personal information which, in the wrong hands, could easily lead to identity theft and fraud. Clients’ names, addresses, dates of birth, financial records, and sometimes medical information are all held by law firms, and usually transferred by email.
Law firms need to be particularly careful with this level of sensitive personal information, not least because of the further crimes it could be used for if stolen. The introduction of the GDPR in 2018 has already seen eye-watering fines making the headlines for Marriott and BA. Any breach of personal information must be reported, and fines are levied against the company that held the data for not adequately protecting it.
“The loss of client information can have a devastating impact on a sector that has confidentiality at the heart of its business” [4]
Are you the weakest link?
Law firms are privy to some of the world’s most sought-after business secrets, through their contracts and transactions with multinational businesses. State-sponsored attacks are a daily occurrence against these businesses, targeting their top secret IP to gain a commercial advantage. Can you guarantee to protect your clients’ confidential business information from some of the most powerful people in the world?
Cyber criminals are sometimes much more subtle in their approach than targeting the big fish straightaway. Smaller law firms are more likely to outsource certain services to external suppliers, especially for large contracts – these third party systems can provide an easy route in for cyber criminals if they’re not sufficiently secure. All it takes is one poorly protected link in the supply chain to expose sensitive data and privileged information. You need to be able to demonstrate that your law firm can protect all client information you deal with, both up and down the supply chain.
What can be done?
Law firms are required to go through rigorous checks and certifications to transact as a law firm, which engenders implicit trust that the firm clients are dealing with is legitimate and secure. Clients don’t expect that such a pillar of security can be spoofed and compromised by cyber criminals. Make sure you can keep hold of the secrets your clients entrust you with.
The potential cost of a data breach – including malpractice suits, significant loss of business, and hefty GDPR fines – is substantially more than the cost of implementing preventative measures. Ensure your law firm’s cyber security strategy includes proactive detection methods that flag non-compliance and potential data breaches before they can occur. CORVID Email Protection’s CC checker, for example, scans all outbound emails to identify if multiple email addresses have been entered into the CC field, which could constitute a GDPR breach. If such an event is detected, the email is quarantined to prevent the breach, and the IT admin notified.
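The CC check described above is a simple outbound data-loss-prevention rule. The following Python is an added illustration of how such a rule works, not CORVID's own code: it parses an outbound message, counts the distinct addresses in the Cc header, and returns a quarantine verdict plus an admin notification record when more than one recipient would be disclosed. The sample messages, the `example-law.test` and `mail.test` domains, and the optional exemption for the firm's own internal domain are all constructed assumptions for the example.

```python
"""Outbound-email CC check (illustrative, not a vendor implementation).

One mistyped Cc can disclose every client's address to every other
recipient, which is a reportable personal-data breach under the GDPR.
The check below inspects the Cc header before the message leaves the
firm and quarantines it if more than `max_cc` addresses are present.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List, Optional


@dataclass
class Verdict:
    action: str      # "deliver" or "quarantine"
    cc_count: int    # distinct addresses found in Cc
    reason: str


def cc_addresses(msg: Message) -> List[str]:
    """Return the distinct, lower-cased addresses across all Cc headers.

    get_all() covers repeated Cc headers; getaddresses() splits
    comma-separated, display-name-wrapped entries such as
    'Client Two <client-two@mail.test>, client-three@mail.test'.
    """
    seen: List[str] = []
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def check_outbound(raw_message: str, max_cc: int = 1,
                   internal_domain: Optional[str] = None) -> Verdict:
    """Apply the CC policy to one outbound message.

    internal_domain (assumption): colleagues at the firm's own domain
    do not count towards the limit, since copying them discloses
    nothing to outside parties.
    """
    msg = message_from_string(raw_message)
    ccs = cc_addresses(msg)
    counted = [a for a in ccs
               if internal_domain is None
               or not a.endswith("@" + internal_domain.lower())]
    if len(counted) > max_cc:
        return Verdict("quarantine", len(ccs),
                       f"{len(counted)} external addresses in Cc (limit {max_cc})")
    return Verdict("deliver", len(ccs), "Cc within policy")


def quarantine_record(raw_message: str, verdict: Verdict) -> Dict[str, str]:
    """Build the record an admin would be notified with when a message is held."""
    msg = message_from_string(raw_message)
    return {
        "message_id": msg.get("Message-ID", "<missing>"),
        "sender": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "reason": verdict.reason,
    }


# Constructed sample messages; all addresses and domains are fictitious.
SAMPLE_MULTI_CC = """From: fee-earner@example-law.test
To: client-one@mail.test
Cc: Client Two <client-two@mail.test>, client-three@mail.test
Subject: Completion statement
Message-ID: <constructed-001@example-law.test>

Please find the completion statement attached.
"""

SAMPLE_INTERNAL_CC = """From: fee-earner@example-law.test
To: client-one@mail.test
Cc: partner@example-law.test
Cc: client-two@mail.test
Subject: Draft contract
Message-ID: <constructed-002@example-law.test>

Draft attached for review.
"""

SAMPLE_BCC = """From: fee-earner@example-law.test
To: fee-earner@example-law.test
Bcc: client-one@mail.test, client-two@mail.test
Subject: Newsletter
Message-ID: <constructed-003@example-law.test>

Quarterly update.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MULTI_CC, SAMPLE_INTERNAL_CC, SAMPLE_BCC):
        v = check_outbound(raw, internal_domain="example-law.test")
        print(v.action, v.cc_count, v.reason)
        if v.action == "quarantine":
            print("  notify admin:", quarantine_record(raw, v))
```

The same two-recipient Cc yields a different verdict depending on whether the firm's own domain is exempted, which is why the domain list is a policy input rather than hard-coded; the Bcc sample passes because blind-copying is the correct way to reach several clients at once without disclosing their addresses to each other.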
CORVID Managed Detection and Response proactively hunts for tell-tale signs of malicious activity within your IT estate, so cyber criminals attempting to harvest and exfiltrate data are stopped and removed before they can cause a breach.
If a data breach does occur, your firm needs to be able to prove compliance with strict data protection regulations, by confidently and accurately reporting exactly what information was accessed, who accessed it, and whether the data was exfiltrated from your systems. Our Managed Detection and Response solution articulates clear and detailed answers to the four key questions:
- How and where did the security breach take place?
- What information was accessed?
- How can you recover your systems quickly?
- How do you prevent it from happening again?
This comprehensive response enables you to complete your report to the ICO in full. We are also able to positively confirm no reportable incident on your behalf, giving reassurance to your clients and stakeholders that your systems are secure.
Email is the single biggest attack vector, yet Legal Security Forum reported that “only 16% of the top 95 law firms in the UK have sufficient measures in place to fully protect against email fraud” [5].
The information on your law firm’s website is making it easy for cyber criminals to impersonate you via email, which makes requests for sensitive data and privileged information more credible and therefore more likely to succeed. Download our free PDF guide on the three ways the information on your website is making it easy for attackers, to understand how to better protect your firm from these reputation-ruining attacks.
Find out more about how CORVID can benefit the legal sector.
References
- [1] 'The cyber threat to UK legal sector', 2018 report
- [2] 'Law Firm Data Breach Could Be Panama Papers 2.0'
- [3] 'Paradise Papers – Tax havens: What are the Paradise Papers and what do they tell us?'
- [4] 'The cyber threat to UK legal sector', 2018 report
- [5] 'New research shows 84% of UK law firms still vulnerable to email fraud – cyber attacks remain the biggest threat to a £26 billion industry'