Law360 (June 25, 2020, 6:17 PM EDT) --
Instead of zeroing in on the clients themselves or other tangentially related parties, threat actors see large law firms and private practices as a softer and easier way to access vital information. They could search through terabytes of data within a multibillion-dollar pharmaceutical company, for example, or gain access to the information at the legal firm representing that company.
The problem is that as attackers have become more sophisticated, many law firms have continued to be comfortable with outdated information technology policies.
This trend isn't particularly new. In fact, the problem became so bad that the FBI's New York City cyber division held a meeting in 2011 with representatives of the city's top 200 law firms because of increasing numbers of hacks, with an estimated 80 major law firm breaches that year alone. But it seems the latest firestorm of new breaches at law firms was around the 2016 election and political sphere, and breaches have continued to happen regularly ever since.
More recently, New York firm Grubman Shire Meiselas & Sacks PC — which represents high-profile clients such as Sir Elton John, Barbra Streisand, Lady Gaga, Madonna, Drake, Robert De Niro, LeBron James and Sony Corp. — last month became the victim of a $42 million ransomware attack after a group claimed to have stolen 756 gigabytes of private documents and correspondence.
Baker Wotring LLP and Law Offices of Hamilton & Naumes LLC were also recent victims of hacker group Maze, which has notoriously targeted the legal industry through ransomware attacks. Bangs McCullen, Lynn Jackson Shultz & Lebrun PC, and Costello Porter Hill Heisterkamp Bushnell & Carpenter LLP were also listed in January this year on one of the sites Maze uses to announce its targets.
A June report by the University of Toronto's Citizen Lab tracked a multiyear investigation into another hack-for-hire scheme that targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists and human rights defenders.
According to the report, major global law firms involved in high-profile public events or criminal cases were a "disproportionately represented" target for commercial espionage, including those "working on corporate litigation and financial services ... with targets in many countries including the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria."
And the culprits go beyond just a few sophisticated computer whizzes in their basements. Nation states with unlimited supplies of funding and time are using hacking to covertly steal IP to increase technological innovation and, ultimately, economic power. It's a pretty tough combination for firms to defend against regardless of their corporate footprint.
This is a global problem that's being met not with a collective shrug, but with a lackadaisical effort and a fundamental misunderstanding of security, accessibility and privacy threats. It isn't for lack of trying. While a 2016 study showed that two-thirds of respondents were comfortable with their firms' defenses against cyberattacks, a majority said most firms lacked basic best practices.
Law firms tend to be partnerships that don't invest in cybersecurity. Security teams at multinational firms have to attempt to do more with limited resources to protect both the firm and their clients. With the global spread of COVID-19 forcing large swaths of the population indoors and primarily online, cybercriminals will be able to exploit firms more easily now than ever before.
The risks remain great, but what can firms looking for an edge do to safeguard their treasure troves of privileged communications and client information? Here are some basic, but essential, precautions.
Invest in Advanced IT Systems
Research shows that a third of all data breaches start with a user being fooled by a phishing scam into providing credentials or personal information. The same attack vector applies to end users such as lawyers, who routinely accept and open files from people they don't know. It is, after all, part of their daily job to accept documents from prospective new clients and to establish cases.
All employees — especially remote workers amid the pandemic — should be educated on how to spot and thwart phishing and malware attacks on sensitive emails, texts and server destinations. They should also learn to distinguish between what data needs to be saved for long periods of time and what doesn't, while being able to properly secure and control where to store that sensitive information.
But training can only go so far. Technology is the important last mile in making sure sensitive data is secure from unauthorized access. The legal industry is, however, often slow to embrace new technology. Most large law firms are stuck between new and old — they run nearly all of their software on premises while most modern computing applications are in the cloud.
The next generation of lawyers is technologically savvy and demands modernization. This leaves under-resourced IT shops in a bind and exposed to adversaries. But, while the cost of modernization seems high, it is less expensive than the loss of reputation with cornerstone clients and the average of nearly $5 million that law firms may have to pay for every data breach.
Enable Multifactor Authentication
Moving away from email entirely is the safest bet, though such a move may not be practical for the nearly 4 billion worldwide email users. The next best thing is ensuring multifactor authentication.
Even in your personal life, obvious, weak or frequently reused passwords just don't cut it. Lawyers and their employees simply cannot be among the 65% of people that use the same password for multiple or all their accounts.
The best part about this step is that it's extremely easy to enforce. It's as simple as email or text verification or can get as seriously secure as fingerprint or face recognition, depending on the importance of the data being protected.
Implementing multifactor authentication for any work-from-home or in-office device adds extra layers of protection for data access, especially if passwords or other credentials are leaked in a data breach or successfully obtained through a phishing scheme.
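The article mentions email or text verification as the simplest second factor; the following added example (not code from the article or from Wickr) goes one step further and shows the authenticator-app form of the same idea, a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP), together with the server-side checks that make it hold up when a code is phished: a constant-time comparison, a tolerance of one clock step either way, and a refusal to accept a time step twice. The `TotpVerifier` name and the secret `b"12345678901234567890"` (the test secret published in the RFC) are assumptions of this example, not values from the article.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1: the code an
    authenticator app derives once the current time step becomes a counter."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the number of
    whole 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of the second factor (hypothetical helper).

    Accepts one step of clock drift either way, compares in constant time,
    and never accepts the same time step twice, so a code captured by a
    phishing page and replayed inside its 30-second window is rejected once
    the legitimate user has already used it."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1                     # replay guard

    def verify(self, code: str, now: int) -> bool:
        base = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_accepted_counter:
                continue                                    # already consumed
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 reference secret, not a real credential.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)
    print("code at t=59:", code)                            # 94287082 per RFC 6238
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 70))    # False: same step reused
```

The replay guard is what distinguishes a real second factor from a number the user types: a phished TOTP code is only useful to the attacker if it is submitted before the victim's own login consumes that time step, and the guard closes that window entirely once the victim has logged in. In production the secret is stored server-side per user and provisioned to the app once over a QR code; it is never sent again.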
Encrypt and Back Up All Data
When it comes to the most sensitive data and communications, law firms can avoid unauthorized access and breaches via the use of strong end-to-end encryption, or E2EE.
Messages, data or other communications are encrypted on a sender's device, sent to the designated recipient's device in an unreadable format, then instantly decrypted for the recipient only. No unencrypted data is stored on either device or on any third-party servers, and no individual or organization other than the recipient can decrypt the information. Think of it like translating from another language — one that's even more confusing and unreadable than legalese.
If firms can ensure E2EE, then it establishes security standards to make sure that no bad actors can eavesdrop on that information.
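To make the data-flow property above concrete, here is an added example (not code from the article and not Wickr's protocol) in which a sender seals a message, a relay server stores and forwards only the sealed bytes, and the recipient opens it. It assumes the two parties already share a 32-byte key; the article says nothing about how keys are agreed, and a real messenger uses a key-agreement protocol and a vetted authenticated-encryption library rather than the standard-library HMAC-SHA256 counter-mode cipher with encrypt-then-MAC used here to keep the example dependency-free. `seal`, `open_sealed` and `RelayServer` are hypothetical names; the message text is constructed.

```python
import hashlib
import hmac
import os
import struct


def derive_keys(shared_key: bytes) -> tuple:
    """Split one shared secret into separate encryption and MAC keys
    (HMAC over a label) so the two roles never reuse the same key."""
    enc_key = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(shared_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt on the sender's device. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = os.urandom(16)                                   # fresh per message; never reused
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_key: bytes, blob: bytes) -> bytes:
    """Decrypt on the recipient's device. The tag is checked before any
    ciphertext is used, so a modified or mis-keyed message is rejected."""
    enc_key, mac_key = derive_keys(shared_key)
    if len(blob) < 16 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered or wrong key")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class RelayServer:
    """Hypothetical third-party server. It is handed no key, so what it
    stores, logs or loses in a breach is ciphertext only."""

    def __init__(self):
        self.mailbox = {}

    def deliver(self, recipient: str, blob: bytes) -> None:
        self.mailbox.setdefault(recipient, []).append(blob)

    def fetch(self, recipient: str) -> list:
        return self.mailbox.pop(recipient, [])


def tamper_detected(shared_key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit in transit and confirm the recipient rejects it."""
    altered = bytearray(blob)
    altered[20] ^= 0x01                                      # inside the ciphertext region
    try:
        open_sealed(shared_key, bytes(altered))
    except ValueError:
        return True
    return False


def demo() -> bool:
    """Sender -> relay -> recipient round trip; True if the relay never held plaintext."""
    shared_key = os.urandom(32)                              # constructed; agreed out of band
    server = RelayServer()
    note = b"Privileged: settlement range is 1.2M to 1.5M"   # constructed sample message
    server.deliver("bob", seal(shared_key, note))
    stored = server.mailbox["bob"][0]                        # what a server breach would expose
    relay_saw_plaintext = note in stored
    received = open_sealed(shared_key, server.fetch("bob")[0])
    return received == note and not relay_saw_plaintext


if __name__ == "__main__":
    print("round trip ok, relay blind:", demo())
```

The point of the example is where the keys live: `seal` and `open_sealed` run only on the endpoints, and `RelayServer` has no code path that could decrypt. The authentication tag matters as much as the encryption, because a relay that can silently alter a privileged message is as dangerous as one that can read it.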
Nearly 8 billion — yes, with a "b" — records were exposed through January to September 2019 alone. There's so much sensitive data out there that hackers would love to steal, and an equal amount of vulnerable law firms that aren't taking the right precautions. If firms become enough of a barrier to deter hackers, they'll finally get the target off their backs.
While encrypting data is a critical step in protection from IP theft, secure backups are the bane of the ransomware industry. It's important for law firms to look in the mirror and understand they are behind most industries when it comes to computer security. Trivial attacks like the one against Grubman Shire can be avoided with some very basic investments in encryption and backing up client data.
Joel Wallenstrom is CEO of Wickr Inc.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.