Online threats are getting more prevalent and sophisticated, with over 3,800 data breaches in the first half of 2019. Our own reporting notes that we observed just short of 4 million DDoS attacks in the same period. As such, all businesses—especially law firms—should take heed.
These practices are a prime target for cybercriminals because of the highly sensitive and confidential information they retain for their clients. Firms need to follow American Bar Association standards when developing online security procedures. Further, they should train the entire workforce to recognize threats and protect data at all costs.
Every practice must respond quickly to cyberattacks when they occur to minimize risk and liability. Firms that take these issues seriously and follow proper protocols are poised for success.
The Modern Threat Landscape
Research indicates that cyberattacks are on the rise, and our latest Threat Report underscores this increase as well. We found that new online attack vectors are weaponized within as little as five days, leaving not much room for enterprises to apply patches that can help defend against these vectors.
Bad actors who get their hands on these tools can target any business that looks appealing—and law firms are often at the top of the list. The case histories, court briefs, and other confidential documents in office databases are a virtual all-you-can-eat buffet for a hacker with an ax to grind. They can be particularly attractive to adversaries who have a strategic interest in say a merger or acquisition deal that the firm is advising a client on.
International practices must be especially careful because they face heightened penalties thanks to the General Data Protection Regulation (GDPR). While this privacy law compels businesses to check their security regularly, the requirements for those inspections are broad. Practices under GDPR jurisdiction that don’t take proper precautions may not recognize their liability until it’s too late.
All law offices, no matter their location, will face fines, lawsuits, and downtime in the event of a breach. They could also suffer reputational and financial damage if employees and clients bolt. Because of this, every practice needs a detailed defensive strategy—and luckily, the industry can help.
What the Experts Say
The ABA has passed several resolutions to guide firms as they create cybersecurity protocols. Its rules have evolved with time to reflect the increased severity of online attacks. The group’s first proposal, written in 2014, merely “encouraged” law offices to “develop, implement, and maintain a cybersecurity program that complies with applicable ethical and legal obligations.”
But recently, the ABA got more serious. A 2017 formal opinion required firms to secure confidential information and “take special precautions to protect against inadvertent or unauthorized disclosure(s).”
Finally, last year the group mandated that its members “promptly respond in a coordinated manner to any cyber intrusion.” All practices should have a procedure in place that identifies and removes threats, informs affected parties, and reduces risk.
Of course, before lawyers can advise their clients on cybersecurity, they need to understand these issues themselves. That’s not always easy considering the large number of adverse business outcomes inherent in every breach.
Luckily attorneys can use resources from outside the legal profession, adapting general frameworks and rules to fit their needs. Groups like the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS) will help with this effort.
Practices should use consensus approaches to develop comprehensive information security programs. Once those procedures are set in stone, every employee needs to maintain constant vigilance.
The Best Offense Is a Good Defense
Global law firms must train all personnel to understand and recognize cyber threats. The first order of business is updating access controls and authentication procedures to ensure passwords are as strong as possible. That may sound simple, but many companies shockingly still neglect this integral aspect of security, which could easily give an intruder the keys to an entire network.
Beyond these quick fixes, practices need a 360-degree view of the threat landscape as new online dangers emerge. Firms must use the latest technology to protect data, detect threats, and decrease damage if a cyberattack occurs.
Every practice also needs a comprehensive, individualized protocol that includes appropriate safeguards and training to address employees’ concerns. Firms should evolve these rules as needed to fit the ever-changing digital world.
With cybercrime on the rise, law practices are prime targets for hackers. All firms must develop a robust online security policy, using industry tools as a guide. On an individual level, employees should learn to recognize and defend against threats.
Practices can also partner with providers that use enterprise-grade solutions to protect data. In a world where cybersecurity is recognized as a key risk to the enterprise, law firms that employ the right tools will ensure order in the online court.
