Law firms house large amounts of confidential and sensitive information, so it’s no surprise they are a high-value target for malicious actors. During busy seasons, like tax season and now with the Covid-19 outbreak, the risk increases as more employees work remotely.
For attackers, law firms are the “middle-men,” with valuable client data across specific industries throughout their systems. They represent one lock to pick that can possibly access the internet protocol of potentially hundreds of corporations and individuals.
As firms work with their clients, they are consistently responsible for hundreds of documents. This workflow presents enormous risk given the volume of personally identifiable data, such as Social Security numbers, within these documents, as well as the number of handlers accessing and moving them.
Attackers thrive on this sense of urgency as employees move fast and may become lax in maintaining security best practices. In fact, 90% of security data breaches involve human error, and law firms are no exception.
According to the American Bar Association’s “2019 Legal Technology Survey Report,” over a quarter of respondents (26%) reported that a security breach has hit their firm, a number that has grown 12% in three years.
The same survey also found that almost one-fifth of respondents reported that they do not know whether their firm has experienced a security breach. This is a detriment to the organization, as everyone from paralegals to partners must be aware, trained, and prepared to thwart a potential attack.
Law firms must ask themselves if security controls apply equally when staff is working from home or from other remote locations. Ensuring their people are equipped to handle a potential attack, no matter the time of year, is critical to avoiding a potential attack.
Increased Tech Adoption Will Lead to Success
As law firms face increasing cybersecurity risks, it is imperative that they understand how the technologies throughout their business can put them in danger.
Law is a 24/7/365 business and lawyers need to be available to clients at all times. This means they need to have access to data with the click of a button. With that, implementing technology options such as accessibility to the cloud can make ease of access and guaranteed retrieval of information a reality, but can also create cybersecurity risk through holes in the cloud infrastructure.
In addition, providing offsite employees with data and application access is critical, but security must not be lost in the name of efficiency. Technology implemented across agencies must be effective, yet simple to understand and use, so all employees can remain cyber-aware at home and in the office.
With this in mind, organizations must address whether their work-at-home strategies are fully developed before they are activated. For instance, does a business have firm-issued laptops on hand? Are they extending or enhancing their security controls for their work-at-home situations? Organizations do not want to be working these kinks out when the emergency hits.
Breaches & Cyber Concerns
Both small and large firms face the gamut of cyberattacks—ransomware, malware, and phishing attack risks, etc.—just look at recent firms in South Dakota.
However, the impact of these attacks can be different given the “middle-man” nature of law firms. Law firms are particularly vulnerable to having their online brands exploited and used to hit their customers or business partners via impersonation attacks, given the level of trust organizations have in their firms and how easy it is for attackers to determine who their clients are.
The Covid-19 outbreak is opening the doors for attackers to utilize false urgency over email, such as sending phishing emails like “Immediate Response required from the COVID-19 emergency” to break into systems. With this in mind, businesses must have their systems prepared to handle remote infrastructure challenges. Law firms must be vigilant in order not to become the next nationwide breach.
Compliance Regulations & Data Archiving
No matter where their employees are working, firms also have a responsibility to safeguard client data across all of their systems; it needs to be a business competency. The importance has only increased given privacy acts such as CCPA and the NY Shield Act. If firms do not manage information in a systematic way with record-keeping procedures and policies, then they run the risk of losing data at a moment’s notice, facing regulatory fines and losing customer trust.
With archiving systems in place, law firms will know exactly what data they have on hand at all times, allowing them to not only comply with laws such as GDPR and CCPA, but also respond to requests at a moment’s notice.
By correctly safeguarding and backing up data, firms can search for information with pinpoint accuracy while casting a wide net: helping both small and large firms work efficiently, especially during busy times of year.
While some law firms might look at archiving and email retention as having a negative impact on their business, maintaining sensitive data back-up is critical to overcoming a potential data breach, allowing quick data recovery and restoration and preventing business downtime and client strife.
Busy and high-volume times of year can often put a strain on law firms, opening them up to potential cyber risk. Having secure systems in place and educated employees operating those systems will help to ensure law firms avoid potential cyberattacks and data breaches.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Garth Landers is the director of product marketing for Mimecast. Prior to joining Mimecast, he was a research director/analyst at Gartner with primary coverage responsibilities for advising clients on archiving management software and related topics such as e-discovery and information governance policies and procedures.