Over the last 10 years law firms have transitioned from a predominantly paper-based practice to in some cases becoming fully digital. This has been accelerated in response to remote work associated with COVID-19. Previously, lawyers primarily had to worry about physical security of their file management and offices. This was easier, because even if there was a physical breach to the firm, thieves would need a U-Haul to move data which was voluminous and in paper form. The transition to digital file management has been associated with ever increasing risks of data breach, reputational damage and litigation risk(s) associated with a cyberattack.
What used to be unlikely has now become possible almost instantly form anywhere in the world. The battlefield is now global with cybercriminals becoming harder to detect, apprehend and prosecute, especially when they reside in foreign jurisdictions. Rewards are also higher than ever for successful attacks. Cybercriminals know law firms are a gold mine for sensitive solicitor-client privileged communication, financial and personal identification information. All law firm’s need to integrate cybersecurity risk mitigation into their business model to the same (if not greater) extent than they would physical security of their premises.
Methods of Attack of Against Law Firms
Law firms are vulnerable to cyberthreats because of the personal information they are known to possess. When a lawyer is hired, they are required to identify the client, gather occupation and personal financial details, especially if the lawyer is working with financial institutions. Beyond this personal information, law firms possess significant confidential information in criminal disclosure, such as sexual abuse material or violent crime scene evidence. Unintended disclosure of this material not only impacts the reputation of the firm but could revictimize victims of crime.
Cybercriminals likely expect some level of cyber risk management from financial institutions or larger law firms. However, smaller businesses often fail to make appropriate investments in cybersecurity. This could be for budget reasons, complacency or simply the false belief that only larger organizations with higher rewards are targeted. There are a number of threat actors who may target the legal sector, the most likely are cybercriminals and insiders.
Cybercriminals will target law firms because of the sensitive information they are known to possess. These individuals will likely seek to acquire confidential information about the firm’s clients for financial gain or reputational damage. If a law firm’s network is compromised, these criminals could use that data for identity theft or simply to expose the personal dealings of the firm’s clients. Law firms often implement role-based access to the network for security reasons, this is why they are vulnerable to spear-phishing attacks.
For example, a secretary or junior lawyer of the law firm could receive a personal email from who they believe is the owner of the business, prompting them to save a compromised file on the network. This person may not question this request because the instructions are being sent from an authority figure in the organization. In addition to phishing attacks law firms are also vulnerable to brute-force attacks. These methods of attack may be particularly successful where employees have passwords or do not have two-fact authentication enabled. In either case, cybercriminals would likely install a variety of malware which may include spyware or ransomware.
Insiders such as other lawyers or staff are a threat to law firms. Although law firms implement role-based access to critical data, this becomes less effective with other lawyers in the firm, especially on larger files with multiple lawyers working. This is why threats from internal lawyers are highest, they have access to substantial organizational data because their professional obligations require them to do so. They also may have access to previous firm files for learning or precedents, increasing vulnerability to these actors.
Methods of attack from insiders are the same as those used by cybercriminals. The primary difference is that insiders may be less likely to detect. Insiders could install malware on company property prior to being terminated or simply steal organizational data. In many cases cybercriminals simply want access to data and require infiltration techniques like spear-phishing or brute force attacks. Insiders simply have to log into the network or gain further access privileges to steal this information and could leave undetected. Law firms are especially vulnerable to insiders because they are required to provide liberal access to information for legal training and to ensure professional competencies. If the organization does not fully support the lawyer in its professional obligations, it could face a claim from the client for ineffective representation, which ultimately increases its exposure to potential damage from insiders. Moreover, the attack does not have to be sophisticated because lawyers already have a large degree of access to the network.
Strategies to Reduce Cyber Risk
There are four key strategies law firms can use to mitigate risk: (1) increase cybersecurity culture in the firm; (2) strengthen technology to protect networks; (3) develop an incidence response plan; and (4) integrate better cybersecurity behavior for remote work.
Cybersecurity Culture
Strengthening cybersecurity culture in the firm will help continue to reduce its cybersecurity risks to an acceptable level. The first step to strengthening the overall cybersecurity culture in the organization is to have leadership by example from the top of the organization. By setting the example of good practices within the firm by partners or business owners, the firm will be better able to protect itself over time. This will strengthen the overall expectation in the firm for cybersecurity awareness and corresponding behavior by staff.
Lawyers should integrate cybersecurity awareness the same way they would continuing professional development. Lawyers are good at maintaining their legal skills, cybersecurity should be treated the same way. Support staff and all persons with an entry point into the firm should be involved, so that cybersecurity within the business is not simply viewed as just an IT issue.
Technology
Integrating certain technologies will help the organization achieve its goals. Items such as integrating a proper firewall will help protect the organization from DDoS attacks. Proper email scanning and antivirus software will help support the firm’s intrusion detection systems. Running vulnerability scanners and encouraging proper patching by lawyers will also help the organization achieve its cybersecurity goals through the use of technology.
Ensuring the use of two-factor authentication for all ports of entry into the network will help protect the organization from weak employee password habits. Tools such as encrypted password managers can further be used to strengthen passwords and protect the organization from brute-force attacks. Strengthening protection within the cloud is another area firms can improve to reduce risks.
Incidence Response Plan
Having a proper incidence response plan will help the firm better respond to a cyberthreat and improve its overall cybersecurity risk management. Beyond the firm simply drafting an internal plan, it should also seek external input from specialized third parties. Having occasional audits of the firm’s response plan will ensure it is up to date with evolving threats and resilient to attacks. The firm should also test the effectiveness of its plan. It can be tested with individual employees or across the organization to confirm the firm’s ability to properly detect, contain and eradicate cyberthreats.
Remote Work
As lawyers work remote, the firm’s vulnerability to cyberthreats increases because of its reduced ability to monitor and enforce good practice behavior. By ensuring better data protection such as disc encryption on both company and personal devices, the organization can reduce its risks in the event of device theft or loss, which increases with remote work.
Implementing policies with respect to using public internet to access the company network will improve cybersecurity for remote work. Installing a VPN on both personal and company devices accessed by lawyers will improve encryption for data in transit and support the organizations goals of mitigating cybersecurity risk.
Metrics to Assess Cyber Security
A metric is used to assess an organizations cybersecurity effectiveness against threats or the overall efficacy of its stated goals. A firm could assess the effectiveness of its overall cybersecurity culture by talking to staff about cybersecurity issues and questioning them on how they would respond. This can be done during official training sessions or just casually. This simple method could be used to test on an individual level, the overall awareness of the employee about cybersecurity importance in the organization.
Analyzing firewall and antivirus data provides an organization with information on the effectiveness of its technology. Comparing this data with website traffic would yield information on whether unusual or malicious traffic is being successfully blocked by the network. Running vulnerability scanners could also be used to assess the effectiveness of an organization’s technology overall.
Spot checking employee computers which are being used for remote work can be done to determine compliance with security patching and maintenance. Reviewing how employees connect to the internet when working remotely can be used to ensure compliance with protecting data in transit. Confirming the use of password managers and device encryption on personal mobile devices will also help gauge the efficacy of the firm’s remote work policies.
Protective Technologies
Some of the protective technologies which can be deployed to protect critical systems, networks and data include antivirus software, firewalls, network access control, virtual private networks, identification, authentication software and device encryption.
Antivirus Software
Antivirus software can help protect early intrusion efforts into the network since it is installed directly on the host device. Properly functioning antivirus software requires devices to be updated regularly and patched for new vulnerabilities. Use of this software will help display characteristics of known viruses and contain them in accordance with the software. It can further help with scanning emails or attachments for malware and protect the network at the device level.
Firewalls
A firewall will assist with creating a perimeter around the firm’s internal network, protecting it from untrusted connections. Implementing Simple Mail Transfer Protocol (SMTP) will help filter emails the organization receives over the internet. Depending on its configuration, it can reject certain emails when they do not meet permissions standards.
Firewalls can also be implemented to protect a firm’s website from DDoS attacks. Settings can be configured to limit certain suspicious IP addresses, including limiting the number of visitors to the site at a given time.
Virtual Private Networks (VPN)
With lawyers more frequently working from home, vulnerabilities remain with their use of unprotected or open internet. Although the organization may have other protective technologies, they will not protect data in transit. Using a VPN when lawyers work remote will create an encrypted tunnel for data in transit to the network and reduce the risk of snooping.
Ensuring a VPN is installed on both organizational property and the personal devices of the remote workers will best ensure compliance. A policy for working remotely on personal smartphones should require a VPN connection.
Network Access Control
Logical access control(s) will limit unauthorized access to the organizations cyber assets, networks and data. This technology will help protect the organization from both external and internal threats seeking to infiltrate or disable intrusion detection systems. Implementing Mandatory Access Control (MAC) will further strengthen role-based access within the network. This additional safeguard would protect the organization from insiders venturing into unauthorized portions of the network.
Identification Technologies
Implementing identification software will protect the organization from unauthorized access to the network. Requiring employees to have designated usernames is a first step but should also include two-factor authentication in the event passwords are weak. At the device level the organization could also require MAC addresses as a basis for access, which would ensure only specified devices have network privileges.
Having a system in place for the de-provisioning of rights to access the system will help ensure controlled access to the network by the appropriate personnel at the time. This would also be useful when an employee leaves the organization or is terminated. It could also protect the organization with new employees to slowly scale up their access as trust is built.
Authentication Technologies
Employees may reuse passwords for multiple accounts and fail to use a password manager for improved password security. Strengthening authentication will help protect the organization from external threats or unauthorized access by insiders. In addition to email authentication, the organization could use fingerprint, smart cards or signatures to access critical systems within the network. For very sensitive portions of the network, the firm could require biometrics authentication. Some of the options could be retina pattern or fingerprint recognition.
Device Encryption
Implementing proper disc encryption on company computers will help protect the organization’s data in the event of device theft or loss. The organization should also discuss this requirement for the use of personal mobile devices to access the network by employees. A vulnerability could exist where lawyers use their personal smartphones to access cloud data, which could be accessed without proper encryption.
Audit Trails
Audit trails can be implemented to trace actions taken within the system or with specific users. The organization can use logs to promote accountability and investigate users who venture into restricted portions of the network. The proper functioning of these technologies would help the organization identify a breach by a cybercriminal or an insider venturing into restricted portions of the network. Implementing identity and access management (IAM) principles such as recording user actions on users with greater privilege will help protect critical assets and sensitive network access.
Legal Considerations
Both the firm and individual lawyers are often sued by clients, so legal considerations should be viewed as a shared responsibility between the firm and its lawyers. The first legal consideration both parties should consider is how to implement cybersecurity legislation and reporting guidelines into law firm procedures or protocols. Cybersecurity compliance legislation is complex and overlaps between jurisdictions where lawyers may practice. An organization needs to have a plan in place to confirm applicable legislation and legal requirements upon a breach. Ensuring accurate interpretation of the law and compliance with it is the first step in developing a risk mitigation strategy.
Knowing the applicable legislation is no good unless it is properly integrated into the organization. Having a proper structed training system for all parties in the organization will help mitigate risk and promote compliance. If awareness and training is insufficient, it is less likely potential threats will be reported and acted on. This could lead to situations where the organization fails to comply with reporting obligations or containing the threat.
Exploring insurance requirements for businesses is another legal consideration which should be considered. Lawyers are required to have error and omission insurance to protect clients and the public. A cybersecurity breach could theoretically have the same damage to the client as a lawyer acting without capacity. Reviewing update in the insurance landscape, such as minimum cybersecurity coverage requirements to protect the public should form part of a comprehensive risk mitigation strategy. Organizations should also review their technology and practices to ensure they will remain covered by an insurance company, in the event of a data breach.
Firms should also consider their relationship with third-parties and whether their compliance obligations will be compromised in the event of cybersecurity breach by a third-party. Affiliate organizations may not be compliant with relevant legislation which could expose a firm to legal liability by association. Having an understanding of who the organization is doing business with and what precautions those business are taking will help develop a comprehensive risk mitigation strategy.
Developing a proper response plan is another important legal consideration. This will help ensure the firm knows in advance of a data breach its legal requirements. This will help avoid poor decision making and strengthen compliance. The response plan could also list the appropriate experts the organization would require to mitigate its litigation and reputational risks.
Having independent audits by trained security professionals will help ensure firms are compliant with legal requirements. Audits may reveal weaknesses in a firm’s response plan or early detection systems. In addition, they will help modernize firms’ cybersecurity defences over time in response to evolving threats. If an organization is able to show it was not reckless to potential threats and always took proactive efforts to protect the public, a court may find that mitigating.
Jordan Donich is a lawyer at Donich Law Toronto, Ontario. He represents clients in English and French in civil litigation, professional regulation and complex criminal defense. His background in cybersecurity is the basis for the firm's dedicated practice in internet crime.