Law Firms Continue to be Targeted by Cyber Criminals

By Jeff Schroeder • May 6, 2016

A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.

While the defense industry now has DFARS 252.204-7012 (and the NIST 800-171 control framework) and the financial industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It’s also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:

  • 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
  • 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
  • 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
  • 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.

This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in house expertise, and most, 98% according to Marsh, view cybersecurity strictly as a function of IT and the group responsible for the overall management of cyber and privacy risks.

Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. It’s unlikely that smaller firms without in-house expertise or security control implementations would even know if a data breach had occurred, much less have the ability to determine what data had been compromised. As an industry that routinely pushes for their clients to protect themselves against risks, the results show that not all firms practice what they preach.

Regardless of your stance on the issue, your data needs protecting.  CyberSheath has experience with applying cybersecurity strategies with law firms and can assist you and your organization in securing your data.  Start with an assessment today, to identify your weaknesses and gaps.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO