Law Firms Continue to be Targeted by Cyber Criminals

By Jeff Schroeder • May 6, 2016

A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.

While the defense industry now has DFARS 252.204-7012 (and the NIST 800-171 control framework) and the financial industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It’s also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:

  • 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
  • 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
  • 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
  • 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.

This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in house expertise, and most, 98% according to Marsh, view cybersecurity strictly as a function of IT and the group responsible for the overall management of cyber and privacy risks.

Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. It’s unlikely that smaller firms without in-house expertise or security control implementations would even know if a data breach had occurred, much less have the ability to determine what data had been compromised. As an industry that routinely pushes for their clients to protect themselves against risks, the results show that not all firms practice what they preach.

Regardless of your stance on the issue, your data needs protecting.  CyberSheath has experience with applying cybersecurity strategies with law firms and can assist you and your organization in securing your data.  Start with an assessment today, to identify your weaknesses and gaps.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security