A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.
While the defense industry now has DFARS 252.204-7012 (and the NIST 800-171 control framework) and the financial industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It’s also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:
- 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
- 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
- 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
- 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.
This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in-house expertise, and most (98%, according to Marsh) view cybersecurity strictly as a function of IT, treating the IT department as the group responsible for the overall management of cyber and privacy risks.
Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. It’s unlikely that smaller firms without in-house expertise or implemented security controls would even know if a data breach had occurred, much less have the ability to determine what data had been compromised. For an industry that routinely pushes its clients to protect themselves against risk, the results show that not all firms practice what they preach.
Regardless of your stance on the issue, your data needs protecting. CyberSheath has experience applying cybersecurity strategies at law firms and can assist you and your organization in securing your data. Start with an assessment today to identify your weaknesses and gaps.