Cyber attacks against law firms are on the rise, with an almost 12% increase in law firm security breaches between 2019 and 2020.
Threats against law firms and legal organizations have kept climbing since the unprecedented data leak of the Panama Papers. More recently, you may have read about a massive database breach that exposed legal records from 190 law firms, including registration forms, security authentication details, email addresses, and encrypted passwords. In 2020 alone, at least seven large law firm ransomware attacks were highlighted in the media, and 80% of law firms reported phishing attempts.
When successful, these attacks can lead to disclosure of confidential and privileged information, compromised communications, loss of data, public leaks, reputational damage through lost public and client trust, and in severe cases even malpractice lawsuits. In the first quarter of 2021, the average ransom payment for small to midsize law firms was $220,298, up more than 40% from Q4 of 2020. In addition, the average number of downtime days caused by law firm cybersecurity attacks leaped from just 10 in 2020 to 23.
Why the Barrage Against the Legal Sector?
If you’re feeling overwhelmed by the sheer scale of this threat landscape, you might find yourself asking why cyber attacks on law firms are growing in both number and sophistication. The first reason is the wealth of sensitive and confidential data that law firms hold, a virtual treasure trove for today’s attackers. These records sell for increasingly high amounts on the dark web.
Law firms are also known to be a traditional industry, heavily reliant on email communications, slow to adopt new technologies and security solutions, and with a reputation of being resistant to change. As remote working has become the norm, many law firms have been pushed into new technology adoption with mixed results (cat lawyer, anyone?) and started using home networks and personal mobile devices for work, often with rushed or incomplete security training or technology in place. As attack techniques keep evolving, such as voice phishing (vishing), session hijacking, man-in-the-middle attacks, and more, law firm cybersecurity teams (and individual legal professionals) are struggling to keep up. This human factor shouldn’t be underestimated, especially in an industry that’s well known as traditional.
This problem isn’t limited to law firms alone (after all, who hasn’t gone remote in the last 2 years?), but for law firms the nature of the data and the importance of a crystal clear reputation make law firm cybersecurity even more of an imperative. Legal professionals also have an ethical and legal duty to ensure technology competency. The American Bar Association’s Model Rule 1.1 (Comment 8) requires lawyers to stay on top of the “benefits and risks” associated with technology, and 38 out of 50 states have added this requirement to their own ethical rules for licensed attorneys. The ABA also includes a rule on secure communications, Model Rule 1.6(c), which states that lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The Responsibility for Law Firm Cyber Security Ultimately Falls on the Employees
Despite the ethical obligation, studies have shown that legal professionals are significantly more likely to put data at risk than the average employee, with 56% admitting that they or a colleague had accidentally shared data externally, compared to 27% of employees across industries in general. For more than half of those people, the data breach happened as a result of falling victim to a phishing email. This means that as a law firm, your employees are your first, and perhaps only, line of defense. Employees are the main players in protecting your firm and your reputation from the consequences of a cyberattack, and it’s clear that they are struggling to keep up with the growing threat, so today’s firms have a responsibility to close this gap with education. However, not all education is created equal.
For example, one approach to education is communicating the law firm’s information security policy. Unfortunately, if your employees don’t feel that security is their shared responsibility, or are only trained on a new law firm information security policy during a set training session outside of their usual working hours, the training is unlikely to stick. Scheduled online or in-person training is often less effective and difficult to organize around a lawyer’s busy working life. When training is an integrated element of the working day, there’s no need to find space in multiple calendars.
In addition, lawyers and other legal professionals often work out of hours and do overtime, which is exactly when they are more likely to slip up, so training needs to happen as part of their normal working process. Engaging employees to learn at the moment they make a mistake is a proven technique known as just-in-time training.
Law Firm Security Requirements are Growing: The Time for Action is Now
To effect real behavioral change (and your reputation depends on it), a security awareness program needs to be relevant, targeted, and personalized to the challenges of today’s legal employees. A one-size-fits-all phishing simulation program is often too general and fails to engage or train all of your staff, while targeting only certain employees can spread disharmony and distrust, or signal to the organization that only one department or team is really at risk. Coupled with lower levels of technological know-how, this approach to phishing simulations can leave law firm employees feeling that phishing scams are someone else’s problem, even though today’s IT networks are increasingly interconnected and a single compromised account can expose the whole firm.
At CybeReady, we’ve identified four key elements of effective Security Awareness Training:
- Continuous Learning: The program shouldn’t rely on singular training experiences – it should be conducted year-round to 100% of employees.
- Procedural Knowledge: Rather than rely on declarative information that you read from a handout or computer screen, training should allow for real-world practice.
- Immediate Feedback: It should involve concrete, clear, and in-the-moment feedback that leverages the natural moment of learning when mistakes have just occurred.
- Diverse Experience: Repeating the same exercises over and over only teaches one thing. Security Awareness programs need to support the creation of varied cognitive schemas.
Your security awareness program should take these four elements into account, plus consider the unique challenges facing the legal industry today. It’s only with an effective security awareness program that you can truly home in on the most dangerous threats. This program needs to be built around engaging those who are most critical in protecting your environment: your employees.
Want to learn more about how to protect against cyberattacks on law firms, and create a security awareness program that meets today’s threats? Contact us to see a demo of the CybeReady Autonomous Security Awareness Program.