Risk Update

Information Security Updates — BigLaw Versus Mid/Small Data Breach Data, SRA Law Firm Security Trends and Advice

Some recent information security news and updates focused on law firms. First, Eileen Garczynski at Ames & Gough flagged this story the other day: “Amid BigLaw Data Attacks, Breaches Surge For Smaller Firms” —

  • “In mid-January, a cyberattack targeting New York law firm Cleary Gottlieb Steen & Hamilton LLP exposed the firm’s email servers to unauthorized actors, potentially breaching the personal information of about 40 of the city’s residents, it told New York officials.”
  • “Cleary, however, was just one of the hundreds of law firms — from BigLaw firms to solo offices — that have reported data incidents in the past year and a half as they become increasingly targeted by cybercriminals, according to public records and cybersecurity experts.”
  • “Based on extensive public record requests, Law360 Pulse identified about 90 law firms that reported data breaches to authorities across 17 states in 2021, almost doubling the number from 2020, which also tracked the same states except for Illinois. The number also continues to rise this year, with at least 27 law firms already reporting data incidents in the first four months.”
  • “And while the number of data breaches reported by large law firms has remained steady at about a handful, such incidents reported by midsize and small law firms have increased significantly since 2020.”
  • “Similar to the breaches recorded in 2020, nearly all the recently hit firms that have notified state authorities identified external breaches — including phishing, hacking and malware attacks — as the most commonly identified cause of data exposure.”
  • “Meanwhile, less than 10% of firms reported that they experienced data breaches through other factors, such as a third-party data breach, stolen or lost devices, or insider wrongdoing.”
  • “The breakdown in percentages reflects that smaller, midsize firms often ‘don’t have the staff, resources and expertise’ of larger law firms and are therefore compromised far more often, said Frank Gillman, a former BigLaw chief information officer who now works at consulting firm Vertex Advisors. While smaller firms also spend money on security defense systems, Gillman said many lack the expertise to identify the risk and react before it becomes a bigger issue.”
  • “And the idea of hiring a sophisticated and experienced forensic expert is also not as appealing with law firms being more conscious about their expenses during the pandemic, Rast added, raising another reason why smaller firms become more vulnerable than the larger firms. ‘It’s a resource issue, as well as a training issue,’ Rast said. ‘Larger firms generally have the budgets to roll out the rather extensive training, [which] is now pretty standard.’”

Next via the SRA: “Risk Outlook report: information security and cybercrime in a new normal” —

  • “Covid-19 brought about greater use of IT. The post-pandemic ‘new normal’ will likely see that trend continue. However, as with most changes, this increased dependence on IT brings both opportunities and challenges. As well as creating opportunities and advantages for businesses and consumers, it also creates more opportunities for cybercriminals. And although we know firms have adapted to these threats and taken steps to defend themselves, cybercriminals continue to adapt too.”
  • “The fundamental challenge of how cybercrime threatens the data and information held by firms has not changed in the last few years. However, the reduced commercial activity in some areas during the lockdowns affected some types and levels of cybercrime.”
  • “The most significant threats, which we expect to remain the key areas, fall into three broad groups: phishing and email modification, ransomware, third-party attacks”
  • “We are seeing an increase in email frauds that target a wider range of practice areas, in addition to conveyancing, where firms might be less alert to this threat. Another sign of adaptation comes from a report of criminals intercepting and falsifying physical mail between a firm and client to request funds.”
  • “With firms focusing on the security of their IT systems, it is possible that criminals might make more use of false physical documents or voice-based phishing in the hope that their targets are less prepared.”
  • “Ransomware will continue to increase in sophistication and to use a wider range of methods to influence its targets. It is likely to increasingly become fully automated, attacking any target with suitable weaknesses.”
  • “Most attacks will be random and be because the firm has a weakness that could be detected. However, some might be targeted intentionally. This could be used by unscrupulous parties to damage the operations of a firm that is acting for an opponent in litigation, for example. Those acting for clients operating nationally-significant infrastructure could be at higher risk of this in this time of international tension. The same applies to firms identified as acting for Ukrainian, Russian or Belarussian clients. There have been reports of cyberattacks used as a deniable weapon and solicitors’ firms might be seen, rightly or wrongly, as a less secure target than some of their clients.”
  • “Any firm holding money or confidential information is a potential target for theft. And any firm could be targeted with ransomware. As such, protecting clients’ information must be a priority for all firms. Effective protection means having the right culture, systems and training.”
  • “One of the certainties about the ‘new normal’ is that information security threats will still be there. The underlying reasons why criminals try to hack legal firms have not changed. And in a legal market that is increasingly dependent on IT systems, criminals have more potential opportunities to attack using that method.”
  • “As we said in our previous Risk Outlook report, we want to build a better dialogue between ourselves and firms. This helps to build the best understanding and decision making, and lets us know how these risks are directly affecting those we regulate.”