What Lawyers Need to Do to Defend Their Clients and Themselves from Cyber Risk
Blog Article Published: 11/02/2022
Originally published by Ericom.
Written by Nick Kael, CTO, Ericom.
Absolute trust is the essential basis of the relationship between law firms and their clients. Lawyers steer clients through complex and often sensitive personal and business situations, helping them navigate difficult issues to gain and retain the upper hand in disputes. Law firms must zealously guard the information they hold and demonstrate rock-solid reliability and confidentiality with every action they take. Any security lapse might drive a permanent wedge into the relationship between lawyer and client.
It is therefore surprising – perhaps even shocking – that the cybersecurity standards of many law firms are simply not up to par. Despite law firms being known targets for cyberattacks, most law firms have failed to implement modern security practices. This can negatively impact their ability to ensure the reliability and confidentiality their customers demand and require.
Law firms are a highly attractive target for cyber attackers for a number of reasons:
- Access to personal data - The nature of lawyers’ work dictates that they have access to sensitive and confidential personal and business information. Gaining access to this data could enable attackers to demand ransom from the law firm, extort clients for hefty ransoms, and leverage personal data to craft convincing social engineering attacks.
- Access to financial information - Law firms often have access to clients’ escrow and other financial accounts, as well as additional financial resources. Breaching these resources could result in an attractive payday for cybercriminals.
- Concerns about brand perception and regulatory risk - Law firms are contractually obligated to protect confidential client information and, in many cases, bound by regulatory requirements as well. Following a breach, law firms might be subject to legal and regulatory penalties and suffer significant damage to their reputations. To avoid these negative outcomes, some law firms might prefer to quietly pay ransom rather than risk public exposure.
- Lack of security practices - While security awareness and implementation of modern security practices are growing in law firms, adoption rates for modern security technologies are still low. For many attackers, it’s an ROI game. Weak security practices make attacks easier and more fruitful, leading to still more attacks on law firms.
Despite lawyers’ professional expertise in interpreting laws, regulations and legal judgments relating to cyber law, firms still seem to lag behind when it comes to their own cybersecurity practices. Cyber attackers, of course, are not waiting for them to gear up. This gap in awareness vs. practice is probably due to a number of reasons:
- Lack of dedicated cyber staff - Dedicated security professionals can help law firms keep cyber protection up to date, determine how to allocate resources most effectively, and ensure that necessary processes are implemented. According to the ABA’s 2021 Legal Technology Survey Report, larger firms are more likely to have a professional on staff whose sole responsibility is security. Smaller firms tend to work with external consultants or depend on IT generalists.
- Insufficient cloud security savvy - Firms that transition to cloud or hybrid infrastructure approaches, or even simply adopt cloud services like Google Docs and OneDrive, require a cloud-based security approach. However, firms that have recently moved to the cloud may be unaware of the need to protect new attack surfaces. While they might assume that their practices are secure, they are in fact vulnerable. The same applies for internal private apps, which might be cloud-enabled but insufficiently secured.
- Reliance on third parties - Businesses today rely extensively on external parties and service providers to drive their business and help them complete their tasks. Law firms work with numerous third parties, including private investigators, e-discovery and documentation services, legal researchers, document reviewers, case managers, client relationship management services and billing firms. However, if these third parties do not have excellent security hygiene, they could be putting the law firm at risk.
- Use of unmanaged devices - In today’s hybrid work and “always on” reality, company resources are often breached through unmanaged devices. These could be personal devices used by employees or third-party devices that are not managed to firm standards. Unmanaged devices are vulnerable to attacks and may serve as conduits that enable malware and attacker access into law firm systems and resources.
The path to an enhanced security posture starts with awareness of the problem and continues with implementation of modern security techniques. Such techniques include:
Cybersecurity professionals know what is needed to secure law firms’ digital resources. If your law firm is too small to support a full-time cybersecurity expert, consider outsourcing security to a managed security service provider (MSSP).
Minimize the attack surface of your law firm to protect it from attacks and data breaches. The most common – and dangerous – attack types that can affect law firms are:
- Phishing - In phishing attacks, cybercriminals mimic trusted entities and attempt to exfiltrate valuable information that can be used for further access (like usernames and passwords) or sensitive data itself (like bank account numbers). The ABA found that 81% of law firms use spam filters, which is a basic first step in protecting against phishing but is powerless against many attacks. The vast majority of phishing techniques utilize a spoofed website “sign-in page” to collect user details. A robust Remote Browser Isolation (RBI) solution will block these spoofed sites or open them in read-only mode to prevent users from being tricked into entering credentials.
- Public-facing Application Vulnerabilities - Applications that are accessible from both the internal law firm network and the internet may be used to penetrate the organization. Unless secured, these applications can be exploited to deploy malware or serve as an entry point for hackers who then move laterally across firm networks to find valuable data or deliver ransomware or other malware.
- Third Parties and Unmanaged Devices - As mentioned above, unmanaged devices and third parties pose significant risks to law firms and can be exploited to penetrate the organization. Securing them with modern technologies significantly reduces the attack surface.
Effective security solutions can eliminate a lot of the heavy lifting required to protect your data. When choosing a solution, make sure to select one that can efficiently protect against emerging and still-unknown threats as well as those that are known. If possible, opt for solutions that are simple to implement and update, and do not interfere with user activity or impact your business operations.
As a law firm, select solutions that can help you:
- Secure large volumes of sensitive data over long periods of time
- Ensure regulatory compliance
- Operate in the cloud and secure cloud operations
- Protect against third party device risk
- Defend against web-borne and zero-day attacks
Zero Trust security is an effective and secure approach for law firms dealing with sensitive data and business operations that rely on web apps, SaaS applications and third-party services. Zero Trust is based on the premise of “never trust, always verify”, meaning that access is granted only after verifying that users are who they claim to be and authorized to access the specific resource.
But even if users who access corporate apps and enterprise SaaS sites from unmanaged devices can be verified as authorized (which is questionable, given new methods of circumventing MFA), there is no way to ascertain that their devices are safe and will not introduce malware into the apps, or be co-opted by threat agents to hack in.
This type of risk from unmanaged devices requires a unique approach that “inverts” RBI to protect corporate web and cloud apps. In its traditional application, RBI protects browsers, endpoints and the corporate assets against threats from web-based malware, malicious attachments and downloads, and credential theft by creating a cloud-based airgap between the web and endpoint browsers.
In its “inverted” state, RBI airgaps corporate web apps and SaaS and cloud applications from malware that might be present on unmanaged endpoints, as well as from illicit access via stolen credentials or brute force attacks. As a cloud-based offering it cloaks application surfaces from attackers who scan for open ports or vulnerabilities and enforces granular controls on app and data access. Look for a solution that is also clientless, so there’s no need to install software on users’ personal devices or the devices of third-party service providers.
For law firms whose users work on unmanaged personal devices or that use third-party services, an RBI solution in this “inverted” state is a valuable protection against the 71% of human-operated ransomware cases that begin with the compromise of an unmanaged, usually internet-facing, device. Just as important to law firm security, “traditional” use of RBI protects them from zero-day malware delivered via the web and from the sophisticated social engineering attacks and business email compromise (BEC) to which even security-aware users fall prey.
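The Zero Trust and “inverted” RBI discussion above describes a decision that any access gateway has to make on every request: is the identity verified, did MFA pass, is this user authorized for this specific resource and action, and what does the device's posture permit. The following is an added illustration written for this page, not Ericom's code and not a description of any product's internals; the users, resources, policy table and posture fields are constructed, and the routing of unmanaged devices into an isolated read-only session is one way of expressing the article's point that such devices should be air-gapped from the application rather than either trusted or simply locked out.

```python
"""Added example (not from the original article): a minimal Zero Trust
access-decision function in the spirit of "never trust, always verify".

Every request is checked for identity, MFA, per-resource authorization and
device posture. Requests from unmanaged devices are not trusted and not
blindly denied; reads are routed to an isolated, read-only session (the
behaviour the article attributes to "inverted" RBI), writes are refused.
All names, users and policy entries below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW_DIRECT = "allow_direct"        # managed, compliant device: normal access
    ALLOW_ISOLATED = "allow_isolated"    # unmanaged device: isolated, read-only


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str                # "read" or "write"
    identity_verified: bool    # the identity provider asserted who this is
    mfa_passed: bool           # second factor completed for this session
    device_managed: bool       # device is enrolled in the firm's management
    device_compliant: bool     # posture checks passed (patched, EDR running)


# Constructed least-privilege policy: resource -> user -> permitted actions.
POLICY = {
    "matter/acme-v-globex": {"alice": {"read", "write"}, "bob": {"read"}},
    "escrow/ledger": {"alice": {"read"}},
}


def evaluate(req: Request) -> tuple[Decision, str]:
    """Return the access decision and a reason suitable for an audit log."""
    # 1. Identity: no assertion from the identity provider means no access.
    if not req.identity_verified:
        return Decision.DENY, "identity not verified"
    # 2. MFA: a password alone is never sufficient. MFA can be bypassed, which
    #    is why the device checks below still apply after it passes.
    if not req.mfa_passed:
        return Decision.DENY, "mfa required"
    # 3. Authorization: checked per resource and per action, not per user.
    allowed = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in allowed:
        return Decision.DENY, f"{req.user} may not {req.action} {req.resource}"
    # 4. Device posture decides HOW access is granted, not only whether.
    if req.device_managed and req.device_compliant:
        return Decision.ALLOW_DIRECT, "managed compliant device"
    if req.device_managed:
        return Decision.DENY, "managed device failed posture check"
    # Unmanaged device (personal laptop, third-party contractor): the app is
    # air-gapped from it, so only an isolated read-only view is offered.
    if req.action != "read":
        return Decision.DENY, "writes from unmanaged devices are not permitted"
    return Decision.ALLOW_ISOLATED, "unmanaged device routed to isolated read-only session"


if __name__ == "__main__":
    samples = [
        Request("alice", "matter/acme-v-globex", "write", True, True, True, True),
        Request("bob", "matter/acme-v-globex", "read", True, True, False, False),
        Request("bob", "matter/acme-v-globex", "write", True, True, True, True),
        Request("alice", "escrow/ledger", "read", True, True, True, False),
    ]
    for r in samples:
        decision, reason = evaluate(r)
        print(f"{r.user:6} {r.action:5} {r.resource:22} -> {decision.value:15} ({reason})")
```

Every branch returns a reason string so that the gateway's denials and isolated sessions can be logged and alerted on; a spike in “mfa required” or “failed posture check” outcomes for one user is the kind of signal a firm's MSSP would want to see.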
It’s critical that law firms take advantage of the Zero Trust cyber solutions that are already available in the market so they can deliver secure, reliable service to clients and protect them, as well as the firm partners, from cyber risk.