Dig into a law firm, and you’ll find secrets. Sometimes these secrets are mundane, like who’s getting divorced, or who’s getting cut out of the will. Sometimes, however, these secrets can shake nations and economies.
Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm – which might be possibly the most unsafe place to hide it.
Law firms may be extremely discrete when protecting their clients’ identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who’ve heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was:
- Running a version of WordPress that was 2 years out of date.
- Running a version of Drupal that was three years out of date.
- Running its web server on the same network as its mail server.
- Running its web server without a firewall.
- Running an out-of-date plugin known as “Revolution Slider,” which contained a file upload vulnerability that had been documented since 2014.
This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What’s more troubling, however, is that Mossack Fonseca wasn’t a standout among law firms. Many if not most law firms have an equally bad security posture.
The ABA Reports an Overall Low Level of Readiness for Cybersecurity
Law firms aren’t just rich – they’re full of information that could make a hacker rich. Instead of stealing a bunch of records from a company and selling the data piece by piece, an attacker could instead gain advance information about a merger or acquisition and make millions on the stock market.
Worries about stolen law firm data are anything but hypothetical. A recent study shows that of 200 law firms assessed from 2016 to 2017, all 200 had been at the very least surveilled by attackers – but 40% had been breached and didn’t know it.
A larger survey shows more troubling results. Every year, the American Bar Association releases an annual survey on legal technology. The 2017 results appeared in December, and they portray an industry that is still grappling with the ramifications of cybercrime.
- At least one-third of companies with between 10 and 49 attorneys have been breached, and nearly one-fourth of companies with over 500 attorneys reported the same. 43% of companies overall reported malware infections.
- Almost 10% of firms with over 500 attorneys reported a breach that affected client data – the worst possible form of breach for a legal firm.
- Of the remaining breached firms, 38% reported loss of billable hours, 34% were required to pay a consultant to repair their data, and 23% were forced to pay to replace equipment.
- Less than 5% of law firms report having a Chief Security Officer in charge of their data security.
Law Firms Need to Adjust Their Security Posture
Law firms need to rapidly improve their information security expertise, but as the fourth bullet shows, many are unprepared for that reality. Even for firms of over 500 attorneys, the majority do not report that their security is handled by a specialized executive. (Instead they tend to report that the CIO is in charge of defense).
IT staffing, even at major law firms, has not historically been especially robust. To become secure, they need tools which can allow a small number of individuals – who may not specialize in information security – to rapidly assess their security posture and provide improvements.
The Safe-T Software-Defined Access Suite acts as a force multiplier. A single administrator can set secure email and data-sharing policies for an entire company with just a few clicks, while even enabling advanced features that can hide the organization’s attack surface from attackers. Don’t join the ranks of Mossack Fonseca, DLA Piper, or Proskauer & Rose – start using Safe-T with a free trial today!