
Law Firm Cybersecurity: Protect Client Data from Hackers

Updated on June 13, 2026

A law firm holds some of the most sensitive information imaginable. Divorce proceedings, corporate mergers, intellectual property, criminal defense strategies, medical records, financial statements.

If a hacker steals credit card numbers from a retailer, the retailer suffers. If a hacker steals client data from a law firm, the clients suffer. Their cases are exposed. Their secrets are revealed. Their trust is broken.

Cybercriminals love targeting law firms because their security is often weak relative to the value of what they hold. This article covers the risks that are specific to law firms and the practical controls that keep client information safe from cyber threats.

Why Law Firms Are Prime Targets

Many law firms are an easy target for hackers because:
1. They hold a great deal of valuable information. Law firms maintain private and proprietary information (e.g., mergers, acquisitions, litigation strategies, intellectual property, and personal client data). That information is extremely valuable to competitors, criminals, and anyone who wants to harm the client.

2. They have less security than banks. Law firms are generally small to medium-sized businesses and do not have anything like a bank's security budget. Hackers know this and go after the entities with the weakest security measures.

3. They handle client funds. Real estate transactions, settlements, and trust accounts pass through law firms, and an attacker who controls a lawyer's mailbox can divert those funds with a business email compromise attack.

4. Downtime costs them money. A retailer hit by a cyber attack can often pause operations for a day or two and recover with limited long-term consequences. A law firm that loses access to its case files may miss court deadlines, and it may lose a client's trust if the case is not handled properly because of the attack.

5. Regulatory pressure is increasing. Data protection authorities are fining law firms that fail to protect client data. The risk is not just reputational, it is financial.

A professional security audit from Red Secure Tech can help you understand your firm's current risk level.
Law firms are not incidental targets. They are priority targets.

The Top Cyber Threats Facing Law Firms

Here are the most common and dangerous threats law firms face today.

Threat 1: Ransomware 

Ransomware is the largest risk to law firms today: attackers encrypt case files, emails, and databases, and until the systems are restored the firm cannot access client documents, court filings, or calendars.

Law firms are at high risk of extended downtime, and the courts will show little sympathy for deadlines missed because of a ransomware attack.

How ransomware gets into law firms: typically via phishing emails, Remote Desktop Protocol (RDP) services exposed to the internet, compromised vendor accounts, and malicious downloads from fake legal research sites. Modern ransomware groups also copy data before encrypting it, so a ransomware incident is usually a data breach as well.

Threat 2: Business Email Compromise (BEC)

BEC has become the most financially damaging cybercrime for law firms. In a typical attack, the attacker compromises a lawyer's email account, silently watches the correspondence for weeks, and then, at the right moment, sends the client an email with a bogus invoice or with "updated" bank details for a genuine payment.

Law firms are exposed to BEC because lawyers are frequently out of the office, firms routinely process large wire transfers, and many firms still do not have multi-factor authentication on their email accounts.

If your law firm suffers a data breach, Red Secure Tech can provide it with an emergency incident response to reduce its damages.

Threat 3: Phishing and Credential Theft

Phishing attacks arrive by email, often impersonating court document notifications or document-sharing requests. A lawyer receives the email, clicks the link and enters their username and password on a fraudulent website.

This gives the attacker access to the lawyer's mailbox, and with it every confidential communication stored there.

Threat 4: Third Party Vendor Breaches

Law firms usually work with third-party vendors (e.g. document management systems, IT support, e-discovery platforms and cloud storage providers). If a vendor is compromised, client data can be stolen without any direct compromise of the firm. Nevertheless, the firm remains responsible for that client data.

Red Secure Tech offers vulnerability assessments that include third-party risk evaluation.

Threat 5: Unsecured Remote Access

Lawyers work from home, from court, from coffee shops. They use public Wi-Fi at airports and hotels. Every remote connection is a potential entry point for hackers.

Threat 6: Lack of Backups

Some law firms do not back up their data at all. Others back up to the same server that holds their live data. If ransomware encrypts the server, it encrypts the backups too. Case files, client communications, billing records, all gone.

Legal and Regulatory Requirements

Law practices have legal and regulatory obligations to protect their clients' information:
1. Solicitor-client privilege (legal professional privilege): Communications between a solicitor and a client must be kept confidential. If a hacker obtains them, that confidentiality is lost, and the firm has very likely breached its duty of confidentiality to the client.

2. UK GDPR & Data Protection Act 2018: A personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the firm becoming aware of it. Maximum fines are £17.5 million or 4% of annual global turnover, whichever is higher (€20 million or 4% under the EU GDPR).

3. SRA rules: The Solicitors Regulation Authority's Standards and Regulations require firms to keep client affairs confidential and to have effective systems and controls in place, which includes protecting client information from cyber threats.

4. Cyber Essentials: Cyber Essentials certification is a precondition for certain UK government contracts, so many firms will need it before they can bid.

To help firms meet these standards, Red Secure Tech provides a range of services, including penetration testing, that law firms can use to demonstrate compliance.

How to Protect Client Data: A Practical Guide

Here is exactly what law firms need to do to protect client data.

Control 1: Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is the single most effective security control. With MFA, a stolen password is not enough: the attacker would also need the solicitor's phone or hardware security key to complete the login. Prefer an authenticator app or a FIDO2 security key over SMS codes, which can be intercepted or phished.

Where should MFA be enabled? On all email accounts, document-sharing platforms, billing software, remote-access VPNs, cloud storage, and practice management systems, without exception.

Control 2: Create Business Email Compromise (BEC) Prevention Mechanisms

Stop BEC attacks before they happen.
Payment verification protocols: Require verification by phone for wire transfers, using a callback to a number already on file (never one taken from the email requesting the payment), and/or an agreed secret or code word for wire transfer approvals. Treat any change of bank details as a red flag that must be verified the same way.

Email security: Configure your email platform to:
1. show a warning banner on emails sent from an external party
2. block automatic forwarding to external domains
3. alert the administrator when a suspicious inbox forwarding rule is created
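The three email settings above are the ones an attacker with a stolen mailbox password defeats first, so it is worth checking them rather than assuming they are in place. The following PowerShell script is an added example written for this article (it is not Red Secure Tech's code) for a Microsoft 365 / Exchange Online tenant: it turns on the external sender tag, blocks automatic forwarding to other domains, and then lists every mailbox rule or mailbox-level forward that sends mail to an address outside the firm, plus rules that silently delete mail (a common trick for hiding an attacker's replies). It assumes the ExchangeOnlineManagement module is installed, the account running it has Exchange administrator rights, and that the `$FirmDomains` list (a placeholder here) holds the firm's own email domains.

```powershell
# Added example, not part of the original article: audit an Exchange Online
# tenant for the BEC tell-tales described in Control 2.
# Assumptions: ExchangeOnlineManagement module installed, caller is an
# Exchange admin, and $FirmDomains lists the firm's own domains (placeholder).

$FirmDomains = @('example-law.co.uk')   # assumption: replace with your own domains

Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide settings: tag external senders in Outlook and block automatic
# forwarding to other domains, so a malicious rule cannot silently exfiltrate mail.
Set-ExternalInOutlook -Enabled $true
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

function Get-SmtpDomain {
    # Rule recipients look like: "Display Name" [SMTP:user@domain]
    # Mailbox forwarding addresses look like: smtp:user@domain
    # Return the domain part in lower case so it can be compared to $FirmDomains.
    param([string]$Recipient)
    if     ($Recipient -match '\[SMTP:([^\]]+)\]') { $addr = $Matches[1] }
    elseif ($Recipient -match '^smtp:(.+)$')        { $addr = $Matches[1] }
    else                                            { $addr = $Recipient }
    return ($addr -split '@')[-1].ToLower()
}

function Test-ExternalDomain {
    param([string]$Domain)
    return ($FirmDomains -notcontains $Domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, set by an admin or through a compromised account
    if ($mbx.ForwardingSmtpAddress) {
        if (Test-ExternalDomain (Get-SmtpDomain $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                               Rule = '-'; Target = "$($mbx.ForwardingSmtpAddress)" }
        }
    }
    # Inbox rules created in Outlook, or by an attacker using stolen credentials
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ })
        foreach ($t in $targets) {
            if (Test-ExternalDomain (Get-SmtpDomain "$t")) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                                   Rule = $rule.Name; Target = "$t" }
            }
        }
        # Rules that delete mail are a classic BEC trick to hide the attacker's replies
        if ($rule.DeleteMessage) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                               Rule = $rule.Name; Target = '(deletes messages)' }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path '.\forwarding-audit.csv' -NoTypeInformation
} else {
    Write-Host 'No external forwarding or message-deleting rules found.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an admin workstation after a suspected BEC incident and on a schedule; every row in the CSV is either a rule a lawyer can explain or evidence of a compromised mailbox that needs a password reset, session revocation and an incident response call.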

Control 3: Secure Remote Access

Lawyers need to work remotely, and the firm must support that securely.
1. Require a VPN for all remote access to firm resources.
2. Require multi-factor authentication to connect to the VPN.
3. Allow only devices that comply with the firm's device policy.
4. Disable Remote Desktop Protocol unless it is absolutely necessary, and never expose it directly to the internet.

Control 4: Educate Lawyers and Staff

Technology is not the only answer; people must be trained as well.
Annual security awareness training for all employees: How to spot phishing emails, why MFA is important, how to handle client data securely, and what to do if they suspect a breach.

Test your training with phishing simulations. See who clicks. Provide immediate training to those who fail.

Control 5: Back Up Client Data

Backups are your last line of defence against a ransomware attack.

Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy off-site.

Critical backup requirements: backups must be immutable (they cannot be deleted or altered, even with administrator credentials), they must be tested regularly by actually restoring files, and at least one copy must be offline or otherwise unreachable from the production network.

Control 6: Segment Your Network

Do not put everything on the same network. Put the client file servers on one network segment, guest Wi-Fi on another, and printers and IoT devices on a third, with firewall rules that allow only the traffic each segment needs.

If a receptionist clicks a phishing link, the attacker lands on a segment that cannot reach the client files directly, which makes that foothold far harder to turn into a breach.

Control 7: Manage Vendors

Your vendors are an extension of your firm. Vet them.
Questions to ask vendors: Do they enforce MFA? Do they encrypt client data? Do they have a breach notification policy? Do they carry cyber insurance?

Your contracts should require vendors to notify you of a breach within 24 hours, to submit to security audits, to delete client data at the end of the engagement, and to carry sufficient cyber insurance.

Control 8: Encrypt your client data

If an encrypted device or drive is stolen, the data on it stays protected.
At rest: All client files on laptops and servers should be encrypted, as should all cloud storage holding client files.

In transit: Use TLS for all web traffic and file transfers, and use encrypted email or a secure client portal for sensitive documents.

Full disk encryption: Make sure BitLocker is enabled on Windows laptops and FileVault on Mac laptops. This is a requirement. Store the recovery keys centrally (for example in Active Directory, Microsoft Entra ID or your device management platform), not on the laptop. Note that disk encryption protects lost or stolen hardware; it does nothing against an attacker who logs in with a stolen password, which is why MFA comes first.
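Two of the laptop requirements on this page, BitLocker on the system drive (Control 8) and Remote Desktop switched off (Control 3, item 4), are easy to state in a policy and easy to drift out of in practice. The PowerShell script below is an added example written for this article (not Red Secure Tech's code) that checks both across a list of Windows laptops in one pass and includes a function to fix a non-compliant machine. It assumes PowerShell Remoting (WinRM) is enabled on the laptops, the caller is a local administrator on them, the laptops are domain-joined so the recovery password can be escrowed to Active Directory, and the hostnames in `$Laptops` are placeholders.

```powershell
# Added example, not part of the original article: audit Windows laptops for
# BitLocker protection on the OS drive and for Remote Desktop being disabled.
# Assumptions: WinRM enabled, caller is a local admin on each laptop,
# domain-joined machines for AD key escrow, hostnames below are placeholders.

$Laptops = @('LAW-LAPTOP-01', 'LAW-LAPTOP-02')   # assumption: replace with your fleet

$audit = Invoke-Command -ComputerName $Laptops -ErrorAction Continue -ScriptBlock {
    # ProtectionStatus is 'On' only when the volume is encrypted AND its key
    # protectors are active (a suspended BitLocker volume reports 'Off').
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # fDenyTSConnections = 1 means Remote Desktop is disabled on this machine.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        BitLockerProtection = $os.ProtectionStatus
        EncryptionPercent   = $os.EncryptionPercentage
        RecoveryKeyPresent  = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        RdpDisabled         = ($rdp.fDenyTSConnections -eq 1)
    }
}

# Anything in this list must be fixed before it is used for client files.
$nonCompliant = $audit | Where-Object {
    $_.BitLockerProtection -ne 'On' -or -not $_.RecoveryKeyPresent -or -not $_.RdpDisabled
}
$audit | Format-Table -AutoSize
$nonCompliant | Export-Csv -Path '.\endpoint-audit.csv' -NoTypeInformation

function Invoke-EndpointHardening {
    # Run ON a non-compliant laptop as an administrator. Adds a recovery password
    # protector, enables (or resumes) BitLocker with a TPM protector, escrows the
    # recovery password to Active Directory, and turns Remote Desktop off.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    } elseif ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint   # encrypted but suspended
    }
    # Escrow the recovery password centrally so a hardware fault or a forgotten
    # PIN cannot lock the firm out of its own files. (Assumes on-prem AD; use
    # BackupToAAD-BitLockerKeyProtector for Entra ID-joined devices.)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }

    # Disable Remote Desktop and close its firewall rules.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
```

The audit half is read-only and safe to schedule; the hardening function changes the machine and should be run deliberately, machine by machine, after confirming the laptop has a TPM and that key escrow is working, because a recovery password that was never backed up is the one way full disk encryption can lose the firm its own data.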

Control 9: Create an Incident Response Plan

When a breach happens, you will not have time to figure out what to do. Plan now.

Your incident response plan should include: Who to contact first, how to preserve evidence, when to notify clients, how to communicate with affected clients, who is responsible for media inquiries, and how to restore from backups.

Practice the plan with a tabletop exercise once a year. Red Secure Tech offers penetration testing that includes incident response readiness evaluations.

Control 10: Obtain Cyber Insurance

Cyber insurance does not mitigate your risk of experiencing a breach; however, it assists you with recovering afterward.

A typical policy may cover the following: Ransom payments, forensic investigations costs, legal fees, credit monitoring services for affected clients, and public relations assistance.

Read the small print carefully: a number of policies require you to have certain security controls in place (MFA and tested backups are common examples) and may decline a claim if you did not.

Law Office Security and Safety Checklist

Immediate:

1. Enable MFA for every email account.
2. Add a banner that flags emails from external senders.
3. Run phishing simulations for staff and teach them what to do when they receive a suspicious email.
4. Change every default password on firm devices (routers, firewalls, printers, Wi-Fi access points) and replace any weak or reused passwords.

Short Term:

1. Back up all your files following the 3-2-1 rule; for example, a copy in the cloud, a copy on an external drive, and the live data on-site.
2. Make it mandatory for employees to use the VPN when working from home.
3. Encrypt all laptops and USB flash drives used by the firm.
4. Review the security requirements in all vendor contracts.
5. Develop an incident response plan for your law firm.

Long Term:   

1. Have a segmented structure for the technology infrastructure.
2. Get Cyber Essentials certification.
3. Get a Cyber Liability Policy.
4. To test the incident response plan, conduct a tabletop exercise.
5. Create quarterly security awareness training for employees.

For help, contact Red Secure Tech to schedule a comprehensive security assessment for your law firm. Use the results to address your risks and demonstrate compliance.

The Bottom Line

Cybercriminals target law firms. Law firms store a large amount of confidential and sensitive information (client data), frequently wire transfer large amounts of money, and many law firms have poor physical and cyber security compared to other professional service firms.

Your clients have trusted you with their data; if it is compromised, that trust is broken.

Law firms should protect themselves and their clients by enabling MFA on all accounts, training employees to recognise phishing, backing up client data to immutable offline storage, requiring VPN access for all remote access, and encrypting all laptops.

Do not do any of the above only because a regulation requires it; do it for the sake of the trust your clients have placed in you, given the sensitive nature of the information you hold for them.

You need to do this today; your clients cannot wait.

Red Secure Tech can help. Go to Red Secure Tech to see how we can assist with your law firm's and your clients' cybersecurity.

FAQ Section

Do small law firms need cybersecurity or is this only for large firms?

Small law firms are often more vulnerable than large firms. Attackers know that small firms have fewer resources and weaker security. Red Secure Tech offers affordable security assessments tailored to small and medium law firms.

Is email secure enough to send client documents?

Standard email is not end-to-end encrypted. Encryption between mail servers is opportunistic, every server that handles a message can read it, and so can anyone who compromises either mailbox. Use encrypted email or a secure client portal for sensitive documents.

What steps should I take after uncovering a data breach? 

Isolate the compromised device from the network but leave it intact so evidence can be preserved, contact your cyber insurance provider, engage a forensic IT company, notify any clients you are legally obliged to inform, reset all passwords and revoke active sessions, and restore from clean backups. Red Secure Tech also provides urgent assistance when an incident occurs.

How frequently should law firms provide security awareness training? 

At a minimum, once every 12 months, with phishing simulations on a quarterly basis; many law firms now deliver the training every six months.

Should law firms obtain Cyber Essentials Certification? 

Yes, Cyber Essentials Certification shows your clients and regulators that you have implemented basic security measures to protect data. Red Secure Tech can assist you in obtaining Cyber Essentials Certification within the scope of their security services.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067