What Law Firms Need to Know About Cybersecurity
To most people, the documents on a lawyer’s laptop wouldn’t exactly make for riveting reading material. But if you’re a hacker, it’s a different story. Law firms are the perfect target for clandestine dabbling in insider trading, intellectual property theft, trade secrets, and more. For cybercriminals who want the upper hand in lawsuits or negotiations, or simply a bit of ransom money, a lawyer’s hard drive can be gold.
This is how law firms can increase their cybersecurity and reduce the risk of hacking.
How hacks happen
Within the hacker community, law firms are ideal targets for two reasons. There’s the sensitivity of the information they handle, of course, but also the fact that many small firms haven’t adopted the tech to keep them safe. And even major firms that can afford robust solutions are nonetheless vulnerable. In May 2020, a high-profile firm representing celebrity clients like Lady Gaga and Madonna experienced a ransomware attack.
Security breaches have grown so common for law firms that, sadly, it’s not unwise to adopt the philosophy of “when, not if.” A breach can include incidents like a lost or stolen computer or smartphone, a hack, a physical break-in, or a website exploit. Some estimates predict that cybercrime will increase by 70% over the next five years. And according to the ABA, 42% of law firms with up to 100 employees have experienced a data breach.
Blame for the breach
Frustratingly, many hacks happen via third-party vendors, not the law firm itself. There were two such security breaches at global law firms in February 2021. Hackers accessed mediation documents and other confidential client material, but not through email phishing or predictable passwords. In one case, the blame fell on a file transfer software platform used by the law firm. Hackers claimed to have stolen documents from the firm and posted on the internet screenshots allegedly taken from its files.
Internally at each firm, best practices for cybersecurity were in place, yet both had to inform clients that criminals may have seen their private information. That’s a difficult situation to be in, especially if you’re not directly responsible. “It’s not our fault, we swear!” is cold comfort to clients.
Make a counterstrategy
For lawyers, cybersecurity can feel daunting. It helps to break a counterstrategy down into tactics to prepare for threats. Start by zeroing in on three P’s: policies, proaction, and partners.
- Policies: Within your organization, institute company-wide best practices for cybersecurity health. Humans will always make mistakes, but regular training and phishing tests can prevent small errors. Enforce strong passwords, use multi-factor authentication, and update permissions to keep data access tight and lean. Lastly, create a detailed response plan so that if/when a breach happens, you know what steps to take.
- Proaction: Be proactive about your security audits. A good rule of thumb is to schedule quarterly internal audits (conducted by your own team), and annual external audits (conducted by an outside party). Sample checklists for internal audits can be found online — find one that works, and tick off the boxes. Generally speaking, that internal checklist might include things like physical security, a roundtable with the IT department, data backups and encryption, and employee training.
- Partners: Finally, make sure you understand the privacy policies of your business partners. Almost two-thirds of data breaches are linked to external vendors, so invest in the right tech and make sure you have a thorough procurement process in place. The most secure platforms can protect you from becoming a statistic. Notarize is one of the most trusted partners for law firms looking to digitize their business. Electronically signed and notarized legal documents are highly sensitive, which makes it imperative to collect and manage them on a platform whose goal is to bring trust online.