Posted by Gina Than Sep 23, 2023 5:19:44 AM

In 2021, the American Bar Association found that a staggering 25% of law firms had fallen victim to data breaches at some point.

With the global average cost of a data breach estimated at US$4.24 million, according to a report published by IBM Security, law firms that aren’t already scrambling to fortify their cybersecurity measures may find themselves sitting ducks.

Any legal professional not living under a rock in 2016 will have heard of the Panama Papers and the subsequent folding of Mossack Fonseca - the threat of total and complete cybersecurity disaster for law firms is never too remote to be discounted.

This was underscored yet again in April 2023 with the news that two prominent law firms (Proskauer Rose and HWL Ebsworth) were reported to have encountered major data breaches. Their stories highlight that no one is safe: cybersecurity is an ongoing battle and neglected at peril.

Ransomware Attack

HWL Ebsworth (Australia) was targeted by ALPHV/Blackcat resulting in the theft of a colossal 4TB of sensitive data. The compromised information included identities, financial reports, client documentation, and even credit card details; as part of their campaign, the hackers released around 1.5TB of data onto the dark web.

The aftermath of this attack plunged the firm into a long and arduous battle with reported expenditures of over $250,000, and a staggering 5,000 hours spent in an attempt to reclaim control. 

ALPHV/Blackcat has been labelled a “ransomware-as-a-service” (RaaS) group - for those less familiar, this model allows affiliates to pay to use ransomware, which makes such attacks significantly easier. This enables even those who lack technical sophistication to deploy ransomware against their targets with comparative ease.

 

Human Negligence / Error 

In a startling revelation, it was found that for over six months Proskauer Rose (USA) had exposed confidential client data to anyone with an internet connection. The firm attributed this lapse to a vendor engaged to create an information portal - there were inadequate access control measures on an unsecured Microsoft Azure cloud server. 

This incident highlights a crucial reality that many choose to ignore: while hackers are responsible for many data breaches, a more significant number stem from simple human error. This is backed by a comprehensive study conducted by Stanford University in 2020, which found that a whopping 88% of data breaches could be attributed to negligence.

These high-profile cases, while alarming, are likely just the tip of the iceberg. The prevailing sentiment is that there are two kinds of victims: those that have fallen prey and are painfully aware of it and those that have been breached but remain blissfully unaware (for now).

This begs the question: how can your law firm mitigate its risk from cyber-threats?

 

Security Audit

As the digital landscape constantly evolves, so do the tactics employed by cybercriminals. A proactive approach that any serious law firm should consider is the regular conduct of comprehensive security audits. These exercises serve as a means to systematically identify vulnerabilities within your systems.

So by routinely conducting risk assessments, law firms improve the probability of their defence strategies being agile and responsive. An improved understanding of your firm’s weak spots will better equip you to take preemptive measures, significantly reducing your firm's susceptibility to cyberattacks and data breaches.

 

Access Controls

Another crucial measure is imposing stringent controls on information access within your organisation.

Jim Jones, a senior fellow at the Centre on Ethics and the Legal Profession, highlights a common oversight: many law firms permit broad access to client information across the entire organisation. This indiscriminate dissemination of data leaves the firm susceptible to a myriad of vulnerabilities. Fortunately, rectifying this is usually quite simple.

The right Practice and Management System (PMS) will allow you to customise and control access, significantly curtailing the risks of data breaches. If you aren’t already familiar with access control, it is a data security practice that allows organisations to meticulously govern which users possess the privilege of accessing specific information. A fringe benefit is that employees can be restricted to viewing matters to which they require access only, reducing business risk associated with conflicts of interest, employee malice and the like.

With the integration of a streamlined workflow automation system, you gain the ability to control individual user authority to view or modify files and case documents without compromising data access speed.

Employee Training and Awareness

Recent findings from the Solicitors Regulation Authority spotlight an unsettling trend: an astonishing 20% of the surveyed firms had neglected to provide their staff with specialised cyber training.

Whilst it would be unrealistic to expect all employees to be comprehensively well-versed in state-of-the-art data security practices, basic training and reminders remain the simplest and most effective tools, and can prove the difference between safety and disaster. 

The onus therefore falls upon firms’ management to conduct comprehensive training initiatives to familiarise employees with best practices for data security. This would include adeptly detecting and thwarting threats such as phishing attacks (still one of the most common tactics employed by cybercriminals) and imparting knowledge about password and data hygiene. 

 

Multi-factor Authentication

If you haven't done so already, multi-factor authentication (MFA) should be implemented immediately. MFA is widely regarded as an effective first line of defence against vulnerabilities such as phishing, brute-force attacks, or password leakages as a result of data breaches. 

 

Private Cloud 

An additional step to fortify your firm’s data security is the adoption of a private cloud. 

Although both public and private cloud environments offer a significant security upgrade over individual hard drives, private clouds distinguish themselves by providing an added layer of data protection.

Their dedicated nature, confined exclusively to a single organisation, severely reduces the chances of unauthorised access and potential data breaches. For a more comprehensive understanding of how the private cloud bolsters data security, delve into our earlier article on this subject.

OK–what now?

Tessaract’s unwavering commitment to data security is exemplified by our ISO 27001 certification (considered one of the gold standards for information security management) and is testament to our dedication to fortifying your business against threats.

Built from the ground up to be cloud-native, our PMS solution offers unrivalled security and scalability, to safeguard your firm's data integrity and future. If you’re interested in learning more about how Tessaract can help improve your firm’s approach to data security, please reach out.

Gina Than

Written by Gina Than