“Did you hear that [insert large corporation here] was hacked?”
It seems like this question—along with a word of warning to anyone holding an account with said corporation—comes up every few weeks in conversations with friends, colleagues, and even my mom. Data breaches are habitually making headlines with stories about hackers after personal consumer data, extortionists using ransomware for financial gain, or hacktivists looking to blow the whistle on unethical or illegal activity.
It was hard to miss headlines about the Equifax breach where hackers accessed the sensitive personal information of millions of Americans. Other buzzworthy cybercrime incidents—such as the Ashley Madison breach—were conducted by hackers who wanted to expose a scandal.
As corporations respond to breaches, there’s no doubt a law firm is helping them pick up the pieces. But how well are law firms looking out for themselves?
Putting a Target on the Backs of Law Firms
Because law firms help their clients with the nitty gritty details for mergers and acquisitions, intellectual property, and other confidential business activities, they’re prime targets for hackers. They have a treasure trove of information that cyber pirates can use for insider trading schemes or to expose individuals.
Take the Panama Papers breach in 2016. More than 11 million files were leaked from the database of a Panama-based law firm. The documents exposed the offshore dealings of several world leaders as well as more than 100 politicians and public officials. While that firm might have been targeted for its high-profile clients and offshore services, it’s part and parcel of every law firm’s business to house and discuss sensitive client information.
Another 2016 law firm attack that didn’t get as much air time surrounded an insider trading ruse. The Securities and Exchange Commission (SEC) charged three traders with trading based on information stolen from two New York-based law firms. The hackers installed malware on the law firms’ networks, enabling them to access employee email accounts. Using information discovered in the confidential emails, they obtained almost three million dollars in illegal profits.
Pulling off a heist like this requires a complicated combination of hacking skills and stock market expertise. Some traders have even posted want ads on cyber criminal forums to find hackers. As the bad actors behind these crimes get increasingly sophisticated, law firms are forced to shift their focus to security.
Going All in on Security Is Key
In a post about cybersecurity takeaways from Relativity Fest 2017, April Runft shares insights from cybersecurity and forensic experts, including John deCraen, director of global security risk services at Alvarez & Marsal, who explained the biggest cybersecurity obstacle he sees in the field.
“The number one driver in most cybersecurity breaches is ineffective leadership and board culture,” deCraen said. “I find this in every organization I assess, without fail. They don’t have the budget they need; they’re woefully understaffed; they don’t have the tools or activities in place they should have.”
To run a successful cybersecurity program, you need to have the attention of leadership and enough resources to thoroughly get the job done. Of course, it’s also important to ensure the technology you use is doing its part to keep the data safe.
In a recent interview with Dan Patterson from TechRepublic, Microsoft’s chief information security officer for Azure Government Matt Rathbun and Relativity’s chief security officer Amanda Fennell discussed security in the e-discovery cloud. The two discuss why partnerships between cloud providers and software developers—such as Microsoft Azure and RelativityOne—can help keep your most sensitive data safe.
Building a Culture of Security
While your software and security experts can build a fortress around your data, security is an organization-wide responsibility. Relativity’s former chief security officer Bill Lederer offered some tips to a culture of security in the post 5 Tactics to Improve Your Security This Year. He shared a few additional tactics to help fend off some common cyber threats and vulnerabilities, including:
1. Phishing Scams
Have you ever received an email that appears to be from someone you know or an organization you work with, but something looks or sounds off? These scams are designed to obtain information by tricking you into thinking the request is from a trusted source.
2. Weak Passwords
Some password no-nos have been engrained in our brains—such as not using your birthdate as your bank pin number and never writing passwords down—but there are more bad practices that haven’t yet become common practice and could leave you susceptible to breaches.
3. Failure to Test Your Program
With hackers getting more sophisticated, it can be difficult to test for every situation. However, if you’re not running tests to stimulate real-life situations, you might miss vulnerabilities that could be proactively fixed.
4. Physical Devices
Outdated software, USB sticks and other plug-in devices, and improper network security standards can leave your organization vulnerable to attacks.
For advice about how to combat these vulnerabilities, read the full post.