You’ve Been Spoofed! Law Firms’ Best Defenses to Cyberattacks


By Melissa Heelan Stanzione

Law firms continue to struggle with cybersecurity internally, even as the breaches of Hillary Clinton’s campaign chairman’s email account during the recent presidential election provided a potent reminder of the perils of weak security.

Big Law firms are the most vulnerable: An ABA survey shows that twenty-six percent of firms with 500 or more attorneys who responded to the survey experienced a security breach in 2016.

These breaches are part of an upward trend in Big Law. In 2014, 10 percent of large law firms who responded to the survey experienced a security breach and in 2015, the number shot up to 25 percent.

Although there is increased awareness of cybersecurity threats, firms have been unable to chip away at the incidence of security breaches.

Fourteen percent of all law firms responding to the survey experienced a security breach in 2016, and this rate has remained steady for the past four years, according to an ABA report on the survey.

This number is lower than in some industries, but law firms are in a unique and potentially more dangerous situation.

‘Treasure Trove’

The combination of several factors makes law firms particularly vulnerable to attack. They must take a number of necessary steps to safeguard their information and protect against lawsuits, cybersecurity professionals told Bloomberg BNA.

Law firms are “archaic institutions” with outdated software and very sensitive data that is valuable to many different actors, Christopher L. Dore, an attorney with Edelson PC, Chicago, told Bloomberg BNA.

Often, those in control of the software aren’t technologically savvy, making the firms ripe for an attack, Dore said. Dore’s practice focuses on emerging consumer technology and privacy issues.

“Law firms have to recognize that they hold information on behalf of clients” that’s “a treasure trove of information for criminals, competitors and nation-states,” Alan Cohn, an attorney with Steptoe & Johnson LLP, told Bloomberg BNA.

Cohn’s areas of practice include cybersecurity, privacy and national security.

The firms are therefore a “highly attractive target for those entities,” he said.

Law firms should have a “plan in place for the eventuality that something will happen,” Joseph M. Lawlor, a managing director with K2 Intelligence’s cyberdefense practice, told Bloomberg BNA.

K2 Intelligence is an “investigative, compliance, and cyber defense services firm,” according to its website.

The Enemies

There are a range of adversaries out there, Lawlor said.

For instance, “there are those who are looking to immediately monetize their access to your data,” he said.

They might sell it to another criminal actor, encrypt the data until you pay, or blackmail you by threatening to release the data, Lawlor said.

There are also “sophisticated actors” who have motives that go beyond the physical theft, Cohn said.

For instance, when hackers broke into the networks at Cravath, Swaine & Moore LLP in 2015, they were allegedly looking for insider trading information.

Other motives include political embarrassment and destabilization of trust in public officials, such as what happened with Mossack Fonseca, Cohn said.

Hackers leaked documents in 2016 allegedly revealing that the firm helped thousands of people, including politicians and public figures, set up “off-shore” companies to hide their wealth and evade taxes.

Stealing intellectual property to manufacture the same technology overseas more cheaply and undercut the prices of the technology’s originators is another more sophisticated motive, Lawlor said.

“There need to be procedures, practices and training in place to educate all employees” about the threats law firms face and what they need to do when a breach occurs, he said.

The Attack

Adversaries can attack via two routes: outdated technology and spear phishing, Lawlor said.

Spear phishing is a targeted method of gaining access to a person’s confidential data via a spoofed e-mail.

A spoof is the use of falsified data, such as a forged sender address, to masquerade as someone else and gain unauthorized access to a computer system or data.
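The forged sender address described above leaves traces in the message headers that a mail gateway or analyst can check. The following is an added example, not code from the article or from any of the firms quoted in it: it runs a few defensive checks over two constructed sample messages (the firm domain examplefirm.com and every address in them are hypothetical), flagging mismatches between the From, Return-Path and Reply-To domains, SPF/DKIM/DMARC results that are missing or not “pass”, and a From domain that is a close lookalike of the firm’s own.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed: the firm's own mail domains (hypothetical value for this example).
FIRM_DOMAINS = {"examplefirm.com"}


def domain_of(header_value) -> str:
    """Return the lower-cased domain of the first address in a header, or ""."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. 'l' swapped for '1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(raw_message: str) -> list:
    """Return a list of human-readable spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))

    # The envelope sender (Return-Path) and the visible From should normally agree.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # A Reply-To pointing elsewhere is a classic way to redirect the victim's answer.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Authentication-Results is stamped by the receiving gateway (RFC 8601).
    auth_headers = msg.get_all("Authentication-Results") or []
    if not auth_headers:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC were not evaluated")
    for hdr in auth_headers:
        for token in str(hdr).replace(";", " ").split():
            mech, sep, verdict = token.partition("=")
            if sep and mech.lower() in ("spf", "dkim", "dmarc") and verdict.lower() != "pass":
                findings.append(f"{mech}={verdict}")

    # A From domain within two edits of the firm's own domain is a likely lookalike.
    for own in FIRM_DOMAINS:
        if from_dom != own and edit_distance(from_dom, own) <= 2:
            findings.append(f"From domain {from_dom} is a lookalike of firm domain {own}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
Return-Path: <bounce@mailer-example.net>
From: "Managing Partner" <partner@examp1efirm.com>
Reply-To: partner.examplefirm@webmail-example.org
To: associate@examplefirm.com
Subject: Urgent wire instructions
Authentication-Results: mx.examplefirm.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none

Please process the attached wire today.
"""

LEGITIMATE = """\
Return-Path: <partner@examplefirm.com>
From: "Managing Partner" <partner@examplefirm.com>
To: associate@examplefirm.com
Subject: Team lunch
Authentication-Results: mx.examplefirm.com; spf=pass smtp.mailfrom=examplefirm.com; dkim=pass header.d=examplefirm.com; dmarc=pass

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

Any non-empty result is a reason to quarantine the message or route it for review rather than deliver it; the checks are deliberately simple and complement, rather than replace, the gateway’s own SPF, DKIM and DMARC evaluation.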

Lawlor described how an adversary might initiate a hack.

“The first thing an adversary will do is scan your network for easy ways in,” he said.

“If you have unpatched software,” that is, outdated software, then that’s their entry method, Lawlor said.

These are “huge, huge vectors for attacks,” he said.

According to Cisco Systems, Inc.'s 2016 Annual Security Report, 92 percent of Cisco devices on the Internet are running software with known vulnerabilities.

“Aging infrastructure is growing and leaves organizations increasingly vulnerable to compromise,” the report said.

Cisco develops, manufactures and sells technology services and products.

Law firms “have to assume there are vulnerabilities in their systems,” Cohn said.

Even if they’re able to patch all known vulnerabilities, they are subject to advanced threats because of the nature of the information they hold, he said.

Law firms maintain “incredibly sensitive client information” and hold in high regard their reputations and ability to maintain privacy, which makes them such attractive targets, Lawlor said.

Secure the Perimeter

What’s a firm to do?

For starters, law firms must have a strong perimeter security program in place, Lawlor said.

Firms without this type of program could be exposed to liability, even if no data has been compromised.

A lawsuit against Johnson & Bell alleges it failed to protect confidential client information.

No claim has been made that information was stolen.

The firm’s unpatched security system nevertheless put client information at risk, the complaint says.

The suit hit a roadblock Feb. 22 when a federal district court judge ruled that claims had to be heard individually in arbitration, not as a class.

“The industry is notoriously behind the times and is unregulated in terms of security,” Dore said.

Dore is an attorney with Edelson PC, which represents the plaintiffs in the Johnson & Bell lawsuit.

Avoid Exposure

To avoid exposing client information, a strong perimeter security program must be in place with several components, Lawlor said.

  •  A properly configured and updated firewall. A firewall inspects inbound and outbound traffic, blocks attacks and filters bad traffic.
  •  Strong passwords.
  •  A two-factor authentication requirement for access to any publicly accessible service. An example is a user name and password along with a unique six-digit numeric security code.
  •  Endpoint monitoring solutions for all devices in the network. This is a combination of an anti-virus program and software tools that can detect bad activity on each device.
  •  Updated software, which includes operating systems and the software running on those systems.
  •  Trained employees. Employees should know what the threats look like so they don’t fall victim to them. If they do, they must know what procedures to follow to remedy the situation and whom to contact.

“It’s eye-opening to see how many vulnerabilities there are out there,” Lawlor said.

Even with these measures in place, adversaries will try another approach to breach a firm’s security, he said.

In that case, “the easy way in is through your people,” Lawlor said.

This includes a method like spear phishing.

Go Phish

Spear phishing can happen when an actor either spoofs an e-mail address or compromises a personal e-mail account, enabling him or her to send e-mails directly from that account, Lawlor said.

Once a spear phishing victim opens the phony e-mail, they are compelled to do something, like click on a weaponized link, which injects malware onto their computer, he said.

Malware is software intended to disable or damage computer systems.

At a typical company, about 12 percent of employees will try to click on such a link, Lawlor said.

Due Diligence

“The best security measure against spear phishing is prevention,” Lawlor said.

This includes assessments and training, he said.

Firms should get quarterly cyber-risk and vulnerability risk assessments “for ever,” Lawlor said.

Lawlor recently conducted such a test for a client and “we found dozens of devices on a client’s network that they didn’t know they had,” he said.

Firms must do “due diligence to know all the assets under” their roofs and “make sure they are protected,” Lawlor said.

Plan for Breach

There has to be a plan in place for the eventuality that a breach will occur, Lawlor said.

An incident response plan must:

  •  clearly lay out responsibilities and roles within the organization for how to handle breaches;
  •  clearly delineate the communication chain with redundancies in case someone is sick or quits; and
  •  include practice scenarios with simulated attacks.

Firms also need to back up all data off-site because otherwise, once you’re hacked, your choices “are limited to never seeing the data again or paying a ransom,” Lawlor said.

Understanding the threats will also help protect your firm, Cohn said.

Information sharing arrangements such as ones offered by the Legal Services Information Sharing & Analysis Organization are a step in the right direction, he said.

By sharing their information, LS-ISAO members provide “threat indicators” for the organization’s analysts to research, which can lead to “actionable intelligence for dissemination,” according to the group’s website.

Cost Comparison

The costs a large law firm can expect to incur to update its security and then maintain it aren’t small but they don’t compare to those that result from a system breach, Dore said.

It might cost several hundred thousand or even $1 million to maintain a system but that’s “a heck of a lot smaller than the risk,” he said.

After a breach, a firm can expect long-term costs to include the loss of dozens of clients and there’s a potential for “massive malpractice claims,” Dore said.

To contact the reporter on this story: Melissa Heelan Stanzione in Washington at mstanzione@bna.com

To contact the editor responsible for this story: Jessie Kokrda Kamens at jkamens@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
