It seems that in recent years certain “industries du jour” have popped up as the favorite targets of hackers. Right now (and for the foreseeable future) law firms have become ground zero for security breaches, a favorite target because of a perceived lack of strenuous security protocols. Whether or not that perception is accurate, it still fuels opportunists looking for more “penetrable” defenses.

Protecting the Sensitive and Valuable Data Stored by Law Firms

Behind every eye-catching headline is a legal industry fighting it out, supporting entrepreneurs and big corporations in a power struggle to dominate their markets. From patent disputes to employment contracts, law firms handle a great deal of sensitive information, and that confidential information ends up stored on the enterprise systems the firms use.

This makes them a juicy target for hackers who want to steal consumer information and corporate intelligence. For an example, look no further than the Panama Papers: “…an unprecedented leak of 11.5m files from the database of the world’s fourth-biggest offshore law firm, Mossack Fonseca.”

Although devastating, it is only one of many law firm data breaches. Not long ago, news broke that a ransomware attack had been successfully executed against yet another multinational firm, DLA Piper. The attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cybersecurity challenge. And solving this problem starts with helping firms realize they’ve been victims.

A staggering 40% of law firms did not know they had been breached in 2016.

LogicForce’s Law Firm Cybersecurity Scorecard includes an array of assessments, from cyber defenses and crisis management procedures to post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most law firms, so they rely instead on consumer-grade technology that is ill-equipped for the threats they face.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available (thanks in part to NYC IT security firms like Krantz Secure Technologies).

Preparing Law Firms for Data Breaches

There are things attorneys and other legal professionals can do to start upping their defenses. Here’s a list of ways law firms can guard against security breaches:

  1. The American Bar Association has published a comprehensive guide for law firms covering both the prevention of and the response to cyber attacks.
  2. Firm managers need to create a data security plan that speaks to every member of the team, and educate employees on how to recognize phishing and other social engineering attacks designed to fool people into compromising the network.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. Once you have identified vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access to what each user needs and requires authorized users to change their credentials regularly.
  5. Check weekly for patches and other updates, not just to security software but to operating systems, application servers, and business applications as well; an application server left years out of support is exactly what the case discussed below turned on.
  6. Develop a comprehensive breach response plan. Once you have been hacked, it is too late to develop a competent response that protects the firm’s reputation.

It’s our hope that legal professionals will wake up to the realities of cyber threats in the legal industry. We’ve witnessed the catastrophe that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

Mobility at Risk

As law firms become more mobile, they face substantially greater challenges meeting their ethical obligation to keep client information confidential. The progress, convenience, and efficiency that technology has brought to law practices carry with it a risk against which we must be vigilant.

According to the American Bar Association’s 2016 Legal Technology Survey Report, more than one-quarter of firms with more than 500 lawyers admitted they had experienced some type of breach. Approximately 40 percent of those firms reported significant business downtime and lost billable hours, approximately 25 percent recounted hefty fees to correct the problems, and about one in six reported a loss of important files and information.

In short, no law firm is immune to cybercrime. In fact, “we may see a development of more stringent, client-driven data security obligations baked into the engagement letter,” opines Tyler G. Newby, San Francisco, co-chair of the ABA Section of Litigation’s Privacy & Data Security Committee. “This may be similar to how businesses require certain security processes of their vendors, for example under a business associate agreement.”

Law Firms and Inadequate Cybersecurity

On December 8, 2016, Judge John Darrah of the Northern District of Illinois unsealed the complaint in Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd. Johnson Bell is a Chicago-based firm with approximately 100 attorneys, and it is one of the 500 largest law firms in the country.

Shore hired Johnson Bell in August 2014 to defend a lawsuit, depositing $30,000 into the firm’s trust account. Johnson Bell terminated its representation of Shore in February 2015.

Shore styles the case as a class action, seeking damages under separate counts for breach of contract (legal malpractice), negligence, unjust enrichment, and breach of fiduciary duty.

According to the court, Shore filed its complaint in April 2016, under seal, because “the documents initiating the case . . . ‘reveal[ed], in explicit detail, where and how [Johnson Bell] has left its clients’ confidential information unsecured and unprotected,'” allegedly exposing plaintiffs to “‘a heightened risk of . . . injuries.'” The case is part of a larger effort by the plaintiff’s attorneys to investigate, identify, and sue major law firms with inadequate cybersecurity.

Information held by law firms is commercially sensitive, and most communication is done via email, including the sending and receiving of privileged documents, which makes firms “particularly vulnerable” to hackers, says Peter Wright, founder of DigitalLawUK.

According to Wright, firms’ email systems are “frequently unencrypted end to end, and sometimes the servers themselves are unencrypted.” If confidential information is illicitly obtained, particularly that relating to business deals and mergers, it could be used for insider trading or be sold to a third party.

A key problem, says Wright, is the “haphazard development” of firms’ IT systems, which often have “inherent problems” and lack strategic security plans. Firms also often worry, he says, that clients, to whom “they are beholden,” will dislike less convenient encrypted solutions.

In 2016, the insurer QBE estimated that hackers had stolen £85 million from British law firms over 18 months, after learning that firms tend to make bank transfers on Fridays and then posing as lawyers or clients. This has been “a real problem for the part of the profession in real estate,” says Wright, although firms are wising up to it.

Alleged Technology Vulnerabilities

Among other things, the complaint identifies “three instances of a ‘JBoss Vulnerability.’ Plaintiffs contend the vulnerabilities compromise the security of their confidential information.”

First, the complaint alleges that Johnson Bell’s “Web time tracking system” was built on a “‘JBoss Application Server,’ which implements Java (a virtual computing language).” According to Shore, when the complaint was filed in April 2016, Johnson Bell’s “JBoss system [wa]s woefully out‑of‑date and suffers from a critical vulnerability.”

Johnson Bell was, at the time of the complaint, still running JBoss version 4.0.2, which the complaint alleges was introduced in 2005 and carried an “end of life” recommendation. According to the complaint, the most current version of the product, by then renamed “WildFly,” was version 10.

Red Hat, JBoss’s publisher, states on its website that the JBoss 4.0 family was introduced in September 2004, that full support ended in September 2007, and that maintenance support ended in September 2009. That would mean Johnson Bell had possibly been running an unsupported product for more than six years when the complaint was filed.

Judge Darrah unsealed the complaint, which had been sealed on Shore’s motion, over Johnson Bell’s objection, because Johnson Bell had fixed the JBoss vulnerability less than three weeks after the complaint was filed.

The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security, reported in September 2013 “that the vulnerability [in JBoss 4.0.2] was ‘network exploitable'[;] had a ‘low’ level of access complexity[;] ‘[a]llows unauthorized disclosure of information; [a]llows unauthorized modifications; [and a]llows disruption of service.” It applied its highest subscores (10.0) for both the impact and the exploitability of the vulnerability. In CVSS v2 terms, that describes a weakness reachable over the network, requiring no authentication, and giving an attacker complete control over the confidentiality, integrity, and availability of the system: a base score of 10.0, the maximum.

The complaint alleges that hackers exploit the vulnerability to install “SamSam ransomware,” which encrypts files on the compromised systems and on the devices reachable from them. The successful attacker then demands payment to decrypt the files.
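The first thing an outside assessment should catch is the situation just described: an application server whose own response headers announce a version that the vendor stopped supporting years ago. The following check is an added example, not code from the complaint, from Red Hat, or from Krantz. It fingerprints JBoss 4.x from the `X-Powered-By` header those servers emit and compares the version family against a support-lifecycle table; the 4.0 dates are the ones quoted above from Red Hat, while the sample responses, the exact filing day of the complaint, and the day-of-month for the lifecycle dates are constructed for the example.

```python
import re
from datetime import date

# Vendor support dates by major.minor family. The 4.0 entry carries the dates
# the text quotes from Red Hat (day-of-month assumed); any family not listed
# here is reported as "unknown" rather than guessed.
SUPPORT_LIFECYCLE = {
    (4, 0): {"full_support_end": date(2007, 9, 30),
             "maintenance_end": date(2009, 9, 30)},
}

# The complaint was filed in April 2016; the exact day is assumed for the example.
COMPLAINT_FILED = date(2016, 4, 1)

# JBoss 4.x advertises itself in the X-Powered-By response header, e.g.
# "Servlet 2.4; JBoss-4.0.2 (build: CVSTag=JBoss_4_0_2 ...)/Tomcat-5.5".
_JBOSS_RE = re.compile(r"JBoss-(\d+)\.(\d+)\.(\d+)")


def parse_jboss_version(headers):
    """Return (major, minor, patch) from X-Powered-By, or None if not JBoss."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    match = _JBOSS_RE.search(lowered.get("x-powered-by", ""))
    return tuple(int(g) for g in match.groups()) if match else None


def assess_support(headers, today):
    """Classify a server's vendor-support status as of `today`.

    The returned dict has "status" in {"not_jboss", "unknown", "supported",
    "maintenance_only", "unsupported"} and, for unsupported servers, the
    number of whole years since maintenance support ended.
    """
    version = parse_jboss_version(headers)
    if version is None:
        return {"status": "not_jboss"}
    dates = SUPPORT_LIFECYCLE.get(version[:2])
    if dates is None:
        return {"status": "unknown", "version": version}
    if today <= dates["full_support_end"]:
        status = "supported"
    elif today <= dates["maintenance_end"]:
        status = "maintenance_only"
    else:
        status = "unsupported"
    result = {"status": status, "version": version}
    if status == "unsupported":
        result["years_unsupported"] = (today - dates["maintenance_end"]).days // 365
    return result


# Constructed sample responses for the example: the first mirrors the version
# named in the complaint, the second is a server that is not JBoss at all.
SAMPLE_JBOSS_HEADERS = {
    "Server": "Apache-Coyote/1.1",
    "X-Powered-By": "Servlet 2.4; JBoss-4.0.2 (build: CVSTag=JBoss_4_0_2 "
                    "date=200505022023)/Tomcat-5.5",
}
SAMPLE_OTHER_HEADERS = {"Server": "nginx/1.10.0"}

if __name__ == "__main__":
    for headers in (SAMPLE_JBOSS_HEADERS, SAMPLE_OTHER_HEADERS):
        print(assess_support(headers, COMPLAINT_FILED))
```

Run against the constructed JBoss response as of April 2016, the check reports the server as unsupported for six whole years, which is the gap the text computes from Red Hat’s dates. A real assessment would feed it the headers from every internal web application, not just the public ones, since the time-tracking system in the complaint was exactly the kind of back-office service that tends to be forgotten. Servers that suppress `X-Powered-By` need a different fingerprint, so an empty result is “unknown,” not “safe.”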

The complaint alleges two additional specific vulnerabilities. First, it alleges that Johnson Bell’s virtual private network (VPN) “supports insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks.” This is the older TLS renegotiation weakness that RFC 5746 was written to close: a server that does not implement the secure renegotiation extension lets an attacker who can intercept the connection splice a request of their own in front of the victim’s. Second, it alleges that the way Johnson Bell ran its email system left it subject to the “DROWN attack,” which allegedly “allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.” DROWN targets servers that still accept the obsolete SSLv2 protocol, and its reach is not limited to the mail server: an attacker who can make SSLv2 connections to one service can use it to decrypt TLS sessions to any other service, such as the VPN or the firm’s web servers, that presents the same private key.
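Both alleged weaknesses are visible from the outside with nothing more than `openssl s_client`, which prints whether the server offers secure renegotiation and which protocol it negotiated. The audit below is an added example, not code from the complaint or from Krantz: it parses that output for each service, flags missing RFC 5746 support and SSLv2 acceptance, and then propagates the DROWN finding to every other service presenting the same private key, since that shared key is what makes the mail server’s SSLv2 listener a problem for the VPN. The `s_client` transcripts, the service names, and the key identifiers (assumed to be public-key fingerprints collected separately) are constructed for the example; note also that current OpenSSL builds no longer speak SSLv2 at all, so the SSLv2 probe in practice comes from an old build or a dedicated scanner.

```python
import re

# Lines as printed by `openssl s_client`. The renegotiation line reports
# whether the server implements the RFC 5746 extension.
_RENEG_RE = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.M)
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def parse_s_client(output):
    """Summarise one `openssl s_client` run as a dict.

    A failed handshake leaves "Cipher : 0000" in the session block and, as a
    trap for the unwary, still prints "Secure Renegotiation IS NOT supported",
    so nothing is concluded from a run whose handshake did not complete.
    """
    cipher = _CIPHER_RE.search(output)
    handshake = cipher is not None and cipher.group(1) != "0000"
    proto = _PROTO_RE.search(output)
    reneg = _RENEG_RE.search(output)
    return {
        "handshake": handshake,
        "protocol": proto.group(1) if (handshake and proto) else None,
        "secure_reneg": (reneg.group(1) is None) if (handshake and reneg) else None,
    }


def audit_services(services):
    """Flag insecure renegotiation and SSLv2 per service, then propagate DROWN.

    `services` maps a name to {"key_id": <identifier of the server's private
    key, e.g. a public-key fingerprint>, "runs": [s_client outputs]}. DROWN
    needs only one SSLv2 listener per key: every service presenting that key
    is exposed, even if it negotiates modern TLS itself.
    """
    findings = {name: [] for name in services}
    sslv2_keys = set()
    for name, service in services.items():
        for run in service["runs"]:
            parsed = parse_s_client(run)
            if not parsed["handshake"]:
                continue
            if parsed["secure_reneg"] is False:
                findings[name].append("insecure renegotiation (no RFC 5746 support)")
            if parsed["protocol"] == "SSLv2":
                findings[name].append("accepts SSLv2 (directly DROWN-exploitable)")
                sslv2_keys.add(service["key_id"])
    for name, service in services.items():
        directly = any("accepts SSLv2" in f for f in findings[name])
        if service["key_id"] in sslv2_keys and not directly:
            findings[name].append("shares a private key with an SSLv2 service (DROWN-exploitable)")
    return findings


# Constructed s_client transcripts, trimmed to the lines the parser reads.
VPN_TLS_RUN = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""
MAIL_TLS_RUN = """CONNECTED(00000003)
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
MAIL_SSLV2_RUN = """CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
"""
WEB_SSLV2_REFUSED_RUN = """CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
"""

# Assumed topology for the example: the mail and web servers present the same
# certificate and private key, the VPN has its own.
SERVICES = {
    "vpn": {"key_id": "sha256:vpn-key", "runs": [VPN_TLS_RUN]},
    "mail": {"key_id": "sha256:shared-key", "runs": [MAIL_TLS_RUN, MAIL_SSLV2_RUN]},
    "web": {"key_id": "sha256:shared-key", "runs": [MAIL_TLS_RUN, WEB_SSLV2_REFUSED_RUN]},
}

if __name__ == "__main__":
    for name, issues in audit_services(SERVICES).items():
        print(name, issues or ["no findings"])
```

In the constructed topology the VPN is flagged only for renegotiation, the mail server for accepting SSLv2, and the web server, which refuses SSLv2 and negotiates TLS 1.2 cleanly, is still flagged because it shares the mail server’s key. That last finding is the one a firm is most likely to miss when it checks each server in isolation, and it is why the fix for DROWN is to disable SSLv2 on every listener that holds the key, not just the one a scanner happened to hit.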

[Source credits: American Bar Association, CIO.com, Business Insider]

In Short, You Need Krantz to Prevent Your Law Firm’s Next Security Breach

Our K-Secure White-Glove Managed Services include:

  • 24/7 Support
  • Network Monitoring
  • Proactive Maintenance
  • Patching and Upgrades
  • Vendor Management
  • IT Strategy
  • Mobile Management
  • Business Telephony
  • Backup and Disaster Recovery
  • Microsoft Office 365 Support

Plus, your firm will benefit from:

  • Access to world-class IT skills, experience, and resources;
  • The ability to focus on core competencies rather than IT;
  • Minimized capital expenditures on IT infrastructure, and reduced overall IT expenses;
  • The ability to predict current and future IT budgets;
  • Increased protection against breaches of confidential data and against cybercrime; and
  • A competitive advantage via advanced technologies.

Some of the top law firms in NYC have relied on us to build them the most reliable security defenses. Call (212) 286-0325 or send us an email at ITsolutions@krantzsecure.com to get started with winning strategies that mitigate law firm “ground-zero” security breaches across New York.

Call Now! (212) 286-0325

Looking for the very best in network services in New York City? Call Krantz Secure Technologies today to speak with one of our business technology specialists.