Cyberattacks and data breaches are rising, and your law firm could be next.
After all, your computers contain a wealth of valuable data about your team and multiple clients, all in one place. Financial accounts, Social Security numbers, payment card credentials — that’s just a fraction of the sensitive information that could be exposed if your network’s security can be cracked.
The attackers also like to target law firms because, traditionally, their cybersecurity isn’t as strong as what’s found at other businesses.
Fortunately, it’s possible to radically reduce your risk profile with expert help. Taking a few crucial steps can provide greater security to your team and your clients while safeguarding your firm’s reputation.
How common are cyberattacks and data breaches at law firms?
As part of its 2022 Legal Technology Survey Report, the ABA surveyed law firms to see how many had ever experienced a security breach. About 27% of respondents said they had, an increase of 2 percentage points.
But a security breach can include anything from a lost computer to a full-fledged cyberattack. It doesn’t mean a bad actor necessarily accessed sensitive information. How common are data breaches where criminals access sensitive information?
At least 100 firms reported data breaches to state authorities in 2022, according to a Law360 Pulse survey of public records. That’s up from 88 cases in 2021 and 46 cases in 2020. Unfortunately, the number is an incomplete picture — Law360 was able to get data for only 17 states. The real figure could be much larger.
According to Law360, breaches were more likely to be reported by smaller firms:
- Small firms (50 or fewer attorneys) reported 78 data breaches
- Midsize firms (51-200 attorneys) recorded 24 breaches
- Large firms (200+ attorneys) had 8 breaches
What are the potential costs of a data breach?
In 2022, the average data breach cost was $4.35 million across all industries, IBM reported. The cost was higher when looking at US cases only — $9.44 million.
How can law firms lower their risk for cyberattacks?
Dan Nelson, a retired attorney and Digital Silence’s COO, recommends the following steps:
Establish a rule against reusing passwords: Too many people use the same passwords across multiple sites. So if a bad actor steals user credentials from one site, it increases the odds they can break into other places, such as bank accounts, retirement accounts, and work email. This attack vector is called “credential stuffing,” and it’s one of the most common ways threat actors attack.
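The pattern described above has a recognizable signature in authentication logs: one source address failing logins against many different accounts in a short window, one guess per account, rather than many guesses against one account. The script below is an added illustration of that detection logic and is not code from Digital Silence or from the article; the log line format and the sample entries are constructed for the example, and the five-accounts-in-five-minutes threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from any real system).
# 203.0.113.7 fails against five different accounts in seconds and then logs in as bwong;
# 198.51.100.4 is one user mistyping their own password and then succeeding.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:02Z auth FAIL user=akhan src=203.0.113.7
2024-03-01T09:00:02Z auth FAIL user=mlopez src=203.0.113.7
2024-03-01T09:00:03Z auth FAIL user=rchen src=203.0.113.7
2024-03-01T09:00:04Z auth OK user=bwong src=203.0.113.7
2024-03-01T09:00:05Z auth FAIL user=tdavis src=203.0.113.7
2024-03-01T09:05:00Z auth FAIL user=jsmith src=198.51.100.4
2024-03-01T09:05:30Z auth FAIL user=jsmith src=198.51.100.4
2024-03-01T09:06:00Z auth OK user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source addresses whose failed logins cover >= min_users distinct accounts
    inside any sliding window of the given length.

    Counting distinct *accounts* rather than raw failures is what separates credential
    stuffing (one leaked password tried per account) from a single user's typos or a
    brute-force attempt against one account. Returns {src: set_of_usernames}.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    flagged = {}
    for src, fails in by_src.items():
        fails.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged


def successful_logins_from(events, flagged_sources):
    """Successful logins from flagged sources: the accounts most likely to have been
    reached with a reused password and that need a forced reset and review."""
    return {(src, user) for _, result, user, src in events
            if result == "OK" and src in flagged_sources}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_credential_stuffing(evts)
    for src, users in hits.items():
        print(f"possible credential stuffing from {src}: {sorted(users)}")
    for src, user in sorted(successful_logins_from(evts, hits)):
        print(f"review account {user}: successful login from flagged source {src}")
```

On the constructed sample this flags 203.0.113.7 (five distinct accounts) but not 198.51.100.4 (one account, repeated), and it surfaces the bwong login as the account to reset and investigate. In production the same logic runs over the identity provider's sign-in logs, and the threshold is tuned to the firm's normal traffic.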
Require Multifactor Authentication (MFA) everywhere it’s offered: With MFA, it takes more than a username and password to access an account. In addition, users must provide another piece of information — like a one-time password sent by SMS or email — or confirm their access via an app on their smartphones. Some MFA processes even require fingerprints or voice recognition. MFA isn’t unbeatable, but it presents a more challenging defense for bad actors.
Consider upgrading your software licenses: Many apps like Office 365 have multiple service tiers, and it can be tempting to save money by selecting the lowest price. But those entry-level tiers often lack much in the way of security features. By spending a little more each month, you could enable tools like audit logging and increase the storage retained for them, which will better enable digital forensics experts to see how cyberattacks occurred and fix the problems.
Invest in training and education: Some of the most devastating cyberattacks target people, not technology. Through phishing and other techniques, your team could unwittingly help bad actors compromise your systems. That’s why educating firm employees on the most common attacks and how to defend against them is so important. Most firms already provide basic training on other topics. Security should be part of that curriculum, too.
Perform a risk assessment of your systems: Hire experts to systematically study your network, so they can create an actionable, sequenced, and coherent plan for improving cybersecurity. Because there are so many ways for bad actors to infiltrate your network, you’ll need help identifying the most common attack vectors and devising the best defenses. Trying to do it yourself could leave you exposed.
Once you adopt the recommendations from a risk assessment, you may be ready to graduate to more powerful forms of testing and defense. Digital Silence, for example, can deliver an even wider range of advisory services, including penetration and red team testing, digital forensics, and much more. Contact us today to learn how we can help you.