law.com

2017-06-29 11:48:04
DLA Piper Isn’t Alone—40 Percent of Law Firms Unaware of Breaches

A survey of 200 U.S. firms found that many law firms are unprepared for cyberattacks, and it’s hurting their standing with clients.

The DLA Piper attack has legal professionals paying attention, but cyberattacks on law firms are far from unique.

According to a recent report from IT security provider LogicForce, hacking attempts were made on over 200 U.S. law firms between 2016 and 2017, 40 percent of which didn’t even know that they had been breached.

Titled “The Law Firm Cybersecurity Scorecard,” the report is the first of a quarterly effort by LogicForce intended to educate both law firms and the corporate legal departments that would hire them about the security issues impacting their industry. John Sweeny, president of LogicForce, said the results present “plenty of opportunities for corporate legal and law firms to get on the same page” with cybersecurity, and that there are “a lot of opportunities for law firms to tighten up their controls and get onboard with what their corporate clients are requesting.”

“We’re finding some areas to be consistent across a wide variety of firms, both big law and small law, that it doesn’t take a lot to improve,” Sweeny said. “We want to educate the industry on, ‘Hey, you don’t have to be spending millions upon millions of dollars to tighten up controls that your corporate clients want to see in order to secure your processes and keep up with your obligations to protect.’”

Indeed, many of the security issues found at the law firms surveyed were consistent. Despite the frequency with which breaches are linked to third parties (63 percent), the majority of law firms (80 percent) don’t vet them. Similarly ubiquitous is law firms’ lack of compliance with their own cybersecurity standards—95 percent of firms weren’t compliant with their own data governance policies; further, all of those firms also weren’t compliant with their clients’ policy standards.

The report also found that the types of threats facing law firms didn’t vary much, though they occurred relatively often. Across the law firms surveyed, LogicForce found that there were about 10,000 network intrusion attempts daily, while there were about 1,000 invalid login attempts on a daily basis. Additionally, 59 percent of all emails were classified as phishing/spam emails, though these included what the report called “benign marketing annoyances” as well as emails that were “more malicious and costly.”

Phishing has been a significant cyberthreat for years, playing a significant role in spreading the WannaCry attacks that impacted organizations across the world in May. Discussing those attacks, Rob Silvers, a partner in Paul Hastings’ cybersecurity practice, told LTN that phishing “is very common, and other ransomware strains rely on that same attack vector. So it’s really important that companies double down on their counter-phishing training for their employees.”

And while he doesn’t “like to blame the victims,” Silvers added, “There are measures that companies simply have to take to protect themselves and their shareholders and their business partners.”

Employee training is a commonly cited prevention measure for organizations, and it is listed among the “10 Basic Cybersecurity Measures” for reducing cybersecurity attacks distributed as a joint effort between the U.S. Department of Homeland Security and the FBI. Speaking about the WannaCry attacks, Ed McAndrew, a cybercrimes prosecutor and data security lawyer at Ballard Spahr, told LTN, “What it shows is you don’t need to have the biggest security budget in the world. You need to employ basic cyber hygiene at the very least.”

Timothy Murphy, president of Thomson Reuters Special Services, explained on a June panel about law firm cybersecurity that firms can begin mitigating risks immediately at a moderate cost with high impact. Among his suggestions were figuring out what data needs to be protected, tightening security controls, patching operating systems and applications, and implementing two-factor authentication and encryption.

“This is the most significant threat this country, businesses and law firms face,” Murphy added.