Cyber-attacks have escalated to the point where they threaten all businesses today, however, given the sensitivity and confidentiality of information at law firms they have been and will remain one of the largest targets. Whether the firm serves as custodians of clients’ intellectual property, commercially sensitive information or investigators of possible M&A transactions, the desire to hack into these deals can be and will continue to be a great risk.
I would go so far as to say that some law firms face an even greater risk than the typical mid-sized company, especially those who deal with Patents and Intellectual Property as they’re threatened not only by cyber criminals but also nation-state hackers that are after commercial secrets and patents.
Numerous studies in last few years have indicated that a law firm’s security is often relatively poor. Anecdotally, through my personal conversations with managing partners I’ve identified two likely causes for that. Firstly, they’re typically not threat informed which includes a lack of understanding regarding the potential impacts of a cyber-breach to their business and most importantly to their customers. Secondly they still perceive security as an expense while they should be viewing it as a future business opportunity.
Studies aside, let me point to a case I personally worked on. We’d been engaged by a prestigious law firm, one that was likely to have better security than most, to execute a red team exercise. In a red team exercise we mimic threat actor behavior with the purpose of obtaining the ‘crown jewels’ or disrupting the business operation. Long story short, in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mail boxes. We managed to do this in three different ways or attack vectors: (1) we broke their WiFi encryption, (2) we used social engineering against the receptionist to run our malware, and (3) we used social engineering against one of the partners where he was convinced to open a malicious file sent via email.
Some of the ‘crown jewels’ in this case were all of the litigation documents related to the defense of a major car manufacturer. In a recall trial that was ongoing, that information by itself was potentially worth hundreds of millions of dollars. Mind you the effort required to get to that information wasn’t more than a few tens of thousands of dollars. With hackers for hire this was a worst-case scenario which could and does happen today.
I believe that it’s time for law firms to not only look at cyber security from an ethical perspective (ABA Model Rule 1.6(c) requires that “[a]lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ) but also as a business opportunity, one that leads as a differentiator within the industry. Given the justified buzz around cyber security and the growing attention given to the topic by executive teams and the boards, who often serve as law firms marquee clients, firms that are able to prove they’re taking security seriously are likely to win the meaningful business.
No comments:
Post a Comment