
Protecting Your Law Firm: Essential Takeaways from Cybersecurity Awareness Month 2023

By Jordan Emery posted 11-20-2023 01:00

  

When the ABA asked law firms about their cybersecurity practices, 53% responded that they had a data management and retention policy, and 36% responded they had an incident response plan. 17% of firms had no policies at all, and a whopping 8% couldn’t even speak to the firm’s security policies. It’s a sign that a culture of cybersecurity is low on the list of priorities in the legal field. Because law firms deal with confidential information day in and day out, we’ll look at why Cybersecurity Awareness Month is a good time to start making some changes.

The Human Element

Hackers are rarely the technical geniuses that we can sometimes make them out to be. In fact, 74% of breaches in 2022 stemmed from people making poor decisions, fueled by anything from extreme exhaustion to regular carelessness. Whether that was falling for a phishing email or making their password easy to guess, threat actors win time and time again by taking advantage of human nature.

This is bad news for small law firms that may have historically steered clear of the worst hacking attempts. Lately, there’s been a rise in attacks targeting smaller businesses, and one in four law firms have already reported some type of attack. This is likely a low number, though, as firms without robust security can be infected for months without anyone being the wiser.

Threat actors know what’s most valuable to law firms. Once they’re able to access and encrypt the data, they might first demand a ransom from the firm to decrypt it. If the law firm has a robust backup plan, the threat actors can instead demand a ransom not to release the information to the public. For firms with no contingency plans in place, it would be easy for the threat actors to double-dip.

MGM recently provided a prime example of how the human element can impact even the most well-funded companies. Threat actors leaned on employees' willingness to help when they contacted IT staff and pretended to be the boss. The hackers needed surprisingly little information to convince the workers that the boss needed his password and MFA reset, which led to MGM giving up some of its most critical information.

Everyone Plays a Role

Cybersecurity cultures are built over time, and they typically come from the top. If leadership sets up an hour-long session once a year that gives a high-level overview of best practices, it’s a message to the rest of the staff that cybersecurity is not on their radar.

Threat actors are not just keeping up with general information about software vulnerabilities. They’re often devoting their entire day to understanding the most effective ways to target companies of all sizes. Small law firms may not have a lot of resources to pay a high ransom, but they probably have enough to lose to make them profitable victims.

For law firms to come out on top, there need to be biweekly or monthly training sessions that emphasize just how far a threat actor is willing to go. There also needs to be enough security support for a firm to turn to if and when something does go wrong.

Taking Action: What Law Firms Can Do

Thanks to the never-ending devices, programs, and human response patterns, cybersecurity is a complex machine today. To really tackle even the basics, including vulnerability management, access control, network security, encryption, and information, you could easily end up hiring an IT staff that’s as large as your legal team.

This is why more firms are choosing managed service providers (MSPs) as a way of outsourcing 360° protection. An MSP is not only cost-effective, in that you’re getting an arsenal of resources without having to pay piecemeal for each component; it’s also undeniably faster. Hiring an in-house team means coordinating different departments and working with multiple hires’ demands and expectations. Once they’re in place, it can take up to a year to coordinate a better cybersecurity strategy.

With an MSP like Dataprise, legal firms work in 30-, 60-, and 90-day increments, meaning you can implement more airtight cybersecurity policies in as little as a month. Dataprise is not only staffed with experts; we also have experience managing law firms of all sizes. We're built to scale alongside our clients, introducing new programs as they hire new lawyers or obtain more high-profile clients. From compliance to disaster recovery, our staff gives law firms the peace of mind they need even if they are targeted by a relentless threat actor.
