Although the legal sector is relentlessly plagued by cyber attacks, law firms themselves are not necessarily the intended target. Cyber attackers have their sights on much bigger fish.
Compromising a FTSE 100 company is no easy task, but breaching the law firm that represents that company can be comparatively straightforward. With attorneys’ reputations built on trust, confidentiality and security, the legal sector must take proactive steps to protect itself, or risk losing business. Compromise of client secrets equates to loss of trust and loss of reputation for the firm, which inevitably leads to loss of business.
Once a cyber criminal has access to your systems and information, they can socially engineer their way to the actual target – your high-profile client. This is usually done through a hijacked inbox or spoofed email address, so the client believes they’re receiving a genuine communication from their legal representative.
Law firms have a tendency to make researching an attack easy for adversaries. They aren’t shy about openly celebrating their success on their website newsfeeds – every site we checked had articles and press releases about the latest big businesses to enlist the firm’s services, and most casually mentioned how much money was changing hands. One firm’s news page even went so far as to note the month in which an acquisition deal would be closed, giving threat actors a clear timeline to tailor their attack to. A spoofed email requesting that these funds be transferred to alternative account details, received at precisely the time the business is expecting it and appearing to be from their legal representatives, is far more likely to succeed than an opportunistic phishing attempt.
The state-sponsored threat
Large enterprises are targeted on a daily basis by state-sponsored attackers looking to gain a competitive advantage by stealing trade secrets. Intellectual property (IP) is a lucrative and tempting target, sought after by a very specific, well-funded and highly skilled small group of people (usually nation-state actors) who will pay handsomely to get their hands on it. State-sponsored attacks to gain this advantage are commonplace.
But big businesses aren’t the only ones at risk – representing high net worth clients leaves law firms vulnerable to state-sponsored attacks too. These individuals are an enticing target for cyber criminals: not only are they wealthy, but they are also more likely to enlist the services of a law firm to protect their confidential personal affairs. It’s not just money and personal data in danger here; the client’s reputation is also at stake – the press loves a scandal, and secrets of the rich and famous are particularly profitable. A scandal in the news following a breach of your systems could easily cause irreparable damage to your law firm’s reputation too.
Although you may not be the target, your law firm is responsible for safeguarding the information entrusted to you by your clients, including transferring and storing it safely. If a data breach does occur, your firm needs to be able to prove compliance with strict data protection regulations, by confidently and accurately reporting exactly what information was accessed, who accessed it, and whether the data was exfiltrated from your systems.