Skip to main content

Law firms are a hacker's "treasure trove"

Large law firms have been identified as a prime target for hackers and organised criminal gangs (OCGs) as their databases are seen as repositories of company secrets, business strategies and intellectual property.

According to Harvey Rishikof, co-chairman of the American Bar Association cybersecurity Legal Task Force: "Law firms are very attractive targets. They have information from clients on deal negotiations which adversaries have a keen interest in. They're a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities."

While cyber breaches of major corporations such as Sony and JP Morgan are grabbing the headlines, many OGCs are now directing their attentions towards corporate advisors, particularly large legal practices with important clients. At least 80 per cent of the leading US law firms have already seen their security compromised via a cyber breach.

Even this may be an underestimate as almost all the leading international law firms are likely to have experienced a cyber breach - whether they realise it or not.

They are several key reasons why OCGs target legal firms. One is that they frequently see them as a point of entry in to one of their major clients' databases. Companies in highly targeted sectors such as defence and finance are now finally starting to address the pressing issue of cyber security and are now introducing new protocols aimed at safeguarding confidential data.

Hackers break in via third parties

But the hackers have developed ways of breaking into databases via third parties. The highly reported cyber breach last year at giant US retailer Target was achieved through such a third party - in this case, a heating, ventilation and air-conditioning (HVAC) contractor.

Many legal firms are now being seen as a way-in to the confidential data held by their more important clients.

However, the large legal practices also have highly valuable confidential data of their own. In addition to their in-house financial systems, legal firms hold large amounts of data on their clients. This can sometimes be used by the OCGs for purpose of blackmail.

Alternatively, this kind of detailed information can also be used by hackers to formulate a socially engineered attack where the client's staff are convinced by the level of confidential data that a bogus message or approach may be genuine.

But the biggest long-term danger may come from the gradual erosion of legal advisers' credibility. Client confidentiality is crucial for law firms advising corporate clients on sensitive negotiations such as mergers and acquisitions or an initial public offering (IPO) of their shares. Legal advisers with insecure IT systems are in danger of losing credibility in the eyes of major corporate clients if hackers are able to steal and sell information on sensitive negotiations or confidential business strategies. Some OCGs simply insider trade on the stolen information.

Andrew Cheung, General Counsel at international law firm Dentons, believes this is and has been the real driver behind the rush of law firms to secure their systems and data.

He says: "Client demands for sophisticated information security and the firm's own reputational protection are the primary drivers behind Dentons' focus on and investment in information security systems and processes”.

He adds: “There are also very real civil liability concerns stemming from cyber breaches, though we are yet to see a firm hit with a major claim in this area. Regulatory concerns are also ever present but in many respects regulation and regulators are struggling to catch-up with the rapidly evolving threats to cyber security. Firms cannot afford to wait for regulatory guidance or requirements to force change in this area".

But even those law firms who have tight security protocols need to be increasingly vigilant as OCGs are becoming highly inventive when it comes to breaking into legal databases. This is especially true of those law firms which are using social media and online communications to publicise their services.

The latest chink in law firms' cyber defences to be exploited by hackers relates to the growing practice of lawyers managing their own online blogs through potentially insecure content management systems (CMS) such as WordPress.

The reason for the firms' enthusiastic adoption of CMS is that it is easy to set up and manage and has been identified as reasonably secure. They are widely deployed throughout most large legal firms, which increasingly use third-party plug-ins to add extra features.

Law firms using CMS in this way need to ensure that the entire process is monitored by their IT department as plug-ins are not only sometimes inherently insecure, but they can also make updating to the latest - and therefore most secure - version of CMSs such as WordPress extremely difficult.

Firms should, therefore, monitor which CMSs, such as Drupal, WordPress and Joomla, are being used by their lawyers to disseminate blogs. The use of plug-ins must be limited to ensure that the latest version of each CMS in use can be immediately deployed; this is essential as it is only the latest version which will comprise up-to-date cyber security.

Legal firms who do not take the time to secure their IT systems and advise their clients to do the same will increasingly find themselves losing high-profile contracts to more cyber aware rivals as corporates begin to grasp the level of threat posed by OGCs targeting their most confidential client data.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser at the KCS Group Europe (opens in new tab).