14th Securing The Law Firm
Online, 28th January 2021
Securing next-gen legal technology:
How can law firms keep up with constant attacks, deal with privacy issues, AND develop and secure their VLAs, lawbots and RPA?
When law firms make the cybersecurity headlines it’s generally a high-profile third-party issue, like the 193 firms recently impacted by the Laserform Hub breach, or ‘glamorous’ attacks like the ransomware attack on Grubman Shire Meiselas & Sacks, who represent Lady Gaga, Bruce Springsteen and President Trump, among others, and from whom hackers demanded $42 million in exchange for 756GB of stolen data.
But the truth is usually more mundane. Law firms are high-value targets in their own right and as third parties to the world’s largest and richest organisations. A recent report on the sector concluded that they faced ‘millions of threats’ in a constant bombardment of persistent and sophisticated attacks. The Dark Web is replete with pleas for access to law firms and with offers of information allegedly stolen from them.
So law firms, like other targets, need to ensure they have robust defences against ransomware, BEC and other spearphishing campaigns, DDoS attacks and the other threat types that pose the greatest risks to all high-value targets. Worryingly, according to a comprehensive recent survey of the sector, many firms still do not have sufficient protection against email spoofing; many are running services with well-known vulnerabilities and using web software which is out of date and no longer supported by its developer; many have one or more expired certificates and are running various domain registration risks.
Law firms too, like most other organisations, are being forced into accelerated Cloud deployments, creating issues in everything from AWS to which Microsoft 365 licence to buy and whether to go for a one-stop shop or to layer specific security tools onto the general features of the monopoly platforms.
And the increased pace of transition means increased risk of exposure. Cloud assets were involved in 24% of breaches this year, with applications a key issue. 40+% of those breaches came from web apps, rapidly overtaking desktop as the top source of breach.
More surprisingly, according to a freedom of information request made to the Information Commissioner’s Office (ICO), nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
This kind of human error is one problem CISOs may not be responsible for, but GDPR is causing law firms many headaches because their business revolves around sharing sensitive data. Leading law firms are asking the Information Commissioner to provide specific guidance to law firms on how they can lawfully share personal data. It’s a serious problem.
Securing the Law Firm 2021 will take place online and will look at how cybersecurity teams, risk management functions and boards are tackling the key issues. As digitalisation goes critical, is this finally the moment at which traditional cybersecurity management has to change?