Law Firms are Under Attack

In 2016, the FBI’s Cyber Division issued a Private Industry Notification alerting law firms that cybercriminals were specifically targeting them. This alert was not “news” — cybercriminals have been targeting law firms for years. According to the ABA Cybersecurity Legal Task Force, a “recent [2017] study of cybersecurity practices at 200+ law firms found that each one had been targeted for confidential data, and over 40% did not even know they had been breached.” This study also found that the size of the firm had no bearing on the likelihood of the attack.

Why Are Law Firms Especially Vulnerable?

Small to mid-sized law firms are typically not early adopters of technology, and attackers know this; they also know that even large law firms often do not have a multi-layered security program in place. According to an ALM Legal Intelligence study, 22% of law firms have no organized plan to prepare for or respond to a data breach. Plaintiff class-action law firms are aware of these conditions and are targeting law firms over lax data security. In one such suit, a 100-lawyer firm was sued for failing to take reasonable steps to maintain data security, even though the firm had marketed itself in written and website materials as having appropriate cybersecurity.

[Infographic: 22% of law firms do not have any organized plan to prepare for or respond to a data breach]

Meet Ethical Requirements and Applicable Standards of Care

Ex post facto analyses of some significant law-firm data breaches show that multi-layered security would likely have thwarted the attacks:

  • One such attack involved a large DC-based law firm. The hackers used multiple attack vectors to infiltrate the firm's network, then operated with network-administrator privileges to collect sensitive data and exfiltrate it over a period of months. Thousands of pages of emails and other information, including confidential client communications, were stolen. The attack succeeded even though the firm had significant elements of a security architecture in place and used encryption.
  • In another attack, Toronto law firms were the victims of targeted attacks originating in China, and the hackers stole significant sums of money from the firms' trust accounts. Once again, the firms had what they believed were the essential elements of a security program in place.

In both examples, a multi-layered security approach would very likely have limited the damage. Assume, for instance, that the initial infiltration could not have been prevented. Even so, properly managed continuous monitoring of traffic into and out of the firms' networks, together with detection of internal and lateral threats inside the networks, would have alerted the firms to the intrusion soon enough after it occurred to prevent serious damage. Data leaving the network for months, and an intruder moving from host to host with administrator privileges, are exactly the patterns such monitoring exists to catch.
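As an added illustration of the monitoring described above (this is example code written for this page, not SECNAP's tooling and not anything used by the firms mentioned), the Python below runs two simple detections over constructed records: a per-host egress-volume check that compares each day's outbound bytes against the same host's average on earlier days, and a sliding-window count of the distinct internal hosts a workstation successfully authenticates to. The hostnames, IP addresses, thresholds and records are all made up for the example.

```python
"""Two example detections for a small network: egress-volume anomalies
(possible exfiltration) and fan-out authentication (possible lateral movement).
Added example, not code from the original page; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean

# Hypothetical internal address space for the firm.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow summaries: (timestamp, src_ip, dst_ip, bytes_out).
# 10.0.1.20 normally sends ~10 KB/day outside; on 03-04 at 02:00 it sends 400 KB.
FLOWS = [
    ("2017-03-01T09:00:00", "10.0.1.20", "10.0.2.5",      900_000),  # internal, ignored
    ("2017-03-01T10:00:00", "10.0.1.20", "203.0.113.9",     8_000),
    ("2017-03-02T10:00:00", "10.0.1.20", "203.0.113.9",    12_000),
    ("2017-03-03T10:00:00", "10.0.1.20", "203.0.113.9",    10_000),
    ("2017-03-04T02:00:00", "10.0.1.20", "198.51.100.7",  400_000),
    ("2017-03-01T11:00:00", "10.0.1.31", "203.0.113.9",    20_000),
    ("2017-03-02T11:00:00", "10.0.1.31", "203.0.113.9",    22_000),
    ("2017-03-03T11:00:00", "10.0.1.31", "203.0.113.9",    19_000),
    ("2017-03-04T11:00:00", "10.0.1.31", "203.0.113.9",    21_000),
]


def exfil_candidates(flows, factor=5.0, min_bytes=100_000):
    """Return (host, day, bytes, baseline) for each internal host whose outbound
    bytes to external addresses on a day exceed `factor` times that host's
    average on earlier days and are at least `min_bytes`."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            daily[src][datetime.fromisoformat(ts).date()] += nbytes
    alerts = []
    for host, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            if i == 0:
                continue  # no history yet to compare against
            baseline = mean(per_day[d] for d in days[:i])
            if per_day[day] >= min_bytes and per_day[day] > factor * baseline:
                alerts.append((host, day.isoformat(), per_day[day], round(baseline)))
    return alerts


# Constructed authentication events: (timestamp, user, src_host, dst_host, success).
# WS-1020 logs on to five different servers in twelve minutes at 1 a.m.
AUTH_EVENTS = [
    ("2017-03-04T01:00:00", "jdoe",   "WS-1020", "FS-01",   True),
    ("2017-03-04T01:03:00", "jdoe",   "WS-1020", "FS-02",   True),
    ("2017-03-04T01:05:00", "jdoe",   "WS-1020", "DC-01",   True),
    ("2017-03-04T01:09:00", "jdoe",   "WS-1020", "MAIL-01", True),
    ("2017-03-04T01:12:00", "jdoe",   "WS-1020", "SQL-01",  True),
    ("2017-03-04T09:00:00", "asmith", "WS-1031", "FS-01",   True),
    ("2017-03-04T13:00:00", "asmith", "WS-1031", "MAIL-01", True),
]


def lateral_movement_candidates(events, max_hosts=4, window=timedelta(minutes=30)):
    """Return (src_host, user, hosts) for each source host that successfully
    authenticates to more than `max_hosts` distinct hosts within `window`."""
    by_src = defaultdict(list)
    for ts, user, src, dst, ok in events:
        if ok:
            by_src[src].append((datetime.fromisoformat(ts), user, dst))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            hosts = {dst for _, _, dst in items[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append((src, items[end][1], sorted(hosts)))
                break  # one alert per source host
    return alerts


if __name__ == "__main__":
    for alert in exfil_candidates(FLOWS):
        print("possible exfiltration:", alert)
    for alert in lateral_movement_candidates(AUTH_EVENTS):
        print("possible lateral movement:", alert)
```

The egress check by itself would miss exfiltration slow enough to blend into a host's own baseline, which is why egress monitoring is normally paired with further signals such as first-seen external destinations and off-hours timing; both detections also need their thresholds tuned against the firm's real traffic before they are useful.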

What is a Multi-Layered Security Program?

The first step in adopting a multi-layered approach to data security is to assess the firm's existing security posture. Having a qualified third party perform security assessments on a regular, periodic basis is not only best practice but also required in many regulated industries. An assessment produces a prioritized list of vulnerabilities to address in order to improve the firm's security posture.

SECNAP’s security analysts regularly complete assessments of our clients (including law firms), by performing:

  • External Penetration Testing
  • Internal Vulnerability Assessments
  • Regulatory Compliance Assessments
  • Web Application Security Assessments
  • IT Risk Assessments and Gap Analyses