
The 5 Most Common Network Security Threats Uncovered in Law Firms


Corsica Technologies has the immense privilege and responsibility of working closely with federally regulated industries as a third party auditor and Managed Security Services Provider (MSSP).

The legal industry shares many characteristics with federally audited industries like medical and financial, not the least of which are:

  • Valuable data: lost legal records cost firms an average of $221 per record [1]. Data from legal files can be sold on the black market for anywhere from $1 to thousands of dollars, depending on the nature of the information.
  • Heavily targeted by attackers: 24% of law firms surveyed for the 2017 Ransomware Report reported attacks between Q2 2016 and Q2 2017.

Through our independent security assessments of law firms, our engineers have identified a number of cyber security threats common to the legal industry—especially small to mid-sized firms.

Interestingly, only 1 of these 5 threats comes from outside a firm’s walls.

1. Password Apathy

One of the most common mistakes law firms make is to assume that individual staff members are changing default admin passwords to strong passwords of their own (and refraining from keeping them in a conspicuous location, such as a sticky note on their desk).

Without guidelines on password complexity, password expiration, or account lockouts, your accounts are vulnerable to brute force attacks that can result in access to confidential client or case information (including PII and PHI), account numbers, and more.
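The lockout and complexity guidelines the paragraph calls for, implemented as a small policy check. This is an added example, not Corsica's code; the thresholds (12-character minimum, 5 failures in 15 minutes, 30-minute lockout) are assumed values, not figures from the article.

```python
# Added example: account-lockout and password-complexity policy enforcement.
# Thresholds below are assumptions for illustration, not values from the article.
import re
from collections import defaultdict

MAX_FAILURES = 5           # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60   # sliding window over which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked after the limit

_failures = defaultdict(list)  # account -> timestamps of recent failed logins
_locked_until = {}             # account -> time at which the lockout expires


def password_meets_policy(pw: str) -> bool:
    """Assumed policy: at least 12 characters and three of four character classes."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    classes = sum(bool(re.search(p, pw)) for p in patterns)
    return len(pw) >= 12 and classes >= 3


def record_login(account: str, ok: bool, now: float) -> str:
    """Return 'locked', 'allowed' or 'denied' for one login attempt at time `now`.

    A locked account is refused even when the password is correct, which is what
    defeats online brute forcing: the attacker's guesses stop being evaluated.
    """
    if _locked_until.get(account, 0) > now:
        return "locked"
    if ok:
        _failures[account].clear()
        return "allowed"
    recent = [t for t in _failures[account] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _failures[account] = recent
    if len(recent) >= MAX_FAILURES:
        _locked_until[account] = now + LOCKOUT_SECONDS
        _failures[account].clear()
        return "locked"
    return "denied"
```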

2. Mishandled Electronic Files

Do you ever see an electronic case file on your partner’s personal laptop?

The legal profession is unique in the amount of data processing and mobility required of its workers; it’s easy to blur the boundaries of data access and storage during late-night work sessions from the home office.

Even so, data must be structured so that it can only be seen by the people authorized to see it. The principle of least privilege and network and hard-drive encryption are vital steps in securing data.

In addition, all data your firm owns should be within the reach of protective backups and security monitoring measures.

In a study of more than 200 law firms [1], only 27% had implemented Data Loss Prevention (DLP): technology that scans every electronic record downloaded from or sent out of your firm for sensitive data such as PII, PHI, and SSNs, and blocks the transmission when it finds any.
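A minimal DLP-style content scanner of the kind the paragraph describes, run over constructed outbound records. This is an added example, not Corsica's code or any vendor's product; the account-number pattern and the block-on-any-hit rule are assumptions.

```python
# Added example: scan outbound records for SSNs and account numbers, as a DLP
# control would, and block or redact the transmission. Patterns are assumptions.
import re

# SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999, dashes optional.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b")
# Assumed account-number shape: 9 to 12 digits following an "acct"/"account" label.
ACCT_RE = re.compile(r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{9,12})\b", re.I)


def scan_record(text: str) -> dict:
    """Return the count of each sensitive-data type found in one record."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "account_number": len(ACCT_RE.findall(text)),
    }


def should_block(text: str) -> bool:
    """Block outbound transmission when any sensitive identifier is present."""
    return any(count > 0 for count in scan_record(text).values())


def redact(text: str) -> str:
    """Mask SSNs so only the last four digits remain, e.g. ***-**-1234."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


# Constructed sample records; the people, matter and numbers are fictitious.
OUTBOUND_EMAIL = (
    "Hi, attaching the intake form for the Smith matter. Client SSN is 219-09-9999 "
    "and the trust account no. 123456789012 should receive the settlement."
)
CASE_SUMMARY = "Deposition scheduled for Tuesday; docket 2017-CV-0042, courtroom 3."
```

Docket numbers and dates pass through untouched because the SSN pattern requires a complete nine-digit group with valid area, group and serial ranges.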

3. Undiscovered Privacy Infractions

In the same study mentioned above, it was found that 66% of firms had already experienced a breach.

We have seen a similar frequency in unauthorized data access that had gone unnoticed until we performed an assessment.

In our experience, data privacy violations most commonly result from insider error; however, we see plenty of past malware infections. These attacks will only increase in the years to come.

Law firms should be particularly wary of high-volume phishing attacks, which don’t discriminate by firm size or industry but rather count on the sheer volume of attempts to achieve success with someone, somewhere.

4. Limited Awareness of Today’s Cyber Threats

Speaking of phishing, this favorite method of hackers is often underestimated by legal teams that overly trust their spam filters and firewalls. While some automated attacks (using familiar threats) may be blocked, hackers are highly motivated by the high going price of private information to circumvent these measures.

Spear-phishing, for example, is becoming an effective tactic of hackers looking to circumvent employees’ suspicions while also getting them to comply with an urgent request. In these attacks, the hacker researches your corporate structure and vendors and sends an urgent email “from” an executive in your company requesting a money transfer, “forgotten” account numbers, employee PII, etc.
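The executive-impersonation pattern just described, checked the way a mail gateway or SOC rule would: does the display name match a known executive while the address or Reply-To points elsewhere, and does the body carry an urgent financial ask? This is an added example, not Corsica's code; the firm domain, executive roster and keyword list are assumed values.

```python
# Added example: flag spear-phishing mail that impersonates an executive.
# FIRM_DOMAIN, EXECUTIVES and URGENT_TERMS are assumed values for illustration.
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"
EXECUTIVES = {"jane doe": "jdoe@example-law.com"}  # display name -> real address
URGENT_TERMS = ("wire transfer", "urgent", "account number", "w-2", "asap")


def flag_message(headers: dict, body: str) -> list:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")
    if real and domain != FIRM_DOMAIN:
        reasons.append(f"executive name used from external domain {domain}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From address")
    hits = [t for t in URGENT_TERMS if t in body.lower()]
    if hits:
        reasons.append("urgency/financial terms: " + ", ".join(hits))
    return reasons


def should_quarantine(headers: dict, body: str) -> bool:
    """Quarantine when an impersonation signal coincides with an urgent financial ask."""
    reasons = flag_message(headers, body)
    impersonation = any("executive" in r for r in reasons)
    urgent = any(r.startswith("urgency") for r in reasons)
    return impersonation and urgent


# Constructed sample messages; the names and domains are fictitious.
SPOOFED = ({"From": "Jane Doe <jane.doe@webmail.example>",
            "Reply-To": "jane.doe@webmail.example"},
           "I'm in a meeting with a client. Need an urgent wire transfer to the vendor ASAP.")
LEGIT = ({"From": "Jane Doe <jdoe@example-law.com>"},
         "Reminder: partner meeting moved to 3pm Thursday.")
```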

Twice-yearly security awareness training is economical and practical (it can often be done completely online). Empower every member of your team to defend against the attempted exploitation and extortion of your firm.

5. No Documented, Enforceable Cyber Security Policies

Most law firms don’t document cyber security policies because they trust their team to use common sense. Today’s hackers, however, circumvent our common sense by appealing to deeper tendencies to listen to urgent, authoritative requests for help.

How can you keep employees from falling for increasingly clever spoofs and scams? Documented, enforceable policies help your employees resist, for example, a text from your cell number urgently requesting that they help you out by making a wire transfer while your hands are tied “in a meeting with a client.”

Due diligence in response to these threats looks like an enforced policy that states clear guidelines for evaluating any request to click a link, download a file, or enter credentials or account information.

Good policy, coupled with security awareness training, helps overcome your employees’ vulnerability to threats that prey on their good nature.

Does Your Law Firm Need a Fresh Commitment to Data Security?

A solid cyber security policy not only protects your clients; requests for security policy documentation will also become more frequent as compliance regulations tighten.

Our audits and assessments are extremely thorough, fully documented, and often uncover problems even seasoned IT staff overlook.

If you have questions about your current cyber security posture, are preparing for an audit, or are simply looking for independent verification, email us!

Sources:
  [1] “2016 Cost of Data Breach Study: Global Analysis.” Ponemon Institute Research Report. Print.
  [2] Law Firm Cyber Security Scorecard Q1 2017. LOGICFORCE, www.logicforce.com. October 2017.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.
