By Nate Lord
Without breach notification requirements in place, it can be hard to gauge the popularity of law firms as targets for cyber criminals. But if recent findings are any indication, the legal industry may well be the next lowest hanging fruit for attackers.
Last week, the New York Times DealBook published a story about Citigroup’s recent finding that major U.S. law firms are frequently experiencing data breaches yet rarely disclose these events publicly. This finding came to light in a report from Citigroup warning banks that law firms may be a top target for cyber criminals. As Citigroup notes, it makes sense that law firms would be attractive targets given that they regularly access and store sensitive client data as part of their day-to-day operations.
For banks specifically, that data could include confidential information concerning mergers and acquisitions, investments, business strategies, and other intellectual property. To exacerbate the issue, the report also found that data security measures employed by big law firms often lag behind those of other industries that are also commonly targeted in cyber attacks – say, for example, retail, healthcare, or manufacturing.
However, because so many law firms fail to disclose these incidents publicly, Citigroup concluded that it is “not possible to determine whether cyberattacks against law firms are on the rise.” While it may not be possible to quantify the exact amount of cyber attacks and data breaches impacting law firms, there is certainly plenty of recent evidence that would indicate that these incidents are indeed on the rise.
For one, Cisco’s 2015 Annual Security Report named law firms as the 7th highest target for cyber criminals last year, ranking behind only the pharmaceutical/chemical, media/publishing, manufacturing, transportation/shipping, aviation, and food/beverage industries. 2015 was the first year that the legal industry made the top ten most targeted verticals in Cisco’s report, indicating a nearly 50% year-over-year increase in the likelihood that law firms would be encounter malware attacks.
Citi and Cisco aren’t the only companies to call out law firms as increasingly popular targets for cyber criminals, however. In 2012, Mandiant estimated that over 80 of the top 100 (by revenue) U.S.-based law firms had been hacked in the previous year – a staggering number, but less of a surprise when you take into account both the type of confidential client data those firms have access to as well as the companies that comprise their clients.
U.S. law enforcement agencies – particularly the FBI – have also placed heavy emphasis on advising law firms as to the threat of cyber attacks as well as urging top firms to improve information sharing and disclosure when incidents do occur. Both threat intelligence sharing and data breach disclosure have bubbled up as top-priority issues for U.S. lawmakers this year, with President Obama proposing new federal laws requiring data breach notification in his State of the Union Address this past January and two new bills for cyber intelligence sharing – the Protecting Cyber Networks Act and the Cyber Information Sharing Act – being announced last week. Unfortunately, while these bills represent a new focus on cyber security at the federal level, both were met with criticism by privacy advocates and security experts.
So will law firms be the next top target for cyber attackers? If recent news are any indication, the answer is an obvious “yes.” However, without effective laws for breach notification and cyber information sharing, it may remain difficult to truly gauge the threats facing law firms for some time to come. While they may not be suffering the public embarrassment that accompanies the disclosures required of HIPAA or PCI-DSS regulated industries, law firms will undoubtedly start losing clients as the unregulated “business grapevine” starts spreading the word about sensitive data lost as a result of lax data protection practices. The onus for protecting sensitive client data lies on law firms themselves and they must start to take action to do just that.
Comments
<input id="recaptcha_response_field" name="recaptcha_response_field" type="text" /> | Privacy & Terms |
5 Steps to Secure Sensitive Data at the Law Firm
Don’t lose clients because you can’t protect their data. Five steps any law firm can take to prevent sensitive client data from getting out.
RELATED ARTICLES
Law Firm Data Security: Experts on How to Protect Legal Clients' Confidential DataFor companies that provide services to clients, data security is always an important part of business.
Data Security Experts Reveal the Biggest Mistakes Companies Make with Data & Information SecurityMost successful companies of today, whether enterprises, mid-market, or small small businesses, are either based onl
FTC Issues Security Guidelines for Internet of Things TechnologyNew Report from the Federal Trade Commission Presents Key Findings from 2013 IoT Workshop
© DIGITAL GUARDIAN
BY VERDASYS 2015
PRODUCTS
DIGITAL GUARDIAN PLATFORM
- Data Visibility and Control
- Data Loss Prevention
- Advanced Threat Protection
- Management Console
- Add-on Modules
DIGITAL GUARDIAN AGENTS
DEPLOYMENT
SOLUTIONS
BY USE CASE
- Application Control
- Compliance
- Data Classification
- Device Control & Encryption
- Email Control & Encryption
- Malware Protection
- Trusted Network Awareness
- Privileged User Control
- Web Apps & Cloud Storage Control
BY INDUSTRY
SERVICES
PROFESSIONAL SERVICES
- Outsider Threat Protection Implementation
- Insider Threat Protection Implementation
- Managed Security Program
TRAINING
- Boot Camp
- Introduction to Reporting
- Advanced Reporting
- Advanced Rule Writing
- Supporting Digital Guardian
- Schedule & Registration
SUPPORT
FORUM
WHY DIGITAL GUARDIAN
We are the only company that protects data from both insider and outsider threats using one agent.
Why Digital Guardian
Please post your comments here