Hackers’ Newest Target: Lawyers

footer_logoFrightening news out of corners of the security world, the ABA Journal is reporting that hackers’ newest targets include lawyers and law firms. “Cybercriminals tend to focus where the weak spots are,” says Gerhard Eschelbeck, chief technology officer at Sophos, a computer security firm, “[and] law firms are soft targets.” Eschelbeck said that, unlike the movie versions, the hackers he’s talking about are not pimply-faced nerds, or Matthew Brodderick in his parents’ house, but rather nation-states looking for valuable information.

“Law firms need to understand that they’re being targeted by the best, most advanced attackers out there,” says Shane M. McGee, general counsel and vice president of legal affairs at Mandiant Corp., a cybersecurity firm. “These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, ‘one-stop shops’ for attackers.”

So what can be done?

As I reported last week in my discussions about the “Bring Your Own Device” (BYOD) movement (BYOD: 5 Steps to Protect Your Client and Save Money and 10 Tips for Developing Effective BYOD Policies), one of the biggest keys is coming up with a policy that will be enforced firm-wide, with universally applicable consequences. What other ways can you and your firm best protect yourself from hackers? The article had these suggestions:

  • Secure all mobile devices by having your IT department/consultant encrypt your sensitive data;
  • Ensure that any contracts you have with cloud-based data management or other services includes a provision ensuring that all of your data is encrypted before being stored in the cloud;
  • Do not give in to all BYOD and BYON (Bring Your Own Network – just think mobile hotspot) demands from attorneys and staff in your office;
    • The article actually suggested that only firm-owned devices and networks should be in use in a law firm. I find that to be highly unrealistic in today’s firm environment, with the exception of large firms that can afford to purchase smartphones and tablets for all attorneys and staff that require mobile access.
  • Take a hard look at USB connections. This one might seem foreign to many lawyers, but thumb drives continue to be one of the most popular means for sneaking malware, trojans, or other viruses onto computers. Remember that anytime you allow someone to plug a thumb drive into a computer that’s operating on your network, whatever is on that drive has access to the network too!
  • Stay up to date! This applies most directly to your security software, but also to things such as firmware updates for your mobile devices (which I have spoken about before).
  • Get an annual checkup, by having your IT personnel thoroughly inspect your network once a year.
  • Hire security personnel or establish a chief security officer within your firm. While I think this is only appropriate and feasible for larger firms, it is worth noting that small firms are just as vulnerable to being hacked, and should emphasize their security needs to their IT providers.

While nothing will guarantee that your firm will be safe from hackers (consider the story I detailed about Dropbox being used to hack an otherwise impenetrable cybersecurity system), following these steps will make it much more difficult for hackers to gain access to your, and your clients, confidential information.

Lawyers may be hackers’ newest target, but you have an ethical duty to your clients and your firm to make sure that your firm isn’t just another “soft target.”