These are integral parts of modern working life for many, but they also point to the weakest link in many law firms’ cybersecurity defenses. Hacking, cyberattacks and other external threats are on the rise, but one often overlooked source of data breaches at a law firm is also its greatest asset: its lawyers.
Lawyers transmit large volumes of sensitive information every day – often including protected health information, M&A data and closely-guarded trade information. Yet many of them lack training on privacy and data security, making them liable to commit any number of seemingly minor errors that have grave cybersecurity consequences.
The growth of smartphones, tablets and cloud-based or remote work policies has greatly widened the opportunity for error. Under Bring Your Own Device (BYOD) policies, many lawyers can freely access proprietary client files on their personal laptops and mobile phones. That opens the door to data theft should such a device be lost, stolen or improperly disposed of when it is replaced.
For example, a family law practitioner in New Hampshire had client names and personally identifiable information (PII) such as SSNs and account numbers synced to his laptop, with no disk encryption at all. When the laptop was stolen from his home, every one of those records was readable by whoever ended up with it. Full-disk encryption (BitLocker or FileVault, for instance) would have turned the same theft into the loss of a laptop rather than the loss of client data, provided the machine was powered off or locked when it was taken.
Phishing, in which an email recipient is tricked into clicking a link or opening an attachment that plants malware inside the firm’s network, behind its perimeter firewall, has become so complex and sophisticated that even relatively tech-savvy attorneys fall for it.
In 2015, a San Diego attorney opened an attachment in an email purporting to be from the U.S. Postal Service and apparently sent from a usps.gov address. Days later he discovered that $289,000 had been transferred to a Chinese bank, the work of a keystroke-capturing virus the attachment had installed on his computer. The sender address shown in a mail client proves nothing on its own: the From header is trivially forged, and only the receiving gateway’s SPF, DKIM and DMARC checks say anything about where a message actually came from.
In a separate incident, a large law firm fell victim to the same technique in its business email compromise form: a fraudulent email purporting to come from a firm executive led staff to send the firm’s W-2 forms to the phishers, leaking every employee’s full name and Social Security number.
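Both incidents above are visible in message headers before anyone clicks. The following is an added example, not code from the original article or from any firm it mentions: a header-only triage pass that flags a forged sender (Return-Path or Reply-To domain that disagrees with From, failed SPF/DKIM/DMARC results stamped by the gateway), a display name that impersonates an insider from an outside or lookalike domain (the W-2 case), and attachment names with executable or doubled extensions (the USPS case). The firm domain example-law.com, the executive roster, the Authentication-Results format and the three sample messages are all constructed assumptions.

```python
"""Header-only phishing triage. Added example with constructed inputs;
FIRM_DOMAIN, EXECUTIVES and the sample messages are hypothetical."""
import email
import re
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"              # hypothetical firm domain
EXECUTIVES = {"jane doe", "managing partner"}  # hypothetical display names to protect
RISKY_EXT = re.compile(r"\.(exe|scr|js|vbs|hta|bat|cmd|jar|docm|xlsm|zip)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|txt)\.\w{2,4}$", re.I)


def addr_domain(value):
    """Lower-cased domain of an address header ('' if absent or malformed)."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (example-law.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_failures(msg):
    """Mechanisms that did not report 'pass' in any Authentication-Results header.
    Assumes the gateway writes the RFC 8601 style 'spf=fail ...; dmarc=fail ...'."""
    fails = []
    for ar in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(ar), re.I):
            if result.lower() != "pass":
                fails.append(f"{mech.lower()}={result.lower()}")
    return fails


def triage(raw):
    """Return a list of human-readable findings; an empty list means the headers look clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, _ = parseaddr(msg["From"] or "")
    from_dom = addr_domain(msg["From"])
    # 1. Envelope / reply routing that disagrees with the visible From address.
    for hdr in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # 2. Gateway authentication results (the only evidence of true origin).
    findings += [f"authentication failure: {f}" for f in auth_failures(msg)]
    # 3. Insider display name on an external domain: business email compromise pattern.
    if name.strip().lower() in EXECUTIVES and from_dom != FIRM_DOMAIN:
        findings.append(f"display name '{name}' impersonates an insider from external domain {from_dom}")
    # 4. Registered lookalike of the firm domain passes SPF/DKIM/DMARC, so check spelling too.
    if from_dom and from_dom != FIRM_DOMAIN and edit_distance(from_dom, FIRM_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_dom} resembles {FIRM_DOMAIN}")
    # 5. Attachment names built to look like documents but run as programs.
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if RISKY_EXT.search(fn) or DOUBLE_EXT.search(fn):
            findings.append(f"risky attachment name: {fn}")
    return findings


# Constructed sample messages (not real mail).
USPS_MSG = """\
Return-Path: <bounce@mail-track.example>
Authentication-Results: mx.example-law.com; spf=fail smtp.mailfrom=mail-track.example; dkim=none; dmarc=fail header.from=usps.gov
From: "USPS Package Tracking" <tracking@usps.gov>
To: attorney@example-law.com
Subject: Delivery notice 7731
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your package could not be delivered. See the attached label.
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="USPS_label.pdf.exe"

MZ-not-really-a-binary
--B1--
"""

BEC_MSG = """\
Return-Path: <jane.doe@example-law.co>
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.co; dkim=pass header.d=example-law.co; dmarc=pass header.from=example-law.co
From: "Jane Doe" <jane.doe@example-law.co>
Reply-To: <jane.doe@example-law.co>
To: payroll@example-law.com
Subject: W-2s for all staff, needed today
Content-Type: text/plain

Please send me every employee's W-2 as PDF. Urgent, I am in a meeting.
"""

CLEAN_MSG = """\
Return-Path: <alice@example-law.com>
Authentication-Results: mx.example-law.com; spf=pass; dkim=pass; dmarc=pass
From: "Alice Smith" <alice@example-law.com>
To: bob@example-law.com
Subject: lunch
Content-Type: text/plain

Noon?
"""

if __name__ == "__main__":
    for label, raw in (("USPS", USPS_MSG), ("BEC", BEC_MSG), ("CLEAN", CLEAN_MSG)):
        print(label, triage(raw) or "no findings")
```

Note what the W-2 sample teaches: the attacker registered a lookalike domain and set up SPF and DKIM for it, so every authentication check passes. Only the impersonated display name and the one-character domain difference give it away, which is why training has to cover the human checks and not just the technical ones.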
With constant travel and remote work increasingly common, on top of ever-looming long hours, cloud-based work offers attorneys many advantages. A LexisNexis survey found that 52 percent of lawyers use file sharing services such as Dropbox and Box to transmit and share privileged client information. These services, while powerful, are often used in their consumer tiers, which lack the administrative controls, such as centrally managed access and audit logging, that confidentiality obligations demand. Furthermore, it is far too easy to share an entire folder, or several folders, when trying to share a single file, so one click can expose critical information, and a link set to open to anyone who has it can be forwarded without limit.
These are just three of many ways attorneys can compromise their organizations’ security. For years, lawyers have told themselves that security is a problem for IT, healthcare and financial organizations, not for them.
Attorneys may assume that none of their data is of interest to hackers. But even small firms handle enormous amounts of confidential data, from financial records to Social Security numbers to divorce negotiations. And even common slips, such as sending an email to the wrong recipient or posting a careless Facebook status, can be exposure points that hand a bad actor a way into the firm’s network.
The American Bar Association found that in 2015, about 1 in 4 U.S. law firms with 100 or more lawyers had experienced a data breach through hacker or website attacks, break-ins or lost or stolen computers or phones. And the overall proportion of firms that have experienced data breaches is on the rise, having increased 5 percent since 2012.
Like any other organization that holds vast amounts of sensitive and confidential data, a law firm must continually educate its employees on cybersecurity risks and data privacy best practices. A firm may have security software in place, but cybersecurity cannot stop at the IT department. It is critical that security be the responsibility of every employee, lawyers included.
Download an eBook detailing best practices for maintaining a strong cybersecurity defense at your law firm, and subscribe to our newsletter for the latest content on how to safeguard your organization from within.