
Security in law firms and what could go wrong

Which service providers first come to your mind when you imagine very sensitive information being handled? Lawyers must surely come at the top of your list, along with bankers, accountants, and doctors. We entrust these people with the key information that our lives and businesses depend on. And with that in mind, it’s fair to ask what measures lawyers have in place to keep this information safe.

When it comes to tech, law firms need multiple security protocols and standards put in place along with every new application or piece of software they use. This shouldn’t be a formality, but should consist of strictly defined rules that are respected by all stakeholders.

The International Legal Technology Association – which brings together tech-focused legal professionals from throughout the world – published a paper in June on IT and cybersecurity in the legal industry.

The paper concludes that formally implementing security standards doesn’t necessarily guarantee the safety of an organisation. The reason for this is quite simple: cybercriminals don’t care if a firm complies with standards or has obtained relevant certificates. If the firm’s infrastructure is vulnerable, they will find ways to penetrate it. 

In this article, we will analyze aspects of the research and look at a recent example of a security breach that went terribly wrong for the firm involved. 

Staff are likely to compromise security – but they aren’t the real problem

The behavior and practices of lawyers and other staff are the main security risk for any organization, IT and security specialists noted in the paper. But researchers argue that instead of blaming their colleagues for compromising security, IT departments should be focusing on the real enemy: cybercriminals. In other words, IT people are puzzled as to why lawyers fall for scams like phishing emails, while ILTA argues that phishing emails shouldn’t have been received in the first place. 

Lawyers and security staff have different expectations around cybersecurity

Security specialists in law firms seem to be committing a fundamental attribution error, also known as correspondence bias, by minimising how much situational factors affect the way that lawyers deal with cybersecurity protocol. Working with both IT experts and lawyers, we’ve seen a clear gap between the two groups when it comes to the perception and usage of technology. IT experts expect lawyers to be IT literate and to have mastered the basic concepts of cybersecurity. Lawyers, however, already feel that doing legal work is demanding enough, and seek to spend the least possible amount of time and energy on IT.

There needs to be a compromise

Lawyers and IT specialists need to come together to effectively address cybersecurity risks. Being able to recognize a phishing email or a malicious website that could install malware on a computer is a matter of basic literacy in today’s world. These are ultimately professional skills for lawyers to master, and they will help reduce all kinds of damage, both to company equipment and in the lawyers’ personal lives. But we also agree with the ILTA research: IT departments need to ensure that they put maximum security measures in place to minimize any potential damage to the firm. Unfortunately, many firms don’t have these basic measures in place. ILTA’s research finds that 90% of surveyed firms don’t block or restrict external file hosting sites, 72% don’t automatically enforce email encryption through content examination, and 79% allow passwords to be fewer than 16 characters.

What drives firms to play it safe?

Law firms are mainly motivated by client requirements to put safety measures in place, according to the ILTA paper. Large companies expect their lawyers to act in accordance with particular security standards. But is this enough? 

Unsurprisingly, this is quite clearly not enough for two main reasons: 

Firstly, with many firms seeing compliance with client security standards as a formality, very little is done to integrate these security protocols into the workings of the firm. Compliance is usually agreed upon at the beginning of the client-lawyer relationship, and from this point on, many law firms consider most of the job to be done security-wise. Almost one-third of firms surveyed in the paper were unaware of the content of the security standards agreed on with their clients, for instance. This leaves firms vulnerable to attack because they can’t possibly be implementing robust cybersecurity protocols at every level of their organizations.

Secondly, client pressure on law firms to respect particular security standards is the main driver for firms to make their IT infrastructure and processes secure. This means that the standards imposed are corporate standards – which are generally one-size-fits-all and not necessarily applicable to law firms. Each firm should be operating as an independent entity, with security protocols in place to address its own specific security gaps or weaknesses. 

What could actually go wrong?

There are multiple examples of damaging security breaches across various industries. 75% of law firms visited in a 2020 survey undertaken by the UK’s Solicitors Regulation Authority reported having fallen victim to a cyber attack. And 23 of the firms that were directly targeted saw over GBP 4 million in client money stolen, the survey reported. Meanwhile, the average cost of a data breach for firms as a whole reached USD 4.24 million in 2021, according to IBM’s annual Cost of a Data Breach Report, cited by the American Bar Association.

One recent example of a law firm that’s seen immense fallout from poor security practices is leading Australian law firm HWL Ebsworth, which employs over 850 lawyers and 400 support staff. Though large firms generally have stricter security protocols in place than their smaller counterparts, according to the ILTA paper, this didn’t prevent HWL Ebsworth from being targeted.

In late April, HWL Ebsworth reportedly saw some 1.45 terabytes of data stolen by the infamous BlackCat cybercriminal group. BlackCat’s modus operandi is to place malware on its victims’ systems through infected emails or websites, copy valuable data, encrypt the data on the victims’ systems, and then extort money, under threat of publishing sensitive information. 

BlackCat stole millions of HWL Ebsworth’s sensitive documents and threatened to make them all public unless HWL Ebsworth paid up. The firm stated it won’t pay anything, as this would contravene its ethics and business principles. Furthermore, the firm took damage control measures that seem almost ridiculous, securing an injunction from the Supreme Court of New South Wales. This legal action was undertaken in an effort to prevent hackers from publicly disclosing the sensitive information that had been stolen. It also places a restriction on media outlets reporting any details about the compromised data. By obtaining this injunction, HWL Ebsworth is aiming to safeguard the confidentiality of its information and limit the potential repercussions of any unauthorized disclosure. But all evidence suggests that BlackCat won’t be intimidated by this kind of measure. After all, the essence of its “business” is to act against the law. 

What can be done?

There are a few conclusions to be drawn:

  • Law firms should pay attention to security from the get-go and not see it as a mere formality imposed by clients. 
  • IT departments have to drive a cultural shift among legal professionals to help them view security as an essential driver for a successful legal business.
  • Lawyers need to be committed to the adoption of new technology and everything that goes with it, including safe behavior in the IT world. With the rapid evolution of technology, basic knowledge of how to stay safe in the virtual world is a must – not only in the business environment, but in everyday life.  

Authors: Vojislav Bajić, Lucy Marx