Law Firms: Cyber Criminals’ Next Top Target?
Without breach notification requirements in place, it can be hard to gauge the popularity of law firms as targets for cyber criminals. But if recent findings are any indication, the legal industry may well be the next lowest hanging fruit for attackers.
Last week, the New York Times DealBook published a story about Citigroup’s recent finding that major U.S. law firms are frequently experiencing data breaches yet rarely disclose these events publicly. This finding came to light in a report from Citigroup warning banks that law firms may be a top target for cyber criminals. As Citigroup notes, it makes sense that law firms would be attractive targets given that they regularly access and store sensitive client data as part of their day-to-day operations.
For banks specifically, that data could include confidential information concerning mergers and acquisitions, investments, business strategies, and other intellectual property. To exacerbate the issue, the report also found that data security measures employed by big law firms often lag behind those of other industries that are also commonly targeted in cyber attacks – say, for example, retail, healthcare, or manufacturing.
However, because so many law firms fail to disclose these incidents publicly, Citigroup concluded that it is “not possible to determine whether cyberattacks against law firms are on the rise.” While it may not be possible to quantify the exact amount of cyber attacks and data breaches impacting law firms, there is certainly plenty of recent evidence that would indicate that these incidents are indeed on the rise.
For one, Cisco’s 2015 Annual Security Report named law firms as the 7th highest target for cyber criminals last year, ranking behind only the pharmaceutical/chemical, media/publishing, manufacturing, transportation/shipping, aviation, and food/beverage industries. 2015 was the first year that the legal industry made the top ten most targeted verticals in Cisco’s report, indicating a nearly 50% year-over-year increase in the likelihood that law firms would be encounter malware attacks.
Citi and Cisco aren’t the only companies to call out law firms as increasingly popular targets for cyber criminals, however. In 2012, Mandiant estimated that over 80 of the top 100 (by revenue) U.S.-based law firms had been hacked in the previous year – a staggering number, but less of a surprise when you take into account both the type of confidential client data those firms have access to as well as the companies that comprise their clients.
U.S. law enforcement agencies – particularly the FBI – have also placed heavy emphasis on advising law firms as to the threat of cyber attacks as well as urging top firms to improve information sharing and disclosure when incidents do occur. Both threat intelligence sharing and data breach disclosure have bubbled up as top-priority issues for U.S. lawmakers this year, with President Obama proposing new federal laws requiring data breach notification in his State of the Union Address this past January and two new bills for cyber intelligence sharing – the Protecting Cyber Networks Act and the Cyber Information Sharing Act – being announced last week. Unfortunately, while these bills represent a new focus on cyber security at the federal level, both were met with criticism by privacy advocates and security experts.
So will law firms be the next top target for cyber attackers? If recent news are any indication, the answer is an obvious “yes.” However, without effective laws for breach notification and cyber information sharing, it may remain difficult to truly gauge the threats facing law firms for some time to come. While they may not be suffering the public embarrassment that accompanies the disclosures required of HIPAA or PCI-DSS regulated industries, law firms will undoubtedly start losing clients as the unregulated “business grapevine” starts spreading the word about sensitive data lost as a result of lax data protection practices. The onus for protecting sensitive client data lies on law firms themselves and they must start to take action to do just that.
More from the Digital Guardian Data Security Knowledge Base: