by Nick Kael
Posted on December 14, 2021
Want to interview Nick?Contact
Today, virtually every business is fair game for cyberattacks and data breaches. However, law firms are especially attractive targets for cybercrime due to the sensitive nature of their work, which requires them to handle large amounts of highly confidential client data.
In fact, in the case of Panamanian law firm Mossack Fonseca and Company, a data breach became an existential threat. The firm, which at one time was the world’s fourth largest provider of offshore financial services, shut its doors after a data breach revealed that it had helped 140 politicians from 50 countries evade taxes. Governments around the world recovered more than $1 billion using documents the hackers released to journalists. Forbes claims the firm had very weak information security, including running old versions of key software that was riddled with vulnerabilities.
Mossack Fonseca and Company appeared to have been operating on the wrong side of the law and may have deserved to be shut down, but many prestigious white-shoe law firms have also fallen victim to hackers.
Grubman Shire Meiselas & Sacks, a top entertainment law firm, lost an estimated 756 GB of sensitive client information to a cyberattack. The firm’s clients include Barbra Streisand, Lady Gaga, U2, Robert de Niro, Andrew Lloyd Webber and Sony, among many additional A-list firms and stars. The hackers released a portion of one of Madonna’s contracts to prove they had the data and give credibility to their ransom demand. In an interview with Variety, one security analyst characterized the release of Madonna’s information as “the equivalent of a kidnapper sending a pinky finger,” to show they have the goods and are serious about acting on their threats.
Law firms have also been victims of supply chain attacks, as we’ve mentioned in a previous post. One of the top law firms in the world, Jones Day, had many gigabytes of highly confidential data stolen via a breach at file transfer service Accellion. Jones Day refused to pay a ransom, and the hackers published gigabytes of confidential client information on the Dark Web. Members of former US President Donald Trump’s administration and his campaign were among the firm’s clients, although there is no information as to whether their files were stolen.
A 2017 ransomware attack on DLA Piper, one of the largest law firms in the world, crippled the company’s servers and email. The firm detected the malware quickly, before client data was believed to have been compromised. However, operations were severely impacted: Email was down for six days, and older documents were inaccessible for almost two weeks. Insurance industry brokers estimated the firm’s direct and indirect costs were “in the millions.” The firm’s IT department put in 15,000 hours of paid overtime to get back on track.
There are several reasons that law firms are attractive targets for hackers:
As desirable targets, law firms must safeguard their systems and resources against a wide range of attacks:
Shifting to a Zero Trust approach to network security should be a no-brainer for lawyers, who know the importance of verifying identities and privileges before bestowing trust.
The old network security model is focused on creating and maintaining a secure perimeter around the company data center. Once a user was verified, they were granted access. Greatest efforts went into protecting the perimeter.
But today, traditional perimeters are largely obsolete. Data and applications may be located partially or entirely in public and private clouds. Users may be working from home, the office or someplace else entirely. Email and always-on browsers add unprecedented permeability and risk to the equation.
Detection-based techniques cannot be relied on to protect against zero day threats and the millions of malicious websites continually spun up at new URLs.
Zero Trust is not a single security product or technique, but rather a global approach that operates on the principle that all traffic is dangerous unless proven otherwise.
A comprehensive Zero Trust platform, such as Ericom Software’s ZTEdge, protects against cyberthreats in numerous ways, including the following:
Zero Trust is the state-of-the-art approach for cybersecurity, as indicated by the recent White House executive order requiring US federal government agencies to adopt it, and encouraging the private sector to do so as well.
Law firms are especially attractive cybercrime targets due to the wealth of valuable confidential information they hold, which criminals can exploit in multiple ways. As such, responsible law firms should lead in proactively moving to Zero Trust approaches to cybersecurity with easy-to-implement platforms like the ZTEdge Cloud Security Platform.
OWASP®, the Open Web Application Security Project®, recently updated their list of the Top 10 Web Application Security Risks. An online community led by the OWASP Foundation, the project was established in 2003 to provide developers and security professionals with resources to help improve web application security. Because virtually every organization today uses web apps, […]
This year’s DBIR confirms that when it comes to data breaches, users are not their employers’ worst enemies, but they may well be their enemies’ best helpers.
Secure Access Service Edge (SASE) and Zero Trust (ZT) security are two of the most important security concepts being talked about in the industry today. Are they the same? Or different? Interrelated in some way?