Of the many industries attracting threat actor attention, the legal sector is gaining heightened interest from run-of-the-mill cybercriminals and nation-state actors alike. In late February, the State Bar of California disclosed that it experienced a breach allowing access to thousands of case records and case profile data, along with confidential court records. This disclosure serves as yet another reminder of the risk carried by the legal industry and the imminent need for security readiness, as the value of client data privacy and security increases.
Between the highly regulated nature of the legal industry and the client trust at stake, law firms must prioritize investment in improving their security posture—a daunting task for any organization. Here are a few places to start when reinforcing the cyber posture of a legal organization.
Identify New and Existing Risk Factors
Whether it’s a productivity tool or a legal database engine, any technology that has access to a firm’s legal data can expand the attack surface. Ensure that any new tools are vetted and monitored closely by IT and security teams to prevent misconfiguration or misuse.
Along the same lines of software risk factors, make sure the security infrastructure is keeping up with remote workers. As lawyers use personal devices and access data from new locations, it’s critical to ensure that all endpoints are monitored and secured. Reducing your attack surface starts by having a complete view of all devices on your network; audit all assets and determine where the risk factors are, be it unpatched devices or software. At the end of the day, you can’t secure assets you don’t know you have.
Consider the Most Relevant Threats
While it’s good to stay abreast of all major incidents and cyber threats, it can be overwhelming to determine which threat of the day is of heightened risk to an organization. For legal businesses specifically, the confidential nature of client and business data makes ransomware especially lucrative for attackers, whether the end goal is to simply lock up a network for a ransom or leak information for profit.
In addition to the ever-present risk of ransomware, phishing is a particularly relevant threat to legal organizations as well. Using targeted social engineering campaigns directed toward partners and other high-ranking organization members, threat actors can obtain organization credentials to access IT networks and affiliated sites, including bank accounts. These credentials are extremely valuable to threat actors and can serve as the keys to unlock troves of personally identifiable information.
Reinforce Cyber Protection with Protocols and People
Legal organizations, especially those affiliated with state and federal agencies, should reinforce existing security operations with thorough and thoughtful planning. Adopt the mindset that the question of whether a cyber incident will occur is a matter of “when” not “if.” Ensure that data protection tools and policies are implemented and followed so you can demonstrate compliance with regulations when audited. Having a plan to not only prevent breaches but also to respond to and recover from them is critical.
Create a security-conscious workforce and train staff of all levels to be aware of security risks. By keeping employees updated on known threats and best practices relevant to the latest threats, teams will be empowered instead of shamed into greater awareness of the security landscape.
The impact of the current threat environment resonates throughout the field of law since firms are often required to store and share vast amounts of personal data, with added challenges of state and general compliance standards, and in some cases, international regulations to meet.
The State Bar of California’s disclosure is a reminder to the legal industry that the stakes are incredibly high, and no industry is immune to cyber threats. As security teams work with legal organizations to protect and defend against today’s threats, it’s critical to acknowledge the high stakes that this industry is running up against and work together to end cyber risk.
This article originally appeared in Forbes.