There's no question about it: Law firms are highly valued targets for hackers. This was the takeaway from part 1 of this blog post, which highlighted some recent findings about the current state of cybersecurity in the legal sector. One of the most telling stats was that around 25 percent of law firms with 100 or more employees have been the victim of a data breach.
Despite the severity of that information, and the possible implications of a hacker breaching a law firm, it can easy to dismiss statistics; that is, until you become one. And very recently, several major law firms have joined the long list of organizations in the legal sector that have been victimized by cyberattackers. As if on cue, it would seem that many of the fears we outlined in part 1 of this post are starting to materialize in a huge way.
The Panama Papers
One of the biggest trending news stories at the moment is the recent leak of more than 11 million documents belonging to Panamanian law firm Mossack Fonseca. The exposure of this information has caught wealthy, powerful people red-handed in tax evasion, not the least of whom is Icelandic Prime Minister Sigmundur David Gunnlaugsson – he promptly resigned in the wake of the incident.
So far, the dominant angle for this story has been the corruption of several former heads of state and prominent business owners, and the hand that Mossack Fonseca had in helping them perpetrate their fraud. Until recently, the fact that someone was allegedly able to infiltrate the law firm's databases in order to steal the information in the first place had sort of been swept under the rug. According to the BBC, Ramon Fonseca stated that the leak was not an "inside job," but the rather the work of hackers.
Granted, the fact that Mossack Fonseca may have been the victim of cybercrime in no way undermines any illegal activity it may or may not be guilty of. However, it does, or at least it should, prompt a bigger discussion about cybersecurity in the legal sector. If this was in fact a hack, how was it achieved? And what's to stop cybercriminals from orchestrating similar breaches for more sinister purposes? Will it happen again?
Just the tip of the iceberg
Shortly before The Panama Papers were leaked, two prominent law firms reported being breached. According to The Wall Street Journal, hackers broke into U.S.-based firms Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which reporters Nicole Hong and Robin Sidel refer to as "some of the country's most prestigious law firms."
As of the latest reports, the FBI is investigating the incident to get a better idea of what information, if any, was pilfered, and to what end. The most likely scenario is that the hackers were trying to steal information that could be used for insider trading, but this possible motive has yet to be confirmed.
Relative to the Panama Papers, the Cravath and Weil Gotshal breaches flew under the American public's radar. Hopefully, the same can't be said for law firms in the U.S. and elsewhere.
The time for change is now
"Cybercriminals always find a way in."
For years, the goal of cybersecurity was to create impenetrable firewalls and defenses that even the most sophisticated hacking groups would not be able to crack. The problem is, cybercriminals seemingly always find a way in. Even if, in theory, there were such a thing as ironclad cybersecurity, social engineering – tactics that manipulate insiders – avoidance of best practices and other internal threats to an organization will never really go away. And as long as these problems persist, there will never be impenetrable cybersecurity.
Therefore, law firms do not just need a big, shiny wall. They need eyes and ears on the ground in their network capable of detecting intrusions when (not if) they happen; they need a security operation center, and in particular, SOC-as-a-service.
Much like other as-a-service offerings, a SOC is managed by an expert professional so that no extra work is placed on an organization. A dedicated security engineering team vigilantly monitors the network for signs of suspicious activity that may be indicative of a data breach, while also identifying potential flaws in a cybersecurity strategy.
The recent string of cyberattacks against law firms is only the beginning. And the only thing we hate saying more than "I told you so," is having to say it twice.
Don't let your law firm be caught off guard. Enhance your network security today with SOC-as-a-service.