Cyber Security: As hacks increase, law firms should guard their weak spots

By Carl Mazzanti

Law firms are increasingly getting attention from a group they would rather avoid: cyber criminals. According to a recent survey, global cyberattacks rose 7% overall in the first financial quarter of 2023 compared with the same period in 2022, while law firms ranked in the top 10 industries targeted by hackers. Partners from large and small firms alike are increasingly searching for answers, and many we speak with are surprised to learn that they can start to shore up their cyber defenses with some relatively simple steps.

It is no surprise that firms are a top target for hackers — large and small ones, even a solo, may have sensitive and valuable information about multiple companies or entities stored in their database. This sets them up as a kind of one-stop destination where cyber criminals can lift a treasure trove of data with a minimum of effort.

Consider some cases, including one earlier this year where it was reported that the personal data of more than 50,000 current and former employees of Chicago-based snack giant Mondelez Global — manufacturer of staples such as Oreo cookies and Ritz crackers — had been exposed, thanks to a data breach at an Am Law 100 law firm. The hacked information included sensitive details: employee dates of birth, Social Security numbers, and home addresses.

And according to published reports, similar hacks took place at other notable firms, including an April breach at a global practice that advises such sports clients as Major League Baseball, the National Basketball Association, Major League Soccer, and banks like Morgan Stanley. In this case, client data that included sensitive financial information, was exposed to hackers. The primary victims in these and other cyber-attacks are the victims whose data is exposed, of course, but the reputation and liability exposure of the hacked law firm is also at stake.

To help guard against these kinds of cyber breaches, firms may start by working with a cyber security services provider to develop a written acceptable use policy (AUP) that sets forth general rules that employees should follow when they interact with the firm’s network, computers, laptops, software, and mobile devices. The AUP will document how employees should use employer-provided technology and personal mobile devices like smartphones and tablets while setting guardrails around the use of unsecured personal devices that may be more vulnerable to a breach.

An effective AUP will also “whitelist,” or approve, admissible websites that employees can access with company-owned devices, enforcing the policy with content-filtering software and firewalls. An AUP will include policies for network access by personal devices and should detail policies about lost or stolen ones, as well as out-boarding procedures for employees who leave the firm.

Firmwide password policies should also be developed, with employees advised to use strong passwords that contain at least eight characters, mixed cases, symbols, and a number. Additionally, passcodes should be required for cell phones to help prevent unauthorized persons from compromising a stolen device. Multi-factor identification (MFA)— supplementing a username and password with a one-time password or code received via email or mobile app — should also be an essential security measure.

And because hackers typically exploit known vulnerabilities in such commonly used software programs as Office 365, it is advisable to implement a patch management strategy. An IT security expert can assist in ensuring that security patches are downloaded for a firm’s servers, access points, desktops, and laptops in a timely manner, ensuring that their cyber defenses are all up to date.

An updated firewall can function as a front-line defense against hackers, blocking everything that is not specifically allowed from entering or leaving the firm’s network. Depending on the firm’s activities, common blocks may include international access and potential public domain access. Once a quality firewall is installed, a firm should practice vigilant firewall management while routinely updating firewall policies to block or allow specific types of network traffic.

Finally, cyber security is not a “once and done” protection. New security factors enter the picture frequently, from changes in the supply chain to additional connected devices. Firms and their cyber security advisors should conduct periodic network assessments and penetration testing, which will allow IT security professionals to map the location of all assets and address any vulnerabilities. A bit of attention at the front end can save time and trouble later.

BIO: Carl Mazzanti is president of eMazzanti Technologies,  a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected]