Top 3 Cyber Threats to Law Firms

What cyber threats are law firms most vulnerable to?

In 2019, every respondent to the PwC Law Firms Survey reported suffering a security incident. This is 40% more than the previous year, and almost a 60% increase from 5 years ago. On one hand, this suggests that law firms are being increasingly targeted for their valuable data. On the other hand, there is also the possibility that security incidents had previously gone undetected, meaning that the high reporting rate actually indicates an increase in strength and awareness of cybersecurity among law firms.

The top three cyber threats to law firms are:

  1. Phishing attacks
    Phishing is a type of social engineering in which attackers manipulate users into disclosing information or clicking a malicious link. Phishing is most prevalent over email, with attackers targeting both law firms and clients by spoofing one party’s email address to make the correspondence look more convincing to the recipient. 100% of the top 10 firms surveyed by PwC reported a phishing attack.
  2. Malware attacks
    Malware is short for “malicious software”, and describes code designed to gain unauthorized access or cause damage to data and systems. Ransomware is a type of malware that blocks access to files or data on a device or network until a ransom is paid. Email is also the most common attack vector for ransomware: it is estimated that 80-90% of ransomware attacks enter via email.
  3. Data breaches
    A data breach is the intentional or unintentional exposure of sensitive or confidential information to unauthorized parties. A notorious example is the Panama Papers hack in 2016, in which Panama-based law firm Mossack Fonseca lost 2.6 terabytes of data, the largest amount of data lost in a single incident ever recorded. It was believed that the breach happened because the law firm’s client portal had not been updated in 3 years. The firm never recovered from the damage to its reputation.

What can law firms do about these cyber threats? First, use software that has been certified by an independent authority and whose certification includes regular penetration testing. Second, ensure that the firm's information technology systems are kept updated to minimize the weaknesses that hackers can exploit. Third, devise a clear and practicable information technology handbook that sets out protocols for handling different types of information. For instance, limit downloads from unfamiliar or unsafe emails and websites to guard against malware attacks. Fourth, train employees to maintain good cyber security practices, such as using strong passwords and looking out for unusual correspondence that may be a phishing attempt.

Cyber threats have persisted and will continue to evolve as security measures develop. Gartner forecasts global spending on cybersecurity to reach US$133.7 billion in 2022. By cultivating good cyber security practices throughout all levels of the organization, law firms can establish a solid foundation to build a cybersecurity strategy that can grow to detect and withstand future threats as and when they arrive.

LEGALX adopts an internationally recognised framework for best practice in Information Security Management Systems (ISMS) and understands the need for appropriate risk management controls when dealing with important information. To ensure your IT system has adequate cyber security protection, visit our website or contact us today to learn more about LEGALX and its cyber security standards.