Law Firms Are a Hacker’s Dream
When we talk about some of the tactics, techniques, and procedures (TTPs) used by hackers during a cyber breach, we usually think of things like sophisticated malware, military-grade encryption-cracking tools, and ransom notes delivered to the world via Twitter. We usually don’t think about the countless hours the attackers had to spend weeding through the terabytes of stolen data to find the nuggets of valuable information they were looking for.
More often than not it takes more time to filter through the data than it does to steal it. If it takes a lot of time and money to search through massive amounts of stolen data, why do it if you don’t have to? Why not employ an entire fleet of people to do it for you upstream in the process, pro bono of course?
Doing the Hacker’s Dirty Work
This is exactly why the legal industry is considered one of the most target-rich environments for hackers right now. Law firms do a great job at collecting, aggregating, analyzing, and presenting sensitive data – they just don’t protect it that well. The legal industry has some of the most advanced data aggregation tools and well-trained employees who know how to use them; they’re just not skilled in the art of protecting data.
This isn’t meant to imply that law firms don’t take their responsibilities as the custodian of their clients’ data seriously because most do. The purpose of this blog is to point out the fact that law firms represent a variety of industries, have data rich IT ecosystems, and can be a great launching pad for hackers who want good data that’s already been filtered and massaged for them.
A Situation of “Soft” Compliance
Why are law firms good at the acquisition of data and notoriously challenged at protecting it? This can be attributed to many of the usual suspects like budget cuts and staffing shortages, but the underlying reason is that the legal industry is one of the few self-governed territories still untouched by an industry-specific version of IT security compliance.
Sure, firms have to adhere indirectly to legal and regulatory compliance as requested by their clients, but right now security is still a discretionary, non-mandatory expense at firms. “Soft” compliance requirements passed along by clients aren’t nearly as effective as the financial penalties associated with real compliance frameworks like HIPAA and PCI-DSS.
This doesn’t mean that law firms go out of their way to get breached, nor does it mean that they’re the most profitable organizations to steal data from – it means that firms should be on high alert like the rest of us, maybe a bit more given how much value they might add in the attacker’s favor.