Cybercrime - Why attack a law firm?

Upon his capture in 1934, the bank robber Willie Sutton was asked by FBI agents, why he robbed banks. Sutton, replied, ‘Because that's where the money is’. From the perspective of today’s cyber-criminal, the money - or value - is contained within the treasure trove of sensitive client and firm-business information that law firms have under their guardianship.  

Research reveals that law firms are at increasing risk of cyber-attack, as are their clients. In fact, the threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when general counsel and high profile, high-net worth individuals will insist on law firm security audits as part of the tendering process. 

Despite the lessons of the so-called ‘Panama Papers’ scandal of 2016, law firms continue to be soft targets for cyber criminals due to the sheer amount of confidential information that law firms hold, their lack of cyber security defences and their adoption and reliance on modern working practices and devices such as mobile phones, laptops and remote working. Many lawyers are further compromised by overseas travel and representing international clients, thus making them vulnerable to state-sponsored espionage. With threats ranging from hacktivists to foreign spies, it is clearly time for law firms to get their data security act together. 

To get a better sense of the cyber threats facing law firms we hosted a roundtable for risk and compliance professionals working in law firms and barristers’ chambers. Our expert contributors from software developers, insurers and law firms walked us through some of the major cyber security trends and risks and suggested ways in which lawyers could better protect themselves. 

  • There has been a significant rise in cyber-attacks of prominent individuals (CEOs, partners in law firms, high profile individuals etc.) and institutions. Often the attacker is silently ‘listening’ to communications to gain insider intelligence or access to sensitive data. Increasingly, hackers are deploying covert malware with a view to holding information hostage or threatening to disseminate sensitive data in exchange for a ransom.
  • Whilst there are some useful technological defences, the key issue is the human element – developing the right educational and cultural approach and deploying appropriate staff and resources to develop and implement firm-wide security strategies is the best way to effectively fight cybercrime. 
  • Many law firms are ‘careless’ with information generally, they do not have an information policy in place – let alone an information security policy.
  • The best way to protect your law firm from the worst cyberattacks is to make sure that your firm’s most important and precious information is well protected, it is not possible, nor desirable to build a fortress around everything.  Part of the due diligence process when taking on new work should involve a cyber risk assessment that considers whether the matter or the individuals involved are more susceptible to cyberattack than usual
  • Cyber security is not ‘the IT department’s problem’ – law firms that take a cross-departmental approach, with support from the very top of the firm, are most successful in tackling cybercrime.
  • It is not possible to stop all cyber attacks, but the response is critical – law firms must try to develop a culture that encourages people to admit to mistakes that lead to vulnerability immediately, they also need a tried and tested plan of action in place for when things go wrong.

If you are interested in attending a future Hook Tangaza event please register your interest with us: