The 3 most common cyberattacks targeting law firms

Recent years have seen a spate of high-profile cyberattacks against law firms, but it’s not only the headline-grabbing events that business leaders have to worry about. It’s also the multitude of smaller attacks that target local firms. In fact, around a fifth of law firms claim to have suffered a data breach or another form of cyberattack. As custodians of huge amounts of sensitive data belonging to their clients, even small law firms are highly lucrative targets. Staying ahead of the trends and proactively protecting your organization will undoubtedly pay off the next time your firm is targeted.

Here are some of the most common ways attackers exploit law firms:

#1. Social engineering scams

With multiple layers of security in place in most systems, it’s rarely easy to exploit technology vulnerabilities, so theft by hacking isn’t the most common threat of all. Since attackers always take the path of least resistance, they go after the weakest link, which is almost always human ignorance. What makes social engineering scams so dangerous is that there’s no way for technological and administrative solutions to completely guard against them.

As with any other industry, social engineering attacks against law firms are often carried out to gain access to confidential information, such as login credentials for online accounts. Others may target payment information. In the legal sector, specifically, an attacker masquerading as a colleague might attempt to dupe an employee into sending over highly sensitive case files. These personalized attacks are among the most dangerous threats of all. They may also be used for surveillance, rather than information theft.

#2. Ransomware attacks

Cyberattacks don’t always target sensitive data, and neither do they necessarily involve theft. The last few years have seen a surge in ransomware attacks, in which malicious software is used to encrypt all data on a device and compel you to pay for a decryption key to regain access. Any business or individual is a potential target for ransomware — the more reliant they are on access to their data, the more attractive a target they become.

In the legal sector, ransomware attacks typically manifest themselves in the same way, and do the same sort of damage, as they do in any other business. However, they might also be launched by individuals who are less interested in financial gain and more interested in shutting down a case in progress. Law firms are also common targets for hacktivists, corporate spies, and even state-sponsored attackers.

#3. Supply chain compromise

As firms find themselves trying to maintain larger and larger vendor portfolios, with each one typically having access to some of their systems or information, potential attack surfaces have expanded enormously. That’s why a lot of data breaches and other incidents don’t happen in the firm itself, but somewhere along the supply chain. This could be a cloud vendor or offshore accounting firm, to name a couple of examples.

It’s imperative that you maintain full visibility into your supply chain, including any organization you do business with in whatever capacity. Follow the principle of least privilege to grant access only to the information needed for a partner to provide the service you need. The same rules should apply to your employees to reduce internal threats. Always carry out due diligence when evaluating suppliers or business partners, and make sure you have all the necessary legal and operational agreements in place around how your data is handled.

Vertex brings 12 years of legal IT experience to help law practices in Toronto enable growth without adding risk. Call us today to turn your IT from a hassle into an invaluable asset.
