Cyberattacks on law firms are up sharply
'How much security do you really need? The answer is you need as much security as your data requires'
Steven Teppler, co-chair of the newly created Standing Committee on Cybersecurity and Privacy Law, could not have asked for a better illustration.
As he waited to present the Professional Ethics Committee’s June 22 free CLE, “Cybersecurity, Ethics, and the Law,” news was just breaking about a massive data breach at the international firm, Bryan Cave Leighton Paisner.
“We’re waiting for the details,” Teppler told audience members as they filed into a Boca Raton hotel ballroom. “Perhaps it was a nation or state actor.”
The attack on the 1,200-lawyer firm exposed sensitive client data belonging to Mondelez International, the company that makes Sour Patch Kids, Oreo, Chips Ahoy, and Ritz Crackers, to name a few. The personal data of more than 50,000 current and former Mondelez employees was stolen, according to news reports.
Every Florida lawyer, regardless of firm size, should take the incident seriously, said Ft. Lauderdale attorney Franklin Zemel, the Cybersecurity and Privacy Committee’s other co-chair.
“There are dozens of well-publicized law firm breaches,” Zemel told the audience. “I can tell you that what’s been reported is a fraction of what’s going on because when we get hacked, it’s not something that we want to call the media about.”
According to the latest Forbes industry study, the “insurance/legal” sector saw 636 weekly attacks in 2022, a 68% increase from 2021.
“When the new report comes out, I’m pretty confident we will see triple-digit increases,” Zemel said.
The latest ABA cybersecurity report indicates that 27% of law firms reported a security breach in the past year.
“That sounds really awful, and it is, but more than 25% said they didn’t even know if they had been breached at all,” Zemel said.
Joining Teppler and Zemel as presenters for the hour-long segment were Eric Hibbard, director of product planning, storage networking & security for Samsung Semiconductor, and Mary Frantz, chief information & security officer at Cyber Nines.
Experts say lawyers have long been prime targets for ransomware attacks, in which the perpetrators encrypt a victim’s files and demand payment for a key that restores access.
Cybercrime is evolving so relentlessly that Zemel refers to standard ransomware attacks as “the good old days.”
“Jigsaw,” a more sophisticated version of ransomware, takes its name from a puppet in the “Saw” movie series, Zemel said.
“Jigsaw was kind of clever,” he said. “It started deleting your data, every hour, and the puppet would laugh at you. It was traumatizing and it was designed to induce people to pay.”
In August of 2022, “Black Cat” started spreading worldwide.
Zemel calls it “ransomware on steroids.”
“One of the things Black Cat does is that it disables security for the entire system,” he said. “The average time that threat actors are in a system before you even know it is about eight months.”
Unlike a traditional ransomware attack that immediately denies access, Black Cat lurks in the background for months, searching for the most valuable secrets, Zemel said.
The program can sense when someone is searching for it, and delete itself, Zemel said.
“It’s less and less about ransomware and more and more about extortion,” he said, adding perpetrators will demand payment from the law firm and clients.
The days of installing an anti-virus program and forgetting about security are long over, Zemel warns.
“I keep getting this question, ‘Franklin, can’t I just set this anti-viral program, just turn it on, and I don’t have to worry about it?’” he said.
The answer is an emphatic “no,” Zemel warns.
Prevention, including ongoing training for firm employees and hiring experts to conduct periodic assessments, will reduce the risks.
But no prevention is foolproof, the experts warn. Backups and response plans are essential, Zemel said.
“If you get shut down, this is not the time to be saying, what do I do? Who should I be calling? I don’t know what to do.”
Research shows that cloud storage increases security for many lawyers, but they need to ask vendors about their security plans, the experts say.
“How much security do you really need?” Teppler asked. “The answer is you need as much security as your data requires.”