Law firms and legal departments handle sensitive and confidential information on an unrivaled scale in the corporate world. Hackers and other cyber criminals recognize this, making legal entities prime targets for attacks. In fact, as early as 2009, the FBI cited the legal industry as a group that could easily succumb to cyber incidents.
According to a recent New York Times article, many large corporate clients are no longer satisfied with the way law firms are securing their information. Big business is demanding that the firms charged with keeping information on their matters increase their efforts to safeguard against the ever-expanding threat landscape of hackers, phishing attacks and data leaks.
Law firms as targets
- 45% of firms have been infected with virus, spyware or malware
- In May 2014, a grand jury indicted five Chinese military hackers in a case involving an AmLaw 100 firm.
- In 2012, the law firm experienced spearphishing emails initiated by Chinese hackers in conjunction with the firm's representation of a U.S. solar panels company using a Chinese supplier.
Attacks by the numbers
- Average cost paid for each lost or stolen record: $145 (up from $136 in 2013)
- The average time to resolve a cyber attack is rising, climbing to 45 days in 2014, up from 32 days in 2013.
- 30% of all data breaches are caused by negligent employees or human error
- The average cost of cyber crime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013
- Only 19.4% of firms have an intrusion prevention process in place
- 22% of firms don't have documented technology policies
- Nearly 80% of law firms view cyber security and privacy as one of their top 10 risks
- Only 38% of firms have file access restriction in place
- Only 26.8% of firms backup their files to an offsite location
8 Essential activities to improve security information systems
- Provide security for Internet connections
- Install and activate software firewalls on business systems
- Patch all operating systems and applications
- Make backup copies of important business data and information
- Control physical access to business computers and network components
- Secure wireless access points and networks
- Train employees in basic security principles
- Limit access to data and information by employees, and limit the authority to install software