Small businesses tend to be the most vulnerable when it comes to cyber attacks.
When a small business suffers a cyber attack, it is often advised to consult its attorney. But what happens when the attorney is the victim of a data breach? Unfortunately, the small business may become a victim as well.
Last week’s article in the Wall Street Journal on the law firm attacks that occurred several months ago serves as a reminder that hackers are looking for data everywhere. Hackers may be looking for insider information on mergers and acquisitions, for key client information, for patent details, or status and details on litigation. It might be your legal information the hacker locates.
The FBI is said to be investigating a number of attacks on international law firms. According to this article in Bloomberg BNA, the FBI issued an industry-specific alert last month (FBI alert 160304-001). The alert states that criminals are deploying an insider trading scheme.
The criminals may take the personal emails of executives or owners to use in social engineering or phishing efforts to access information from your business’ system. A business owner is likely to trust an email purporting to come from his attorney and open any attachments or links. In another type of scam, the hacker takes information from the law firm’s system and connects it with information on LinkedIn. The criminal then sends believable emails, using LinkedIn contact names, with malware attached.
What a Business Can Do
Businesses should be mindful of the information stored with all their suppliers and partners. While a business may have strong cyber security measures within its own system, risk may lie outside its control. Business owners should have two conversations with their legal advisors. One is to discuss how the legal team will support the business when the business is hacked. The other should be about how the law firm safeguards its clients’ information.
Businesses should expect their attorney to have at least the same level of cyber security measures in place that the business has for itself. Businesses can request a security audit or verification of the firm’s security practices. Law 360 reported last year that a number of clients are doing this with their law firms.
Learn more about protecting small businesses at the National Cybersecurity Institute.
Bloomberg BNA (2016, March 11). FBI Alert Warns of Criminals Seeking Access to Law Firm Networks. Retrieved from https://bol.bna.com/fbi-alert-warns-of-criminals-seeking-access-to-law-firm-networks/
Hong, N. and Sidel, R. (2016, March 29). Hackers Breach Law Firms Including Cravath and Weil Gotshal. The Wall Street Journal. Retrieved from http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504
Maleske, M. (2015, September 22). 1 in 4 Law Firms are Victims of a Data Breach. Law 360. Retrieved from http://www.law360.com/articles/705657/1-in-4-law-firms-are-victims-of-a-data-breach