How to Not Get Hacked in 2024
Written By: Dan Hernandez
After a record year for data breaches, law firms face more threats to their data than ever before.
1. Public statistics indicate that in 2023, more people's personal information was acquired through legal firm hacks than in any previous year.
2. Global hacker networks are becoming more advanced and able to defeat security safeguards put in place by law firms.
3. Firms can shore up weaknesses by deleting outdated data, vetting vendors carefully, and retraining staff on phishing and multifactor authentication.
Spare a thought for your law firm's IT staff, who just wrapped up what a number of legal cybersecurity specialists deemed the worst year ever for data breaches in law firms.
Some of the biggest legal firms in the world experienced hacking attacks last year from increasingly skilled and covert groups. Global cybercrime collective Cl0p launched a ransomware attack against Kirkland & Ellis, Proskauer Rose, and K&L Gates over the Memorial Day weekend.
A network breach at Bryan Cave Leighton Paisner resulted in the exposure of client Mondelēz International's data, compromising the personal information of 50,000 people. Furthermore, Orrick Herrington & Sutcliffe recently updated a data breach notification to reflect that 637,620 people's personal data was affected by a springtime breach.
In 2023, data breaches involving 28 law firms were reported to the attorneys general of Massachusetts, Maine, California, and Indiana. According to an American Lawyer investigation, the breaches affected the personal information of almost 760,000 individuals, more than in any prior year since those states started disclosing data breach information.
Litigation increased in tandem with the number of breaches and individuals impacted. Regarding the company's 2023 breach, Orrick resolved four different claims against it in December. Although BCLP was removed from one lawsuit, it is still a defendant in another. "Data breaches have been found by class action lawyers," stated Sharon Nelson, head of cybersecurity company Sensei Enterprises.
The fact that all of the Big Law businesses that were targeted in 2023 had cybersecurity safeguards in place highlights the difficulties that even the wealthiest legal firms encounter in protecting their networks from a worldwide network of hostile individuals. We chatted with a few cybersecurity specialists and attorneys to find out what steps businesses should take in 2024 to lock down critical data in order to help them stay on the cutting edge of data breach defense.
Get XDR
Minutes matter when a threat actor is inside your network. Extended detection and response, known as XDR, is helping law firms respond to network breaches as they occur.
“The whole point of XDR is you may have different tools in your environment to help stop things, monitor things and alert on things, but they’re different tools,” said Chris Loehr, EVP and CTO at Solis Security. “An XDR ingests the information from all the different tools and has automation built in to respond more quickly, and a lot of times automatically.”
While running XDR, law firms can instantaneously block access by an unknown user or isolate a computer or group of machines that may be compromised. “Ten years ago, you wouldn’t dare shut down or disable a server in the middle of the workday,” Loehr said. “In today’s world, if you see something suspicious, you do what you can even if it means suspending business in the middle of the day.”
Data: Delete, Compartmentalize, Encrypt
Law firms are notorious for hanging onto old documents long beyond their useful shelf life.
“Attorneys don’t want to delete something they wrote in 1990. They might need it in a brief,” said Melissa Ventrone, cybersecurity lawyer at Clark Hill. “Law firms tend to have terabytes of internal data. Even if a threat actor is in there for a limited time, they can still exfiltrate sensitive client data.”
It takes time to sort through decades' worth of briefs to separate the important documents from the organizational liabilities, especially since law firms typically don't keep sensitive client data in an easily searchable format. Ventrone noted that there are applications available that can redact or delete personal information from documents en masse.
Ventrone suggests compartmentalizing data that needs to remain in order to limit the extent of a compromise. She explained, "You can lock down the data by various business units: Only the litigation group can look at litigation, and only the health care group can see health care."
Law firms may also choose to encrypt data that they are currently utilizing. According to Loehr, keeping encryption up within a company's network would make stolen data useless, but he also pointed out that none of the widely used document management systems for legal businesses provide this kind of service. Additionally, according to Ventrone, encryption is only effective if a legal firm can keep passkeys and passwords secure.
Fight MFA Fatigue
According to Microsoft, multifactor authentication, or MFA, can thwart over 99% of hacking attempts, making it possibly the most useful technology available to law firms for preventing threat actors from entering.
However, it won't work if staff members simply approve every request to access the firm's network. The more frequently a firm asks its staff to approve access through MFA, the more accustomed some users become to the prompts. "People who aren't technical are just pushing for approval," according to Loehr.
Therefore, law firms should instruct staff members to grant access requests to the firm's network only in cases when they have made an attempt to log in themselves. Some businesses are also switching from MFA to passkeys, which eliminate the need for third-party apps by utilizing the built-in mechanism on Android and iPhone smartphones. By switching to passkeys, the passwords that are still connected to some MFA systems are removed, making it impossible for a hacker to get a password from a gullible user.
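The "approve only what you started" rule above has a detection counterpart: a burst of push prompts to one user in a short window that ends in an approval is the pattern to look for. The following is an added example, not code from the article or from any vendor it names; the log format, field names and thresholds are assumptions, and the sample log lines are constructed.

```python
# Added example: flag possible MFA push fatigue in constructed auth log lines.
# Log format (assumed): "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe gets four prompts in two minutes and finally approves;
# asmith approves a single prompt, which is normal behaviour.
SAMPLE_LOG = """\
2024-01-15T02:10:01Z user=jdoe event=push_sent
2024-01-15T02:10:03Z user=jdoe event=push_denied
2024-01-15T02:10:31Z user=jdoe event=push_sent
2024-01-15T02:10:40Z user=jdoe event=push_denied
2024-01-15T02:11:02Z user=jdoe event=push_sent
2024-01-15T02:11:30Z user=jdoe event=push_sent
2024-01-15T02:11:44Z user=jdoe event=push_approved
2024-01-15T09:00:00Z user=asmith event=push_sent
2024-01-15T09:00:09Z user=asmith event=push_approved
"""

def parse(log_text):
    """Turn each log line into a dict with a parsed 'ts' plus its key=value fields."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_push_fatigue(events, min_prompts=3, window=timedelta(minutes=5)):
    """Return {user: prompt_count} for users who approved a push after receiving
    at least `min_prompts` push prompts inside the preceding `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        for e in evs:
            if e["event"] != "push_approved":
                continue
            recent = [t for t in sent if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= min_prompts:
                hits[user] = len(recent)   # keep the largest burst seen
    return hits

if __name__ == "__main__":
    for user, n in find_push_fatigue(parse(SAMPLE_LOG)).items():
        print(f"possible MFA fatigue: {user} approved after {n} prompts")
```

A hit is a reason to call the user and review the login, not proof of compromise; tune `min_prompts` and `window` to the firm's own prompt volume.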
Scrutinize Vendors, Limit Their Access
Data breaches in legal firms are often caused by vendors. Quinn Emanuel Urquhart & Sullivan notified many state attorneys general in July of a compromise involving client data following a ransomware attack on a third-party e-discovery vendor.
First and foremost, according to cybersecurity attorney Spencer Pollock of McDonald Hopkins, law firms need to thoroughly check the cybersecurity of vendors before letting them onto the network. He added, "They also need to demand to know which vendors these vendors are using."
It is also essential to restrict the access of approved vendors, in order to reduce the risk that comes with giving outside parties a way into the firm's network. Some of your printers, for example, may need support from a third party who has to log in remotely. On a flat network, that third party can reach the rest of the network as well, and often with nothing more than a username and password, according to Loehr.
Update Your Anti-Phishing Training
Artificial intelligence is being used by everyone these days, even hackers. Today's professional phishers use artificial intelligence (AI) to create flawless copy and replicate branding, unlike the sloppy or inconsistently written phishing emails of the past that easily revealed the scam.
According to Nelson, "AI can identify specific company images and symbols that are meant to be involved in a transaction." "A phishing email might not be obvious to you today, but there might have been indicators in the past."
PCS is a world-class leader in protecting data & identity for businesses and non-profits. We provide a critical service to businesses and non-profits by managing cybersecurity risks, including ransomware, cryptolockers, phishing emails, and other evolving cyber crimes. See how IT services can benefit your company.