International security authorities spent close to two years pursuing a criminal site called Darkode, where hackers could buy and sell malware meant to steal information. On the international site, which could only be accessed with a referral and a password, hackers advertised and sold their homemade software. Criminals who bought it could steal anything from Facebook follower lists to database account passwords.
The sophistication of Darkode shows just how organized hacking has become. The eventual government takedown didn’t stop the site altogether, either. Darkode was resurrected with improved security, showing that although many people were arrested in the sting, several key players were able to escape prosecution and get back to business.
Law firms are especially tempting to cyber criminals because of the value of the sensitive information stored on their networks. A majority of law firms have experienced some sort of hacking, with law firms that handle government contracts and international business being targeted most often. About 80% of the largest 100 law firms have experienced some sort of violation. The sensitive information on lawyers’ computers can be invaluable to foreign governments, stakeholders and investors, and perhaps most worrisome, criminals.
As quickly as we build new technology to keep criminals out, hackers are working around the clock, and using sophisticated tools like Darkode to penetrate your security.
Why Are Law Firms so Susceptible to Hackers?
Law firms are hesitant to go public and share information because exposing data breaches could compromise their reputation and potential clients’ trust. The problem with this lack of openness is that law firms aren’t able to learn from one another’s experiences. The FBI is currently making efforts to work privately with law firms to learn about their hacking experiences and to offer assistance when firms experience attacks.
Common Hacking Tactics
The leading hacking technique used on law firms is spear phishing, a targeted attack against a specific organization. In a spear phishing approach, hackers spend a significant amount of time researching a company so they can infiltrate it. They may send personalized emails engineered to motivate people to respond quickly. Receiving such an email can’t harm you, but acting on it, whether by replying, clicking a link or opening an attachment, definitely can.
Because of the sophistication and attention to detail involved in spear phishing attacks, these emails are often very believable. Law firms are also especially vulnerable to ransomware, which encrypts a firm’s information and then demands a ransom for its restoration.
Hackers also use social engineering to get into law firms’ systems. Social engineering works because the people who give out the information may think they are giving out harmless information. However, hackers use this seemingly innocuous information to get into accounts and databases. If someone asks where you went to college, you might not bat an eye before answering. However, imagine all the different accounts you’ve signed up for online. Somewhere, the security question might be “What was the mascot of your college?”
Once a hacker uses social engineering to gain access to some of your personal information, they can use it to gain your trust in spear phishing campaigns.
Keeping Your Firm Secure
While it may seem like the biggest law firms would be most tempting to hackers, small firms have also become a target of enterprising thieves. Being attacked by hackers costs firms money, and large law firms invest in security. In contrast, about 90% of small and medium businesses lack any protection on their customer information and email. Because small businesses spend less on security, cybercriminals see them as easy prey.
Treat your electronic information as if it were an extremely valuable asset that criminals are actively trying to take. It is. You wouldn’t leave your actual files outside for anyone to take, so be just as cautious with your electronic records.
Don’t bypass extra security measures. Use them. For example, Gmail’s two-step verification makes it much more difficult for anyone to compromise your account.
Know What to Look For
Learn how to spot unauthentic emails. Keep in mind that hackers are getting smarter at making fake mail look like real mail. Look out for offers that are too good to be true, vague details or addresses, misspellings, and grammatical mistakes. Reputable companies have copy editors. Malicious hackers generally don’t. On the other hand, some of the more sophisticated hackers can afford copy editors too. A professional-looking email can still be dangerous.
Stay Up to Date
Have fire drills. Because hackers are constantly evolving, so must security. Send fake phishing emails to your employees to see how they respond. One of the best things lawyers can do to avoid hacking is to stay educated about the current attack vectors, especially those used against law firms.
It is your responsibility to ensure the safety of your clients’ information.
Use Common Sense
Finally, and perhaps most important, apply the habits you use for your personal accounts to your business accounts. Even if a site does not require a password to contain lowercase and uppercase letters, symbols, and numbers, why not use them anyway? They work. Do not use the same password across all of your sites. Change your passwords often. In the end, building the most secure system in the world is pointless if the password is 1234.
Start securing your law firm’s data today with our 4-Step Computer Security Guide.