A law firm concern - Claremont Graduate University

CYBERSECURITY: A LAW FIRM CONCERN
Allan Mugambi and Noopur Kore
Claremont Graduate University, Center For Information Systems and Technology.
WHY SHOULD LAW FIRMS CARE
Law firms are undergoing a rapid digital evolution.
HIGH VALUE TARGET
• Law firms hold aggregated / summarized data from organizations.
• Law firm clients such as banks and hospitals have their data secured, but law firms are the weak link.
• If a law firm is attacked, the attack will spread laterally to other networks and their data gets compromised too.
SENSITIVE DATA
• Law firms hold volumes of sensitive information.
• They have information on deals, intellectual property, mergers and acquisitions.
• Personal bank, hospital, business or insurance information could be here.
VULNERABILITY
• Law firms have worse security than their clients.
• Some law firms outsource IT capabilities.
• Connectedness and lawyer culture.
EXAMPLES OF LAW FIRM INTRUSION
POTASH HACK
• China-based hackers targeted the law offices of the lawyers working on a deal to have an Australian company acquire the world’s largest producer of potash.
• The acquisition was by an Australian company looking to pay $40 billion for the Canadian firm.
• The attack spread to several law firms and the Canadian treasury ministry.
• It started at a law firm.
PITTSBURGH HACK
• A fired law firm worker retaliated against his employer by using one password provided to him to get through to the law firm's VPN.
• The hacker installed malware that enabled him to capture the passwords of anyone on the firm’s network.
• The hacker, who identified himself as anonymous, later informed the law firm of the security breach, stating that their backup files had been copied and deleted and that the data accessed would be used against the law firm in any way.
• The hacker was arrested and sentenced to two years of probation, community service, and a requirement to notify his employer of the conviction.
PROBLEMS
• Lawyers are susceptible to having valid business correspondence with people they do not know.
• Lawyers, by nature, do business with criminals.
• Lawyers, by trade, are in the business of “responding quickly” and can be easily lured by phishing emails.
• Lawyers place a high value on confidentiality.
• Lawyers access their information mostly over insecure mobile devices.
SOLUTIONS
• Increase security by segmenting the network
– Be careful what data is outsourced.
• Keep sensitive data offline
– Save important files on computers not connected to the Internet where possible.
• Develop a cyber security policy
– Decide whether it is centered on people or centered on policy.
• Instill a culture of security among lawyers
– Watch out for common errors that could render data insecure.
WHAT SHOULD CHANGE
• As law firms undergo a digital transformation, they also need to keep in step with cyber security.
• Digitization of law firms, coupled with digital communication such as rampant use of email, is among the factors contributing to information insecurity for law firm data. Such use should be curbed or an alternative found.
• Clients will continue to demand that law firms improve information security in cyberspace. Hence, law firms should develop infrastructure for security or outsource it.
• Access to sensitive information on wireless devices over insecure connections means greater vulnerability for sensitive information. Law firm employees who have access to this sensitive information should be educated about the vulnerabilities.
CONTACT INFORMATION
Noopur Kore – noopur.kore@cgu.edu
Allan Mugambi – allan.mugambi@cgu.edu