Do The Work

930,000 Law Firm Passwords Are Exposed – It’s Time To Make Cybersecurity A Priority

Without the proper measures your firm may be compromised.

If you’re not making cybersecurity a priority at your firm, I advise doing it now, considering what happened to 500 of London’s largest law firms. According to a just-released white paper by the cybersecurity firm RepKnight:

  • 1.16 million email addresses from these firms were found on the dark web (anonymously hosted websites that are often used for illegal activities).
  • 80% of those addresses came with passwords.

The report said the exposure makes these firms more vulnerable to cyber attacks such as:

  • Credential stuffing, where bots automatically try stolen username and password pairs against login pages until they gain access to an account.
  • Spear phishing, where hackers send an email from what appears to be a trustworthy source to access an account and install malware.

According to the January 23 issue of Infosecurity Magazine, the vast majority of these credentials were taken from third-party breaches such as the one at LinkedIn where, in 2012, it was reported that a hacker stole 6.5 million passwords. Later, it was reported that an additional 117 million were stolen. [1]

This situation gives me pause.

What U.S. law firm credentials can be found on the dark web today? I think law firms should just assume that their information may be compromised, then do whatever it takes to mitigate their risk of a breach. This begins by:

  • Not using your law firm email address to log into third-party websites. Create a personal email address to log into websites like LinkedIn, Dropbox or Facebook.
  • Not using the same passwords over and over. There’s an abundance of free password managers that will generate a complex, unique password for each of your accounts, which makes those accounts much harder to compromise. You only need to remember a single master password.
  • Carefully analyzing emails before you click on any link or attachment. It’s easy for hackers to create emails that look legitimate. It only takes a few minutes for them to find out your firm’s location and specialty, then send you an email offering a free ticket to a regional conference, for instance. Unfortunately, clicking on it could release malware that can cripple your firm and breach your clients’ confidentiality.
  • Ignoring anyone who reaches out to you by chat, email or phone offering IT support. Remember that information technology experts have plenty of work without seeking it out. In fact, it’s better to ease some of the responsibility of IT support by working with a trusted partner to protect your files.
  • Encrypting your emails and files. It’s alarming that, according to the 2017 ABA Legal Technology Survey Report, most law firms with fewer than 10 attorneys aren’t bothering with encryption. If hackers breach such a firm’s data, they can read all of its confidential information. Law firms should be using secure client portals that encrypt documents and emails so they can exchange them with clients securely.
  • Taking advantage of practice management software with security that would be impossible for small law firms to attain on their own. This includes third-party security compliance and certifications, like SOC2, that are used by the world’s leading organizations, as well as multiple servers that have:
      • Discrete locations nationwide
      • 24/7 physical and cyber protection
      • Mirroring so that your data is stored in multiple places – if something happens to one server, you’ll have your information on another.

In the unfortunate event that a virus destroys or seizes the files on your computers, the impact would be minimal because you’d have all your files securely saved in the practice management solution.

Realize that without the proper measures, it’s all too easy for hackers to obtain one of the keys to the system that contains your client data and everything that keeps your law firm operating. By proactively taking these steps, you’re essentially changing the locks, and protecting your firm and your clients.

[1] Franceschi-Bicchierai, Lorenzo. Another Day, Another Hack: 117 LinkedIn Emails and Passwords. Motherboard/VICE, May 18, 2016.

***

Amy Larson is a Director in Small Law Firm Customer Marketing and Firm Central at Thomson Reuters. She has over 17 years of experience in technology marketing with extensive focus on learning how technology can meet the needs of attorneys. Amy has been involved in numerous product launches throughout her tenure, public relations efforts, interviewing customers and telling their stories, and often writes and distributes information on legal practice management.

 
