Law Practice Today | April 2013 | Disaster Prep: Special Issue


The Cyber Challenge Facing the Legal Profession

By Don Byrne and Joseph Booth

The good news is the bad news. Law firms large and small have access to a stunning array of innovative tools and resources to help reduce costs and increase productivity. Email, social media, web technology, and global video conferencing empower law firms of all sizes. Cloud computing and mobile applications enable even small firms to store and access their information from anywhere in the world.

At the same time, this incredible increase in information technology has given rise to a new brand of cyber-criminal, and their numbers are growing. They range from lone actors to nations determined to steal sensitive information. Everything is fair game, from intellectual property to personal financial information. Typical of these intrusions are the denial-of-service attacks that have recently been used to disrupt internet access and interfere with client communication.

Such attacks can have a catastrophic impact on reputation, ruining client trust and confidence. One recent report cited by U.S. Representative Chris Collins (R-NY) claims that nearly 60 percent of small businesses will close within six months of a cyber-attack. Leon Panetta’s warning that the U.S. is facing a cyber-Pearl Harbor was no surprise to information technology professionals at many law firms and enforcement agencies. They’ve been dealing with attacks for years.

A similar warning was echoed in February by ABA president Laurel Bellows, who, in an interview with the ABA Journal, said, “Cyber-attacks are happening thousands of times a day, and some of the most vulnerable targets are law firms, which hold so much information of their clients and serve as ‘gates’ to their clients.”

Industry studies support Bellows’ comments. A report by the Ponemon Institute documented an 81 percent increase in the number of cyber-attacks between 2010 and 2011. In a 2012 study sponsored by the Zurich Financial Service Group, 86 percent of the respondents believed that such malicious attacks pose a moderate to severe threat to their organization. The survey, A New Era in Information Security and Cyber Liability Risk Management, found that only 68.8 percent of responding firms admitted to having any type of IT disaster plan in place and less than a third had cyber liability insurance.

Hackers are increasing the intensity and persistence of their attacks, while broadening their targets. Smaller law firms, in particular, have become cyber criminals’ latest victims. Robert Baumgarten, CIO at Shulman, Rogers, Gandal, Pordy and Ecker in Potomac, Md., recently characterized this change in focus as having “shifted from the server rooms and data centers to the space occupied between the desktop and the chair—to the attorneys, paralegals and administrative assistants.” Unfortunately, the resources available to smaller firms don’t match the challenge facing them, as the number and sophistication of threats increase. An obvious solution to this challenge is to outsource some of the responsibility to organizations with the training and resources to keep up with the ever-changing array of threats. However, surprisingly few firms are adopting this strategy. The Ponemon Institute found that 79 percent of businesses across all industries stated that they would “rely on their own internal information technology department to assess the level of cyber risk exposure.”

What Are They After?

The range and scope of material that cyber criminals target covers every aspect of legal practice. From lists of confidential witnesses to patent applications, seemingly any type of information is of interest. Some organized crime groups attempt to hack into not only law offices, but court systems and even the U.S. Marshals Service. Other groups focus on financial information, especially M&A documents that might provide a negotiating edge or insight into how the financial markets might react to a deal. Any type of intellectual property is high on the list of targeted material, including the results of drug studies, client correspondence, or information linked to possible litigation claims.  

The Way In

While some of cyber crime’s success can be attributed to inventiveness, in many cases the way inside is paved by employees who exercise poor judgment. One technique, known as social engineering, seeks to manipulate an employee into either granting access to an internal network or disclosing a seemingly innocuous bit of information. Clever criminals can later use this tidbit to find a way past network security and to confidential information. Another technique, known as spear phishing, relies on authentic-looking emails to trick users into opening attachments or following hyperlinks to seemingly legitimate websites. Once opened, these files or links secretly install malicious software onto a computer or storage device such as a memory stick. As other computers connect to these storage devices, the virus is inadvertently passed along. Sometimes these viruses are embedded inside downloads of music files or computer games, bypassing normal safeguards.

This latter form of cyber-spying is especially successful when employees naively blur the distinction between business and personal computing. For example, individuals who diligently follow company security policies while at work may let their children surf the web on their PCs while at home, or connect to storage systems that haven’t been properly vetted.

BYOD, the Cloud and MDM

Clients, witnesses, courts, and fellow attorneys now demand near instantaneous communications and use technologies unheard of a scant few years ago. Finding a balance between protecting the integrity of the law firm’s network and meeting the demand for wide-scale connectivity requires finesse and diligence.

The proliferation of user-supplied smart phones, tablet computers, and laptops further complicates the issue. In what is known as the Bring Your Own Device (BYOD) challenge, IT departments must now find a way to maintain security while allowing a variety of digital appliances of unknown configuration, loaded with software from questionable sources, to access and use online corporate assets in an unrestricted manner, from multiple locations. These same devices carried by contractors, guests, and temporary employees further complicate the situation.

A new area of information security has emerged that attempts to bring order, structure, and predictability to the BYOD threat. Mobile Device Management (MDM) is the latest sub-specialty discipline that already over-taxed IT departments are expected to understand and put into practice.

Smart devices aren’t the only new frontier of challenge. As new software development tools come into common use, firms may unknowingly gather and store information about visitor behavior on their websites. For example, some websites automatically collect information that many would view as private. Examples include your identity, how long you linger on each webpage, what you read, actions you take, and where you navigate to after leaving the website. Would anyone find it advantageous to hack into a weblog and review this information about clients or other visitors to your website?

Then there is the movement to the cloud, an amorphous computing environment which is out of the IT department’s direct control. At any time and without prior notice, critical data may be moved from secure servers to locations in other countries where the rules and controls governing access may be lax or virtually non-existent.

The Way Forward

So what should be done? A cyber security plan can be adopted and implemented rather easily. According to the FCC, every business that uses the internet is responsible for creating a culture of security that will enhance business and consumer confidence. The FCC website includes Small Biz Cyber Planner 2.0, which is a 10-step program to greater protection. This resource is a valuable reference that should be periodically consulted, especially by small firms that may lack cyber-security trained IT staff.

Policies govern network access and use. But how often are these policies reviewed and updated? The changing landscape of cyber crime demands constant vigilance and frequent vulnerability assessments. While this level of attention to security can be expensive, the alternative can be disastrous.

Setting up secure networks protected by firewalls and other technological tools is a necessary first step. But the solution to cybercrime will not come from technology alone. Ultimately, security is a management challenge that requires a mix of prevention, mitigation, and quick response to malicious intrusions. Better education of employees, business partners, and clients can help reduce the number and scope of the risk. However, when it comes to cyber security there are no safe harbors, just temporary mooring sites.


About the Authors

Don Byrne is president and CEO of Metrix 411, a web-based measurement and analytics business.
Joseph Booth is the executive director of the Stephenson Disaster Management Institute at Louisiana State University, which seeks to improve disaster response management.
