It is well known that law firms are particularly enticing targets for hackers, given the nature and amount of sensitive material they tend to hold, such as information on business dealings, confidential processes shared with law firms for evaluation, and upcoming transactions that could affect share prices.
Clients and third parties often share all sorts of confidential information online with law firms on a daily basis. The American Bar Association notes that 62 percent of the respondents to a survey in 2021 used cloud applications such as Dropbox and Google Drive for their law practice, including to exchange confidential information with their clients. Meanwhile, QuickBooks Online and its variants have been the main workhorse cloud applications for billing, invoicing, and payments.
But is this confidential online data secure from the threat of unauthorized access? The risks are great, especially for solo and small firms, which lack the resources of larger firms to withstand the costs of a breach. Just look at two numbers:
- 29 percent. Yes, 29 percent of the law firms in the United States have been breached. When you sit down for coffee with two other attorney friends, know that at least one of you is likely at some point to be hacked!
- $108,000. On average it costs a small or medium-sized business $108,000 to recover and clean up after a breach. Malpractice lawsuits, insurance premiums, lost revenue and clients, damage to brand reputation, penalties, and monetary fraud costs can add up quickly.
The Importance of a Secure Login System
Consider the following real-life incident:
Shannon was a solo family lawyer in Connecticut, beloved by clients for an approach so tenacious they called her “El Toro”; and like a real bull, she charged aggressively forward while forgetting to guard her flank. Believing her practice too small to be targeted, she hardly bothered with online security practices . . . until her case management system was breached and she was forced to notify the authorities, her clients, and all related parties that their data had been compromised. . . . El Toro has now slowly and painfully rebuilt trust and business.
This case should remind every law firm about the importance of securing its login credentials from the hands of hackers.
Notably, recent attacks have become more sophisticated. Multi-factor authentication (MFA) and two-factor authentication (2FA), which secure logins to access confidential data and monetary transactions, have become mainstream targets of attack.
Microsoft has reported that between September 2011 and July 2022, more than 10,000 organizations were targeted by a large-scale cyber-attack that bypasses MFA. In light of such numbers, law firms need to go beyond their current MFA schemes, which this new wave of attacks has rendered obsolete.
Underlying Root Cause and the Potency of MFA-Bypass Attacks
In an MFA-bypass attack, a remote hacker or a proxy server (also known as the man-in-the-middle) sits in the communication channel between a legitimate user and the authentication system and waits until the user successfully completes the authentication process. The authentication typically includes a password and the “other” factors, such as a one-time passcode sent via SMS (text message) and/or an out-of-band approval sent via a mobile authenticator app. Once authentication completes, the cybercriminal captures the authenticated session cookies and “replays” them to gain access. In this way, the attacker never needs to steal your password or defeat the other MFA factors in use: the user does that work for them, and only the resulting session is stolen.
While the security community has been shouting “use MFA!”, the hacker community has caught up with this technology, and now we need a way to secure critical online applications with something better than “legacy” MFA protocols.
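As an added illustration that is not part of the original article, the following Python sketch contrasts a legacy one-time passcode check with an origin-bound assertion of the kind produced by FIDO2/WebAuthn security keys: the passcode verifies no matter which site it was typed into, whereas the assertion is rejected whenever the browser was actually talking to a proxy rather than the real portal. The portal hostname, the look-alike proxy hostname, and the HMAC used in place of the authenticator's key pair are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: the legitimate login origin of a placeholder practice-management portal.
RP_ORIGIN = "https://portal.example-lawfirm.test"
# Stand-in for the authenticator's private key. Real FIDO2/WebAuthn uses a per-site
# key pair and a public-key signature; an HMAC keeps this example standard-library only.
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge for each login attempt."""
    return secrets.token_bytes(32)


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """Client side: the browser embeds the origin it is actually connected to in the signed
    client data; a user lured to a proxy site gets the proxy's origin here, and nobody can
    change it afterwards without breaking the signature."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen_by_browser}).encode()
    signature = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(expected_challenge: bytes, assertion: dict) -> bool:
    """Server side: accept only a valid signature over our own origin and our challenge."""
    data = assertion["client_data"]
    expected_sig = hmac.new(AUTHENTICATOR_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    parsed = json.loads(data)
    if parsed.get("origin") != RP_ORIGIN:
        return False  # signed for a different site: a relayed login
    return hmac.compare_digest(parsed.get("challenge", ""), expected_challenge.hex())


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Legacy one-time passcode: nothing binds the code to the site it was typed into,
    so a code forwarded by a proxy verifies exactly like one typed at the real site."""
    return hmac.compare_digest(expected_code, submitted_code)


def demo() -> dict:
    challenge = issue_challenge()
    direct = verify_assertion(challenge, authenticator_sign(challenge, RP_ORIGIN))
    proxy_origin = "https://portal-example-lawfirm.test"  # constructed look-alike host
    relayed = verify_assertion(challenge, authenticator_sign(challenge, proxy_origin))
    otp_relayed = verify_otp("483920", "483920")  # proxy forwards the code unchanged
    return {"direct": direct, "relayed": relayed, "otp_relayed": otp_relayed}
```

The same origin check is what a real relying party performs on the `clientDataJSON` of a WebAuthn assertion, which is why this class of MFA is described as phishing-resistant.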