Hackers turn up the heat on the legal sector

SECURING THE LAW FIRM

25th January 2024


This year has seen a slew of high-profile attacks around the world: what can we learn?

The cyber threat to the legal sector has increased so much that the UK’s NCSC this year released an updated version of its 2018 report on the cyber threat to law firms. The update follows a string of law firm data breaches reported in the past 12 months, most of them outside the UK, but all with lessons for everyone.

 

Firms including Kirkland & Ellis, K&L Gates and Proskauer Rose lost data through breaches, while Gibson Dunn & Crutcher and Loeb & Loeb also reported system breaches.

 

Proskauer Rose was hacked via a third-party Cloud vendor, while an attack on Cave Leighton Paisner exposed the personal data of more than 50,000 current and former employees of food company Mondelēz International – illustrating the extent to which law firms represent a key third-party threat to the world’s largest firms, including systemically important entities such as banks.

 

And an attack on Cadwalader, Wickersham & Taft, the oldest continuously operating legal practice in the United States, put the personal information of over 90,000 clients at risk.

 

The increasing reports of data breaches across several large law firms have come alongside increased attention from states’ national security agencies, with both the UK’s GCHQ and France’s ANSSI recently releasing reports of cyber-attackers targeting the legal sector.

 

As well as the obvious damage to their clients and to their reputations, data and systems breaches also expose law firms to litigation themselves.

 

At least five class action suits have been filed against the law firms mentioned above, with plaintiffs claiming variously that the firms didn’t sufficiently guard against the possibility of cyberattacks or that they failed to make timely disclosures to the ultimate owners of the data.

 

So, are law firms learning lessons? Well, there are concerning signs that they are not.

 

First, as the class action suits suggest, firms seem not to be taking sufficient precautions and also to be dragging their feet on disclosure. When they do disclose, they often refuse to give any details of the attacks.

 

And in at least one case, a firm is even refusing to disclose to a regulator the extent to which a breach has harmed its clients. The Securities & Exchange Commission subpoenaed Covington in January over a 2020 hack that may have resulted in client data being stolen. The firm claims client confidentiality stops it from revealing the facts and 83 US law firms are backing it in its fight.

 

None of this seems consistent with the idea that information sharing is key to defeating the hackers. And secrecy only adds to the impression that not enough is being done at some firms to prevent these kinds of data loss.

 

It’s not just the US. Recently, Australian commercial law firm HWL Ebsworth fell victim to a ransomware attack, with Russian-linked hackers claiming to have obtained 4TB of client information and employee data, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map.

 

So, what can law firms do better? What are the key challenges? And where are the key problems?

 

Securing the Law Firm will look at the latest thinking around legal cybersecurity. As well as presentations from some of the world’s largest firms, we will also be asking how small and medium-sized organisations can keep up with cybersecurity best practice in the sector.

  • Re-thinking email and messaging: is there a better way?

    • From secure web gateways to clever tools designed to let employees flag suspicious emails, technologists have tried to solve the problem of email and message-delivered malware. And they’ve failed.
    • This is still the number one vector for the cyber attacks that cause real damage.
    • Is there another way?
  • Streamlining tools and information: focus on insight

    • To solve their problems cybersecurity teams are told to add ever more tools to their stacks, and ingest ever more internal and external data.
    • And then they are told to somehow aggregate all of that complexity to detect cyberattacks, determine risk metrics and all the rest of it.
    • So how to change the paradigm?
  • Solutions for CISO burnout

    • The number of security professionals on LinkedIn who’ve left without another job to go to is astonishing given the shortage of cyber-talent.
    • Are CISOs being fired for breaches?
    • Are they quitting companies who’ve lied about their commitment to security?
    • How can firms solve this problem?

  • Re-engineering the SOC: the problem of alert overload

    • One specific example of staff overload is the SOC.
    • There are debates over the value of network traffic analysis and other data.
    • Meanwhile SOC teams are flooded with false positives and even ‘smart’ solutions do not alter this calculus very much.
    • Is the answer to outsource or evolve?
  • Fixing Cloud configuration

    • Cloud security is a multi-dimensional problem.
    • But underneath all the technology and complexity, once again it is human error that is likely to cause the most material losses.
    • For large firms with complex hybrid and multicloud environments, this problem is compounded.
    • So, what are the most common errors and how can they be avoided?
  • From awareness to behaviour

    • There’s too much talk of awareness in cybersecurity and not enough talk about actually changing behaviour.
    • There’s too little talk of personal accountability and disciplinary enforcement of security policies.
    • These are controversial statements - but should they be?
    • Isn’t part of the paradigm shift we need a fundamental change in employee responsibility?

Who attends

Job titles

Security Architect
Information Security Senior Analyst
Head of Solutions Delivery
Head of Information Security
Operations Manager, Cyber
Global Information Governance Manager
IT Security Manager
Cyber Security Analyst
Cyber Security Technologist
IT Manager
Info Sec Governance Risk & Compliance Manager
Head of Information Technology
Senior Information Security Analyst
Head of IT Operations
Head of Cyber Security
Chief Information Security Officer
IT Operations and Security Manager
Security Operations Engineer
Head of IT & Operations
Head of IT
CISO
Director of IT
Head of GRC
Cyber GRC Manager
Head of Cyber Security
Security Analyst
Information Security Analyst
IT Risk and Disaster Recovery Manager
Lead Enterprise Architect
Information Security Manager
Information Security Governance Manager
Head of Technology and Security
Head of IT
Lead Cybersecurity Engineer
Information Security Analyst
Head of Information Technology
Security Operations Manager
Cyber Security Manager
Information Security Manager
Senior Business Continuity & Resilience Specialist
Lead End User solutions engineer
Security Architect
Head of Information Security
Chief Information Security Officer
Information Security Officer
IT Manager
Information Security Analyst
Information Security Officer
Information Security Manager
IT Admin and Compliance Officer
Information Security Manager
Director of IT
Senior Manager Business Assurance
Information Security Architect
Head of IT and Information Security Officer
IT Manager
Head of Information Security
Director of IT
IT Director
Director of Information Security
Head of IT
Customer Support Analyst
Information Governance
IT Director
Cyber Security Specialist
Head of IT
Information Security Analyst
Head of IT Infrastructure and Architecture
Chief Information Officer
IT Manager
Director of Risk and Compliance
Cyber Security Analyst
IT and Cyber Security Administrator
Global Info Sec GRC Manager
Head of Information Security
Information Security Manager
Cyber Consulting Director
Director, Risk & Compliance
Cyber Security Manager
Compliance Consultant
Information Security Officer
Cyber Security Engineer
Senior Manager, Platforms and Infrastructure Design
Chief Information Officer
Information Security Officer
Information Security Manager
Unified Communications and Collaboration Services
CTO
Head of Information Security
Data Privacy and Regulatory Compliance Lawyer
Information Security Operations Analyst
Information Assurance Officer
Senior IT Manager
Information Security Manager
Information Security Specialist
SecOps Manager
Risk, Culture and Engagement Lead Specialist
Associate Director - Information Security
Applications Support Specialist
CISO - Corporate Functions
Lead End User Computing Solutions Engineer
IT Manager

Organisations

Walkers Global
Shakespeare Martineau
Gateley Plc
Slaughter and May
Clyde & Co LLP
HFW
The Law Society
HFW
Macfarlanes LLP
Gill Jennings & Every LLP
Shakespeare Martineau
King & Wood Mallesons (KWM)
Horwich Farrelly
Addleshaw Goddard LLP
HFW
Withersworldwide LLP
EIP Europe LLP
Travers Smith LLP
Cains
Beale & Co
Walkers Global
CMS
Dentons UKMEA LLP
Mishcon de Reya LLP
DLA Piper LLP
Taylor Wessing LLP
Travers Smith LLP
Norton Rose Fulbright LLP
Shakespeare Martineau
Wedlake Bell LLP
RPC LLP
Howard Kennedy LLP
RPC LLP
Mishcon de Reya LLP
Forsters LLP
Lightfoots LLP
Shakespeare Martineau
Foot Anstey LLP
Burges Salmon LLP
Clifford Chance LLP
Clifford Chance LLP
Ashurst LLP
Freeths LLP
Clyde & Co LLP
Ashurst LLP
Colman Coyle LLP
Joseph Hage Aaronson
Taylor Wessing LLP
Gateley Plc
Birketts LLP
Ward Hadaway
IBB Law
Brodies LLP
Clifford Chance LLP
Bates Wells LLP
Martin Tolhurst Solicitors
Addleshaw Goddard LLP
Bevan Brittan LLP
Stewarts Law LLP
Morae Global
Wiggin LLP
Birkett Long LLP
Penningtons Manches Cooper LLP
Boult Wade Tennant
Government Legal Department
Russell-Cooke LLP
Shakespeare Martineau
Blake Morgan LLP
Horwich Farrelly
Cadwalader Wickersham & Taft LLP
Dechert LLP
Addleshaw Goddard LLP
Martin Tolhurst Solicitors
Allen & Overy LLP
Mishcon de Reya LLP
Macfarlanes LLP
Mishcon de Reya LLP
Wedlake Bell LLP
RPC LLP
Coole Bevis LLP
Shepherd and Wedderburn
HFW
Hogan Lovells International LLP
Buckles Solicitors LLP
Gowling WLG
Ashurst LLP
Clifford Chance LLP
Hogan Lovells International LLP
Bird & Bird LLP
Dechert LLP
Shakespeare Martineau
Trowers & Hamlins
The Honourable Society of Lincoln's Inn
HFW
Travers Smith LLP
Farrer & Co LLP
DLA Piper LLP
Morae Global
Orrick Herrington & Sutcliffe LLP
Credit Suisse
Clifford Chance LLP
4 New Square

Industries

Legal
Banking
Barristers Chambers


Venue

Park Plaza Victoria, London

Location:
Park Plaza Victoria
239 Vauxhall Bridge Road, London, UK, SW1V 1EQ
Telephone: 0333 400 6140
