Bloomberg News reported last year that 80% of the top 100 law firms had some sort of cyber breach. As those firms have grappled with the task of dealing with those incidents, the rest of the U.S. law firms have been left to wonder – what are the criminals after and could this affect us?
The natural answer is information. Company data. Client data. Employee data. Law firms are full of all the good data. But this answer then leads to the most common response from most firms – we don’t have any information worth stealing. Which, as Brian Hocht of the Cyber Advocate recently pointed out, is just another way of saying “I don’t believe we’re a target.”
If this is true, then we are collectively assuming that the criminals attacking your data know what they’re looking for. Or put another way, that criminals are looking for something specific.
Increasing evidence points to a shifting strategy on the part of cyber criminals towards the collection of more complex data that they do not, in fact, know the value of yet. On March 29, 2016, the Wall Street Journal reported that some of New York’s most prestigious law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, were breached in 2015. These firms represent everyone from Wall Street banks to Fortune 500 companies and certainly possess a very high volume of valuable and sensitive data.
But no one is really sure what they took or why. Authorities suspect insider trading; however, there appears to be no clear evidence that this was the case. The Wall Street Journal article points out that “The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.”
But one key point this breach articulates is that cyber criminals may not know what information they may be able to attain and what its value may be. So they look for soft targets and see what they can find. These are not Zero-Day hackers looking for a quick strike. They are more sophisticated, patient and willing to play the ‘long game’ to see if they can strike real gold.
As the Wall Street Journal article points out, “Hackers often steal large amounts of information indiscriminately and then analyze it later to see how it could be useful.”
So any firm that believes it is not a target needs to know that simply being a law firm now makes it a target.