The good news: the legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry.
The bad news: more than half of law firms are vulnerable to a known attack called DROWN that breaks encryption and exposes communication and information in Web and email servers and VPNs, and a large percentage of law firms scored low security-wise.
"Even though as a sector, legal is performing pretty well in security, we wanted to call out that there are poorly performing firms," says Stephen Boyer, co-founder and CTO of BitSight, which provides a credit-score-style security rating system for various industries. "The story here is not that legal is performing well. The story is there is risk there and if people [in the sector] don't manage that, it could be catastrophic."
On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year's rating of 690.
BitSight maps organizations' online servers and domains, and analyzes potential vulnerabilities, configurations, and publicly disclosed breaches to benchmark security posture. The firm's tools can observe hundreds of thousands of organizations within an industry sector, for example.
For this study, BitSight analyzed 20,153 organizations in finance (8,567), healthcare (4,239), legal (1,269), energy/utilities (2,841), retail (1,900), and government (1,337), and the firm gathered evidence of about 3.6 million malware infections in those industries.
This year's security rating index report drilled down on the legal sector, which had its Stuxnet "moment" with the Panama Papers breach earlier this year. A data breach at Panamanian law firm Mossack Fonseca resulted in the theft of 11.5 million sensitive records from the firm. The International Consortium of Investigative Journalists later released some of the information publicly to expose shell corporations used to evade taxes and for other nefarious purposes.
"Panama Papers really woke everyone up ... and [made them wonder] 'What could that mean for us as a law firm?'"
Some 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular "fire drills" for incident response. The report said firms were confident in their ability to thwart attacks.
"Many firms' confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat," said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst, in a statement. "For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan."
The legal sector long has been considered an obvious, lucrative target for cybercrime and cyber espionage, given the confidential information firms hold about their corporate, government, and individual clients.
Chinese state actors reportedly were behind the theft of partner emails and information from several major US law firms, according to Fortune. One firm lost seven gigabytes of data in a March 2015 hack, according to Fortune's reporting. The attacks likely were standard cyber espionage for competitive gain, the calling card of China's nation-state hacking machine.
The FBI earlier this year warned of cybercriminals attempting to hack law firms for insider trading operations, yet another wake-up call for firms to crack down on security. "The FBI has seen people trying to attack specific law firms," Boyer says.
Meanwhile, BitSight's study found that the energy/utilities sector's security posture is declining. Some 133 organizations in this industry had ratings of 500 or lower. "This is important to note considering previous studies by BitSight finding that companies with a rating of 500 or lower are nearly five times as likely to experience a breach as those with a 700 or above," the report said.
And some 80% of organizations across all industry sectors in the analysis were vulnerable to two known (and patchable) web server flaws, Logjam and POODLE.