Back in 2010, before Wikileaks and similar organisations had ever turned their attention to private corporations, I wrote in Harvard Business Review about the possibility that they could “reveal your corporate brain.” Soon after, the FBI director made the oft-quoted claim that “there are only two categories of companies: those that have been hacked and those that will be.” Today those two categories are merging into one: organisations that have been hacked and will continue to be. From where we stand right now, this is unquestionably true.
What do Volkswagen, Ikea, Jones Lang LaSalle, Citibank, and Caterpillar’s legal divisions all have in common? This summer, the hacktivist group Anonymous took legal action against Russian law firm Rustam Kurmaev and Partners, popularly known as RKP Law, which may have exposed some of their Russian legal work.
In a geopolitical climate of cross-cutting antagonistic goals, law firms are finding themselves to be unique nodes under attack. In the risk community, threat is frequently viewed as a function of capability and intent. It is without doubt possible for groups to get past the IT security measures in place at law firms. For instance, the hackers that brought down RKP Law told the International Business Times that it took them a month to break into the systems and that, each time they were kicked out, they taunted RKP’s IT personnel by sending emails from their bosses’ accounts.
This obviously has political ramifications on the other side as well; I recently wrote about Russia punishing a record number of American lawyers, all of whose law firms are probably in the sights of the Kremlin and its hackers as well. Of course, businesses might suffer collateral damage even if they aren’t the intended targets. It’s important to remember the 2017 ransomware attack on DLA Piper that paralysed the company’s systems and was purportedly traced to a Ukrainian payroll provider compromised by quickly proliferating Russian malware.
Intent is what’s actually changing. In this instance, the businesses mentioned at the top suffer as a result of Anonymous’ decision to target significant Russian organisations following Russia’s invasion of Ukraine. One of those organisations was a law firm that international businesses used for litigation and anti-corruption work, neither of which they would want to see in the public eye.
We’ve witnessed China’s tough response in recent days to a visit from U.S. Speaker of the House Nancy Pelosi to Taiwan, including missile tests near Taiwan and cutting off climate change cooperation. A mutual trade agreement between the United States and Taiwan was just announced this week, which will undoubtedly lead to a great deal of legal work and lobbying on the part of private firms hoping to influence and prepare for such a pact. It is not difficult to envision law firms helping those companies, and in doing so becoming ever more desirable targets for Chinese hackers.
The good news is that a lot of law firms are aware of the risk climate they are in and have put measures in place to try to make it harder for hackers to access their systems. According to the American Bar Association’s (ABA) “2021 Legal Technology Survey Report,” approximately half of the law firms examined have policies in place for data retention, email use, internet use, remote access, and social media, with adoption rising as firm size grows. Of course, this is in addition to the same report’s finding that 35% of law firms with more than 100 attorneys have at some point experienced a data breach.
But what interests me the most is whether corporate clients can accurately gauge the risk they run when working with particular law firms. In the digital environment we live in, a burglar can enter any residence if they want to badly enough, and that makes traditional cyber evaluations inadequate. In order to determine whether the law firms you are working with are also likely to be targets, it is essential to fully comprehend their DNA.
It is very challenging to trust any threat or risk assessment without that kind of analysis. This is akin to saying that because all flag airlines adhere to the same security procedures, the danger of terrorism on a flight is comparable across all of them. Actually, it makes a significant difference whether or not adversaries want to do harm, which obviously depends on a variety of criteria: the country of origin in the case of an aeroplane flight, or, in this instance, the type of work done by a law firm. Did you realise, as in-house counsel, that more than a third of your larger law firms have had a breach? Are there any ways for you to tell which of the law firms you work with are most likely to be targeted and which aren’t? Are you certain that the higher-risk partners are managing your data in a way that would allow you to minimise the effects of an exploit?
Although traditional methods, such as media monitoring of the work your external law firms are performing and firmly raising concerns with them, can also be highly effective, technology solutions like Hence can help you understand everything about your law firms.