BitSight Insights

Don’t Ignore Law Firms: Why Cybersecurity in the Legal Sector Matters

Joel Alcon | December 20, 2016

Vendor security is becoming a focal point of risk management for many organizations. In many ways, this trend started with the 2013 Target breach, which highlighted the extensive financial and reputational impact of a security breach at a third party. Gartner estimates that by 2019, the need for transparency into operational and security activities within a vendor's value network will increase demand for vendor security assessments by 30%.

Despite this trend, organizations may not be doing enough to manage the cybersecurity of all their critical vendors. Law firms, in particular, are among the most widely used third parties, yet the Legal sector may be getting overlooked in vendor security discussions. A recent study by Amárach Research found, for example, that three out of 10 law firms in Ireland had suffered a security breach in the past 12 months, with 38 percent of the country's top 20 law firms being hit.

Exploring Data Security in the Legal Sector

Law Firms are Critical Third Parties
As part of the fourth annual Industry Index Report, BitSight researchers studied over 20,000 organizations across six industries: Finance, Healthcare, Retail, Government, Energy/Utilities, and Legal. The study explored how the cybersecurity posture of the Legal sector has changed over time and whether its security performance should raise concerns for vendor management and information security teams.

Out of more than 1,200 companies examined from the Legal sector, researchers found the second highest percentage of companies with a security rating of 700 or higher, trailing only Finance and in line with Retail. They also found, however, that more than 60 percent of the Legal sector organizations examined were exposed to DROWN (CVE-2016-0800), a cross-protocol attack in which a server that still answers SSLv2 handshakes lets an attacker decrypt TLS sessions protected by the same RSA key, even when the TLS endpoint itself is configured correctly.
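What "exposed to DROWN" means in practice is that some service presenting the organization's RSA key still completes an SSLv2 handshake, and the exposure is worst when it also offers the 40-bit export cipher specs that the general DROWN attack relies on. The following probe is an added illustration written for this page, not BitSight's own scanner or the methodology behind the Industry Index: it builds a raw SSLv2 CLIENT-HELLO, classifies the first record a server sends back, and flags export ciphers. The sample SERVER-HELLO and TLS alert bytes are constructed here so the parser can be exercised offline; the `probe()` helper, host and port arguments are assumptions for a live check.

```python
"""SSLv2 exposure probe (DROWN precondition check).

Added example, not code from the page or from BitSight. The record and
message layouts follow the SSL 2.0 specification; SAMPLE_SERVER_HELLO and
TLS_ALERT_SAMPLE are constructed test inputs, not captured traffic.
"""
import socket
import struct

# Cipher specs a server may list in its SERVER-HELLO (3 bytes each).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export specs: the general DROWN attack needs one of these.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher spec, no session id."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                       # MSG-CLIENT-HELLO
            + b"\x00\x02"                 # CLIENT-VERSION 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # Two-byte record header: high bit set = no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> dict:
    """Classify the first record a server returns to our SSLv2 hello."""
    if len(data) < 2:
        return {"sslv2": False, "reason": "no response"}
    if not data[0] & 0x80:
        # A TLS alert (0x15) or handshake (0x16) record means the server
        # did not answer in SSLv2; anything else is not SSLv2 either.
        return {"sslv2": False, "reason": "non-SSLv2 record 0x%02x" % data[0]}
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg = data[2:2 + rec_len]
    if len(msg) < 11 or msg[0] != 0x04:   # MSG-SERVER-HELLO
        return {"sslv2": False, "reason": "not a SERVER-HELLO"}
    # msg[1] = SESSION-ID-HIT, msg[2] = CERTIFICATE-TYPE, msg[3:5] = version
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", msg[5:11])
    specs_start = 11 + cert_len            # certificate precedes cipher specs
    specs = msg[specs_start:specs_start + specs_len]
    offered = [specs[i:i + 3] for i in range(0, len(specs) // 3 * 3, 3)]
    return {
        "sslv2": True,
        "version": (msg[3], msg[4]),
        "ciphers": [SSLV2_CIPHERS.get(s, s.hex()) for s in offered],
        "export": any(s in EXPORT_CIPHERS for s in offered),
        "cert_len": cert_len,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send one SSLv2 hello to a live host (assumed target) and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_hello(reply)


# Constructed sample: an SSLv2 SERVER-HELLO with a 4-byte placeholder
# certificate, two cipher specs (one export-grade) and a 16-byte connection id.
_SAMPLE_BODY = (b"\x04"                    # MSG-SERVER-HELLO
                + b"\x00"                  # SESSION-ID-HIT = 0
                + b"\x01"                  # CERTIFICATE-TYPE = X.509
                + b"\x00\x02"              # SERVER-VERSION 2.0
                + struct.pack(">HHH", 4, 6, 16)
                + b"CERT"
                + b"\x01\x00\x80" + b"\x04\x00\x80"
                + b"\x00" * 16)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY
# Constructed TLS 1.0 alert record (protocol_version): what a patched
# TLS-only server typically answers.
TLS_ALERT_SAMPLE = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
    print(parse_server_hello(TLS_ALERT_SAMPLE))
```

A negative result on port 443 is not a clean bill of health: DROWN is cross-protocol, so the same RSA key served by an SSLv2-capable SMTP, IMAP or legacy appliance endpoint still exposes the TLS web service. Run the probe against every port that presents the key, and treat any `"export": True` result as urgent.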


Compared to the other industries examined, BitSight found that companies in the Legal sector actually have high security ratings and relatively low rates of the vulnerabilities that could enable man-in-the-middle attacks. Despite these findings, the industry remains a key target for cyber criminals. Attacks have already hit some of the largest law firms representing numerous Wall Street banks and Fortune 500 companies. These firms typically hold a client's intellectual property, financial statements, strategic plans, and even private employee information, so a major breach at a law firm can have an outsized impact on its clients.

Figure: rating-increase-plot.jpg

Understanding the cybersecurity posture of critical third parties has become paramount to today's cybersecurity programs. Our latest Industry Index Report provides recommendations for successful approaches to common data security challenges in the legal sector and beyond. Download the report now to see how you can improve your organization's cybersecurity today.
