Don’t Ignore Law Firms: Why Cybersecurity in the Legal Sector Matters

Vendor security is becoming a focal point of risk management for many organizations. In many ways, this trend started with the Target breach from 2013, which highlighted the extensive financial and reputational impact of a third party security breach. Gartner estimates that by 2019, the need for transparency into operational and security activities within a vendor's value network will drive demand for vendor security by 30%.

Despite this trend, organizations may not be doing enough to manage the cybersecurity of all their critical vendors. Law firms, in particular, are one of the most widely used third parties, yet the Legal sector may be getting overlooked in vendor security discussions. A recent study by Amárach Research found that three out of 10 law firms in Ireland, for example, have suffered a security breach in the past 12 months, with 38 percent of the country's top 20 law firms being hit.

Law Firms are Critical Third Parties

As part of the fourth annual Industry Index Report, Bitsight researchers studied over 20,000 organizations across six industries: Finance, Healthcare, Retail, Government, and Energy/Utilities, and Legal. The study explored how the cybersecurity posture of the Legal sector has changed over time and whether its security performance should raise concerns for vendor management and information security teams.

Out of more than 1,200 companies examined from the Legal sector, researchers discovered the second highest percentage of companies with a security rating of 700 or higher, only trailing Finance and in-line with Retail. They also found, however, that more than 60 percent of organizations examined from the Legal sector were exposed to DROWN, a major SSL/TLS vulnerability.

Compared to other industries examined, Bitsight found that companies in the Legal sector actually have high security ratings and relatively low rates of vulnerabilities that could lead to man-in-the-middle attacks. Despite the findings, the industry remains a key target for cyber criminals. In fact, attacks in this industry have already taken place on some of the largest law firms representing numerous Wall Street banks and Fortune 500 companies. These firms typically have access to a company's intellectual property, financial statements, strategic plans, and even private employee information, increasing the potential impact of a major breach on a law firm.

Understanding the cybersecurity posture of critical third parties has become paramount to today’s cybersecurity programs. Our latest Industry Index Report provides recommendations for successful approaches to common data security challenges in the legal sector and beyond. Download the report now to see how you can improve your organization’s cybersecurity today.