Don’t Ignore Law Firms: Why Cybersecurity in the Legal Sector Matters

Joel Alcon | December 20, 2016

Vendor security is becoming a focal point of risk management for many organizations. In many ways, this trend started with the Target breach of 2013, which highlighted the extensive financial and reputational impact of a third-party security breach. Gartner estimates that by 2019, the need for transparency into operational and security activities within a vendor's value network will drive demand for vendor security by 30%.

Despite this trend, organizations may not be doing enough to manage the cybersecurity of all their critical vendors. Law firms, in particular, are one of the most widely used third parties, yet the Legal sector may be getting overlooked in vendor security discussions. A recent study by Amárach Research found that three out of 10 law firms in Ireland, for example, have suffered a security breach in the past 12 months, with 38 percent of the country's top 20 law firms being hit.

Exploring Data Security in the Legal Sector

Law Firms are Critical Third Parties

As part of the fourth annual Industry Index Report, BitSight researchers studied over 20,000 organizations across six industries: Finance, Healthcare, Retail, Government, Energy/Utilities, and Legal. The study explored how the cybersecurity posture of the Legal sector has changed over time and whether its security performance should raise concerns for vendor management and information security teams.

Out of more than 1,200 companies examined from the Legal sector, researchers discovered the second-highest percentage of companies with a security rating of 700 or higher, trailing only Finance and in line with Retail. They also found, however, that more than 60 percent of organizations examined from the Legal sector were exposed to DROWN, a major SSL/TLS vulnerability.


Compared to other industries examined, BitSight found that companies in the Legal sector actually have high security ratings and relatively low rates of vulnerabilities that could lead to man-in-the-middle attacks. Despite the findings, the industry remains a key target for cyber criminals. In fact, attacks in this industry have already taken place on some of the largest law firms representing numerous Wall Street banks and Fortune 500 companies. These firms typically have access to a company's intellectual property, financial statements, strategic plans, and even private employee information, increasing the potential impact of a major breach on a law firm.

Understanding the cybersecurity posture of critical third parties has become paramount to today’s cybersecurity programs. Our latest Industry Index Report provides recommendations for successful approaches to common data security challenges in the legal sector and beyond. Download the report now to see how you can improve your organization’s cybersecurity today.
