How Law Firms Can Help Ensure Data Security Amid Growing Client Concerns

When one thinks of enticing and lucrative hacker targets, law firms likely aren't the first to come to mind. In fact, they may not even make the list.

But starting more than five years ago, federal authorities began specifically warning legal entities about their attractiveness as targets - and their vulnerability - to hacker intrusions. Law firms typically hold a stockpile of sensitive data relating to their clients. And depending on the type of firm, those clients may be businesses that generate international interest around matters like acquisitions and patents.

Despite the warnings, the legal industry is still lagging when it comes to data protection. As a result, firms are facing increasing pressure to button up their cybersecurity posture - not only from authorities, but now also from their clients.

Much like any third-party relationship, law firms sign agreements with their corporate clients. And now those clients, including Wall Street companies, are demanding law firms undertake security measures and show proof of their ongoing security and monitoring, according to a recent article in The New York Times.

Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.

So what can law firms do to both protect the sensitive information in their control and ensure their data, network and application security is up to snuff in the eyes of their clients? Here are seven suggestions:

1. Conduct a Risk Assessment

Your clients are going to ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where your confidential data, including information contained on mobile devices, could be at risk for exposure.

2. Deploy Advanced Security Defenses

Targeted, socially engineered emails, typically known as spear phishes, are a common ruse used by criminals to establish a foothold on law firm networks. To combat these attacks, consider security gateways specifically designed to protect your business in real time from threats like malware, zero-day vulnerabilities and data loss.

3. Secure Your Apps and Databases

Your most valuable data lies in your databases. Companies traditionally fail to focus enough attention on the application and database layers. Ensure these entryways to and repositories of critical data are locked down from an access and encryption perspective, are regularly scanned for vulnerabilities and misconfigurations, and are properly patched.

4. Have a Breach Response Plan in Place

Face it, breaches are going to happen. The key to mitigating the damage is detecting an intrusion and responding quickly. This requires having an actionable incident readiness and response plan in place (and many large corporate clients are asking for these plans specifically). Also consider proactive breach detection investigations, which are designed to determine whether your firm has already been breached or whether a suspected attack is currently under way.

5. Consider Help From a Managed Security Services Provider

Your core competency is representing your clients - not securing your infrastructure. Our 2014 Security Pressures Report, which surveyed more than 800 IT professionals, showed that most organizations are reeling from budget constraints, skills shortages and time limitations when it comes to security. A managed security services provider can provide the help you need, while allowing you to concentrate on your business.

6. Establish or Improve Your Security Awareness Program

As noted above, criminals often rely on social engineering to trick users into downloading attachments or following links contained in an email. As such, train your employees to be on the lookout for fraudulent communications that might look legitimate, but aren't. They also should be mindful of other risks, such as transferring sensitive client data onto easy-to-lose memory sticks or sending emails containing confidential files to computers outside of the corporate firewall.

7. Reference Industry Groups

While admittedly lagging other industries, the legal community has a number of trade groups that are taking data security more seriously. For example, the International Legal Technology Association recently formed LegalSEC, an initiative whose primary goal is to introduce the legal field to the ISO 27000 series of standards. The American Bar Association also has provided resources.

Dan Kaplan is manager of online content at Trustwave.