It's (sometimes) who you know

Given the media focus on phishing and ransomware attacks, it’s no surprise that law firms are often focused solely on defending against the kinds of attacks that resulted in the Kirkland & Ellis, K&L Gates,Proskauer Rose and HWLE breaches. And the threats that can give rise to attacks such as these should certainly feature in a law firm’s risk identification and treatment plan. However, a sinister danger that lies closer to home is sometimes overlooked and often harder to address: Insider threats.

Within the context of law firms, the term “insider threats” refers to the potential for compromise within the organisation, specifically those threats associated with employees, contractors, or third-party vendors who misuse their authorised access to sensitive data, systems, or networks, either maliciously or unintentionally.

Insider threats, as we’ll see below, are often hard to manage and if realised as part of an actual attack, can lead to the compromise or exfiltration of confidential client information, intellectual property, or other privileged data, resulting in significant financial, legal, and reputational consequences for the law firm and its clients. Obviously, the consequences associated with a successful insider attack can be extremely serious, for both legal practices and their clients.

So what makes an insider threat?

Insider threats in law firms manifest in various forms. Disgruntled employees seeking revenge, negligent staff members mishandling sensitive data, or malicious insiders driven by financial gain all pose significant risks. The repercussions of insider breaches can be severe, ranging from reputational damage and loss of client trust to regulatory penalties and legal liabilities.

In 2024, the netdocuments company released an analysis of data from the UK Information Commissioner’s Office (which is analogous to Australia’s OAIC). That analysis showed that 60% of law firm data breaches were a result of insider accidental or malicious behaviour. As netdocuments noted in their report:

• 37% of breaches occurred from sharing data with the wrong person.
• 27% occurred from phishing and ransomware attacks.
• 12% occurred from losing data.
• 39% occurred from human error.

The exact percentages vary by report but it’s worth noting that according to the preceding summary, 39% of insider-facilitated breaches were associated with human error, and so may not have been malicious in nature. A report by the Ponemon group backs this observation up: That report notes that most insider events are caused by negligence rather than malice, with the report noting that 56% of insider attacks were due to mistakes such as failing to secure an endpoint, ignoring corporate security policy, or missing a scheduled/required patch management or upgrade cycle.

But whether the insider is malicious or negligent is somewhat of a moot point since, at the end of the day, the firm must still assess and manage the level of associated risk, or accept the consequences of failing to do so. Risk, you’ll remember, is associated both with likelihood and consequence and as noted in this report, the level of implicitly accepted risk is in general too high, with 51% of surveyed legal firms indicating that they are not confident in their threat detection and response capabilities.

So where to from here?

Law firms handle highly sensitive and privileged information, making the protection of client data a top priority. To combat insider threats, law firms must adopt a multifaceted approach that addresses both technical controls and human factors.

When considering human factors, background checks for new hires and third-party vendors, and periodic re-checks (especially for privileged employees) are crucial to mitigate the risk of malicious insiders. In addition, investing in comprehensive employee training programs to raise awareness about cybersecurity best practices and the consequences of data mishandling is essential when it comes to reducing the risk of an accidental insider-led breach.

Fostering a culture of cybersecurity awareness and accountability, along with providing clear channels for reporting suspicious activities, can help identify potential insider threats early on.

When considering technological controls, firms will need to use a risk-based approach when navigating the maze of technology sales. For example, implementing appropriate access controls and encryption measures is crucial to safeguard confidential information from unauthorised access, but cryptographic key management procedures and mechanisms are often overlooked. Data loss prevention (DLP) solutions can help prevent the accidental or intentional exfiltration of sensitive data by insiders, but only if robust and complete logging and monitoring solutions alert administrators to anomalous user activities that may indicate an actual breach. And finally, Managed/Endpoint Detection and Response (M/EDR) can help as well, but only if strong authentication mechanisms are combined with robust endpoint device and connection management.

In conclusion then, it is important that law firms identify and mitigate the risks posed by insider threats. The consequences of a single insider breach can be serious, with the potential to destroy client trust and damage a firm's reputation in the long term. Contact us today to learn more about our comprehensive cybersecurity solutions and let us help you fortify your defences, protect your clients, and secure your firm's future against the silent enemy lurking within.