It is up to law firms to protect both themselves and their clients with security measures that keep up with increasing risk. The firm can’t risk losing the trust of its clients. Here are some important ways that individual lawyers, and their firms, can improve the security of the information entrusted to them. Law firms need to stay sharp because corporate security is getting harder,not easier. At the same time, companies are starting to recognize that information security is a fundamental business issue—one that demands an increased focus on cyber resilience, not just security. The reason is simple: criminals and state-sponsored attackers are targeting intellectual property, customer information, and avenues for business disruption. That makes law firms an ideal target. To learn how you can locate and get a more complete picture of people and businesses across the U.S., visit http://www.lexisnexis.com/publicrecords. For more topics that are transforming the legal industry, visit http://www.thisisreallaw.com.

1. Hacker Defense: How to Make Your Law Firm
a Harder Target
A LexisNexis® White Paper

2. Highlights
Choose Strong Passwords
•
Criminals and state-sponsored attackers are targeting intellectual
property, client information and avenues for business disruption.
•
It is up to law firms, which are attractive targets for hackers, to protect
both themselves and their clients with security measures that keep up
with increasing risk.
•
IT security policy needs to intelligently define who has access to
which resources, and clearly outline and enforce the consequences
of violations.
Even though hackers can now employ powerful software to try to crack
computer passwords, many times they don’t need to; they can simply guess.
That’s because even in our high-tech world, most people still choose lousy
passwords. For years, “password” has been far and away the most popular
choice,3 with “123456” holding a close second in rankings. Even lawyers can’t
feel too superior to the average person: in 2012, for example, a large law firm
was hacked, partly due to its password policy in which login credentials were
simply “law321”,4 preceded by the user’s initials. That’s not much better.
To get an idea of how tough your password is, it’s worth testing it.5
•
Other best practices include using strong passwords that are changed
on a regular schedule.
•
To further keep the trust of clients and colleagues, legal professionals
should be particularly wary of potentially compromising email
attachments and other material received from unfamiliar or
untested sources.
Introduction
In security, you are only as strong as your weakest link. A 2012 report of an
FBI investigation1 suggested that a company’s weakest link might be its law
firm. Every law firm keeps valuable and sensitive information on each of its
clients—information that hackers would love to obtain. And that makes the
firm an attractive target.2
It is up to law firms to protect both themselves and their clients with security
measures that keep up with increasing risk. The firm can’t risk losing the trust
of its clients. Here are some important ways that individual lawyers, and their
firms, can improve the security of the information entrusted to them.
Hacker Defense: How to Make Your Law Firm a Harder Target
Change Passwords on a Schedule
It is also much harder for hackers to hit a moving target. Even if your IT
department doesn’t require it, you should change your password regularly. Set
yourself a reminder every 90 days or so and stick to a schedule. It may seem
like a lot of work for a seemingly invisible reward, but the stakes involved make
it too important to skip. Choose strong passwords and change them regularly
for the same reason you go to the dentist or get the oil changed in your car: the
hassle is well worth it to help prevent the potential long-term downside.
Be a Healthy Skeptic
Thanks to popular movies, many people imagine that hacking goes on
invisibly, with guys in basements directly accessing top-secret databases,
typing in lines and lines of code. In reality, hacking computers is very hard. It is
much easier to hack people. Often, a hacker exploit looks more like this: you
receive an email from what seems to be a new colleague at your client’s
office. Attached in the email is a link to a document. You click on the link, and
perhaps you read the document. Later, you find out your client files have
been compromised and your firm’s name is in the news. That’s how hackers
have operated internationally in recent years and duped employees of
several law firms6 to compromise their own security.

3. As a legal professional, and as someone who has the access to information
that a hacker would love to have, it’s up to you to be an extreme skeptic. Discs,
drives, emails and even documents from established as well as unknown
sources should all have to prove themselves before you do anything with
them. Technology changes so fast, it’s almost impossible to tell how a hacker’s
exploit might arrive. As a result, it’s up to you to look at what you can find out:
what’s the source, have you seen it before and is it vetted in some way? If you
aren’t sure, report it to your IT department ASAP. That goes for unexpected
phone calls too.
Stay on a “Need to Know” Basis
The IT department that won’t give you access to something may actually be
doing you a favor. First of all, the fewer people have access to an asset, the
safer that asset is. High-risk assets, and the people with access to them, need
to be watched more closely. That can mean more oversight and procedure,
which might slow you down.
Law Firms Need to Keep the Trust of their Clients
Law firms need to stay sharp because corporate security is getting harder,
not easier. At the same time, companies are starting to recognize7 that
information security is a fundamental business issue—one that demands an
increased focus on cyber resilience, not just security. The reason is simple:
criminals and state-sponsored attackers are targeting intellectual property,
customer information, and avenues for business disruption. That makes law
firms an ideal target. With increased threats, clients will be more careful about
choosing partners that they can trust. The solution can’t rely only on user
behavior. People will continue to choose their pets’ names as passwords, and
none of those names will be something really secure like “C”^S=K~=y-”5(ss”.
In response, law firm partners and their IT departments need to leverage
technologies and create policies that protect themselves and their clients.
Security policy needs to intelligently define who has access to which
resources, and clearly outline and enforce the consequences of violating
that policy. It also needs to protect from both the inside and the outside,
with strong network security, usage monitoring, intrusion detection and
sophisticated reporting.
Hacker Defense: How to Make Your Law Firm a Harder Target

4. The Solution for Legal Professionals
LexisNexis® Public Records, with its unparalleled search, analytics and
reporting technologies, can uncover hidden connections—even when entities
don’t have a record in common—and raise red flags to help you improve your
due diligence efforts.
To learn how you can locate and get a more complete picture of people
and businesses across the U.S., visit www.lexisnexis.com/publicrecords.
For more topics that are transforming the legal industry,
visit www.thisisreallaw.com.
This document is for educational purposes only and does not guarantee the functionality or features of LexisNexis® products identified. LexisNexis does not
warrant this document is complete or error-free. If written by a third party, the opinions may not represent the opinions of LexisNexis.
1
Lynne Ahearn, “FBI’s look at electronic espionage uncovers
law firms lack of data security,” WGA InsureBlog, March 22,
2012, http://blog.wgains.com/2012/03/22/fbis-look-at-electronicespionage-uncovers-law-firms-lack-of-data-security/.
3
Erica Ho, “The 25 Most Popular (and Worst) Passwords
of 2011,” Time, November 22, 2011, http://techland.time.
com/2011/11/22/the-25-most-popular-and-worst-passwords-of2011/#ixzz2n0xWNIyl.
2
Jennifer Smith, “Lawyers Get Vigilant on Cybersecurity,” The
Wall Street Journal, June 26, 2012, http://online.wsj.com/news/
articles/SB10001424052702304458604577486761101726748.
4
Elinor Mills, “Hackers vow ‘hellfire’ in latest major data leak,”
C|Net, August 28, 2012, http://news.cnet.com/8301-1009_357501931-83/hackers-vow-hellfire-in-latest-major-data-leak/.
5
Microsoft, Safety & Security Center, https://www.microsoft.com/
security/pc-security/password-checker.aspx.
6
Mike Mintz, “Cyberattacks on Law Firms – a Growing Threat,”
Martindale.com Blog, March 19, 2012, http://blog.martindale.
com/cyberattacks-on-law-firms-a-growing-threat.
7
Deloitte, “Technology, Media & Telecommunications Firms
Boost Cyber Resiliency via Strategic Security Initiatives,
Alliances and Training,” January 18, 2013, http://www.deloitte.
com/view/en_US/us/press/Press-Releases/259bed453824c310
VgnVCM2000003356f70aRCRD.htm.
LexisNexis, martindale.com and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Other products or services may be trademarks or registered trademarks of their respective companies. © 2014
LexisNexis. All rights reserved. BMH00414-0