What Law Firms Should Learn From the SolarWinds Hack

A single intern collapsed US cybersecurity. That’s one lesson from the SolarWinds hack. The greater lesson is that the vulnerability was known a year earlier, and nobody took any action.

The news started dripping out in December 2020.

The Pentagon had been hacked. Homeland Security was hacked. The list is extensive:

  • Department of Energy
  • National Nuclear Security Administration
  • U.S. Department of the Treasury
  • Microsoft
  • Cisco
  • Intel
  • Deloitte
  • And the list goes on…

The hackers had been in these systems for months and nobody knew it.

This was one of the largest breaches in history. But it didn’t happen through sophisticated algorithms using high-powered computers to crack passwords. No, it was a single act of carelessness by one person.

An intern at SolarWinds set a password to solarwinds123 – and that’s how the hackers got in.

Why Small Law Firms Should Care

“I’m just a small law firm. I’m nobody’s target.” But that’s not true.

The overwhelming majority of cyberattacks hit small and medium-sized businesses (SMBs). First, because SMBs are easier targets due to less sophisticated security. Second, because there are more SMBs than Fortune 1000 companies. There are exactly 1000 companies in the Fortune 1000. After exhausting this list, hackers must look for volume. And the data shows it.

Small dry cleaners have been the victim of ransomware attacks. A mobile snow cone stand faced thousands of dollars in liability from a data breach. One fact is inescapable.

Attorneys handle privileged information. And that creates an opportunity for malicious actors to extract value from law firms.

But the sensitive information itself isn’t the only reason law firms are common targets for cyberattacks. The legal industry has other specific vulnerabilities:

  • Many law firms have old or outdated systems that haven’t kept up with newer security measures.
  • Law firms are especially vulnerable to phishing and email attacks because a vast majority of their information (sensitive or not) is sent through email. Hackers also use phishing and email attacks to gain access to other information a firm might be storing, which could leave hundreds of files unprotected.
  • Many law firms use cloud-based storage systems, which can create an easy “in” for hackers if the firm doesn’t fully understand the setup and privacy settings.
  • Law firms rarely put the time, effort and money into a proper IT department/person. This results in many law firm cybersecurity decisions being made by someone who is not an expert in the field.

Don’t neglect the second lesson from the SolarWinds attack.

The First Lesson From SolarWinds Is It Only Takes One Person

Who would have guessed in 2017 that one of SolarWinds’ current interns would lay the groundwork for such a devastating attack? The impact was devastating.

Company officials were dragged before congressional hearings. It offered little comfort as they testified that the “solarwinds123” password violated their password policy.

The publicity of the attack created customer issues. Now they had to explain to 18,000 current customers what happened and what they were doing about it.

Possibly the greatest sting for any public company hit instantly.

The stock price dropped like a rock from over $23 a share to just over $14 a share. Billions of dollars of market capitalization vaporized as the news hit the wires. And even six months after the revelation of the attack, the stock is still hovering around $17 a share.

Who would have guessed that an intern had that kind of power … the same power any of your employees or contractors have over your business?

The Second Lesson Is the Vulnerability Was Known and Ignored

The “solarwinds123” password was discovered publicly on the internet in 2019 by an independent security researcher. And he warned SolarWinds of the vulnerability.[1]

Yes, it could have been prevented. But even after the warning, SolarWinds took no action.

You’ve already been warned. Small and medium-sized businesses are overwhelmingly the victims of cyberattacks. You have privileged and sensitive information that others want to exploit. And you have employees and contractors who will click on malicious links and use ineffective passwords that violate your password policy. Your risk is real.

Will you ignore the issue – like SolarWinds – until it blows up? Or will you heed the warning?

Here are a few resources to help you make your choice:

We also recommend you get our free Ransomware Response Kit and get dedicated Cyber Liability Insurance.

[1] Former SolarWinds CEO blames intern for "solarwinds123" password leak | CNN Politics