Understanding the dangers of mobile working for law firms
Mobile working: Even before smartphones were introduced, lawyers and legal staff were already using mobiles to stay on top of casework.
Almost 10 years ago, 91% of lawyers surveyed by the American Bar Association said that they used smartphones in their law practice, with 49% reporting that they also used tablets for work. Now, thanks to developments in smartphone and tablet technology, law firm staff can be just as productive outside the office environment. However, such mobile and tablet use also introduces a number of risks to law firms, which have become a prime target for cybercriminals.
The dangers of mobile devices
Mobiles are preferred targets for hackers as they are easy to compromise when left unsecured, with 60% of the world’s cyberattacks being initiated on these handheld devices. Unfortunately, the number of mobile attacks will likely increase as mobile technology becomes further intertwined with our lives. The reason is that people have learnt to trust them. After all, our mobiles know us better than anyone else. They are also part of most, if not all, of our daily activities, never leaving our side, meaning that users interact with message content far more quickly on mobiles than on other devices. Therefore, when mobile users receive scam calls, which is every second call, or texts that include phishing links, they are more likely to trust them and interact with the links.
Furthermore, mobiles are becoming more aligned with both our personal and work lives. It could be said that the lines between these two worlds are blurring, which is having an effect on the susceptibility of our devices. With mobiles being used for both work and personal activities, a trend that has been exacerbated since the pandemic, individuals are more likely to install apps for personal use, such as social media apps, on devices that are also used for work purposes.
While having apps such as Facebook or Clubhouse installed on work-related mobiles may seem harmless, it in fact could put your organisation out of compliance or give bad actors an additional avenue to compromise your data. Social media apps are continuously used as an avenue for hackers to leverage phishing scams. This is because users are more likely to trust the content they see or receive on social media, and the facts prove this as almost 80% of organisations have experienced social media phishing attacks.
Apps are also prone to vulnerabilities, with 12,000 popular Android apps containing undocumented backdoors. If these vulnerabilities are left unpatched, users will be exposed to malicious attackers, and even when patched these apps cannot stop users from being tricked into downloading fake apps posing as official apps, which may have malware embedded in them.
Moreover, mobiles are unlikely to have the same protection installed on them that traditional work devices, such as desktops, have. Once an endpoint device is off the company network, it is no longer protected or compliant… Shockingly, 40% of Androids worldwide no longer receive security updates, while most company computers have security software installed on them with automatic updates switched on, making mobiles an easy target for cybercriminals.
Why law firms are most at risk
It is well documented that law firms handle copious amounts of sensitive information, including corporate intellectual property, financial information, and clients’ personal data such as personally identifiable information (PII) and personal health information (PHI).
We’ve witnessed the high-profile cyberattacks against international law firm Grubman Shire Meiselas & Sacks at the end of 2020. The ransomware attack likely impacted the company greatly, both financially and reputationally. Given the hostile digital landscape law firms operate in, they are an attractive target for cybercriminals who wish to exploit and extract sensitive data for their monetary gain.
This makes law firms’ mobile devices an especially lucrative target for malicious actors, as all of this information is accessible by the firm’s staff via their smartphones and tablets. These devices also have cloud productivity suites like Office 365 and Google Workspace installed on them, which allow legal staff to access and collaborate on sensitive data while on the go. This could put case documentation at risk and cause a violation of lawyer-client privilege if any of those documents are leaked through a malicious attack on the mobile. Therefore, as mobiles are especially susceptible to cyberattacks and lawyers’ mobiles contain incredibly sensitive and confidential data, extra steps must be taken to protect these devices and limit the risk of data theft from employees’ mobiles.
How law firms can protect their devices
One of the first things any law firm must do to combat mobile threats is to ensure their ongoing IT training incorporates best practices for securing mobile devices. Unfortunately, it is hard to identify signs of phishing on mobiles as the mobile user experience is designed for simplicity and a smaller screen. It also doesn’t help that users can be phished in a number of ways. Therefore, user education is critical to ensure staff are aware of the signs of mobile phishing. Similarly, users must understand that mobile apps that may look harmless from a personal standpoint can add risk to a firm. Many of the permissions and data access controls in an app could violate an organisation’s governance, risk and compliance requirements.
At the end of the day, legal staff are human and will therefore likely make mistakes. Proper training will go a long way to reduce the risk, as will having dedicated mobile security in place that is noninvasive, offers user privacy and, most importantly, prevents common cyberattacks. With most legal practitioners operating away from the office, either at home or on the go, the traditional security methods implemented in office environments aren’t enough. So, everyone is encouraged to rethink how they can enable mobility while keeping sensitive data secure.
Written by Hank Schless, senior manager of security solutions at Lookout.
Kindly shared by Lookout