Reporting on the cooperative effort of Wall St. and law firms to bolster online security, The New York Times’ Mathew Goldstein (@mattgoldstein26) reports:
Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies and intellectual property.
What law firm sites may be the most susceptible to hacking? Blogs. Particularly blogs set up and maintained by law firms themselves.
WordPress and other content management systems used by law firms for blogs can be inherently insecure. From Mark Wilson at Tech Beta News:
A large proportion of websites are not standalone sites in their own right, but creations based on CMSs such as Drupal, WordPress, and Joomla. This is particularly true for personal blogs, but using a CMS as the basis for a site has been increasingly popular among larger companies. CMSs are used because they allow for articles to be posted easily, make it simple for multiple people to contribute to a site, and allow for different users to be assigned different access rights. They can also be extended through the use of plugins, but these self-same extensions are also a security disaster waiting to happen.
Large law firms are similarly attracted to WordPress because of the apparent ease of setup, ease of use by lawyers and the ability to add features via plug-ins.
It’s this extensibility and the plug-ins developed by third parties which give rise to insecurity. Who is vetting the plug-ins? Who is updating the plug-ins as needed? Can you reach the developers of the plug-ins when problems arise?
WordPress knows that it is susceptible to hacking and security concerns, things WordPress addresses quickly with new and improved versions.
Not only do the plug-ins raise security risk themselves, but they make it harder to keep your blogs on the latest version of WordPress. Plug-ins often create problems when one goes to install the latest version of WordPress. In some cases the plug-ins make updating to the latest version of WordPress impossible altogether.
Hackers are not indiscriminate in their attacks. In the case of law firms, hackers will be looking to obtain admin privileges to blogs and by doing so pick up user names and passwords of the lawyers and other law firm administrators. With this data in hand, hackers will look to use the same user names and passwords in order to access confidential data on other law firm sites and server environments.
Running WordPress blogs in a cloud environment does not have to be risky. The key is vetting plug-ins and/or developing your own plug-ins and upgrading to the latest version of WordPress as WordPress is upgraded — among other things.
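The vetting and update hygiene described above can be checked mechanically rather than by memory. The following is an added example, not code from the original post or from WordPress or WP-CLI: it reads the JSON that `wp plugin list --format=json` and `wp core check-update --format=json` emit and reports plug-ins with updates available, plug-ins that are installed but inactive (code on the server with no benefit), and whether core is behind. The plug-in names, versions and the core release shown are constructed sample data; the field names assumed (`name`, `status`, `update`, `version`, `update_version`) are those WP-CLI prints, and in practice you would pipe the live output of those two commands into the functions.

```python
"""Audit WordPress plug-in and core update status from WP-CLI JSON output.

Added example with constructed sample data; not part of any real site or of WP-CLI.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `wp plugin list --format=json`
# (assumed fields: name, status, update, version, update_version).
SAMPLE_PLUGIN_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": None},
    {"name": "contact-form-example", "status": "active", "update": "available",
     "version": "1.4.2", "update_version": "1.5.0"},
    {"name": "old-gallery-example", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "2.1"},
])

# Constructed sample in the shape of `wp core check-update --format=json`;
# an empty list would mean core is already current.
SAMPLE_CORE_JSON = json.dumps([
    {"version": "6.5.2", "update_type": "minor",
     "package_url": "https://example.invalid/wordpress-6.5.2.zip"},  # placeholder URL
])


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically ('1.10' > '1.9')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_plugins(plugin_json: str) -> Dict[str, List[str]]:
    """Classify plug-ins into findings a site owner should act on."""
    findings: Dict[str, List[str]] = {"outdated": [], "inactive": [], "current": []}
    for p in json.loads(plugin_json):
        name = p["name"]
        # Inactive plug-ins still ship code to the server: attack surface with no benefit.
        if p.get("status") != "active":
            findings["inactive"].append(name)
        latest = p.get("update_version")
        # Trust the explicit "update" flag, but also compare versions in case the flag is stale.
        if p.get("update") == "available" or (
            latest and parse_version(latest) > parse_version(p["version"])
        ):
            findings["outdated"].append(name)
        else:
            findings["current"].append(name)
    return findings


def core_behind(core_json: str, installed: str) -> bool:
    """True if WP-CLI reports a core release newer than the installed version."""
    return any(parse_version(u["version"]) > parse_version(installed)
               for u in json.loads(core_json))


def report(plugin_json: str, core_json: str, installed_core: str) -> List[str]:
    """Human-readable lines summarising what needs attention."""
    lines = []
    f = audit_plugins(plugin_json)
    if core_behind(core_json, installed_core):
        lines.append(f"CORE: {installed_core} is behind; update available")
    for name in f["outdated"]:
        lines.append(f"PLUGIN OUTDATED: {name}")
    for name in f["inactive"]:
        lines.append(f"PLUGIN INACTIVE (remove if unused): {name}")
    if not lines:
        lines.append("OK: core and all plug-ins current, nothing inactive")
    return lines


if __name__ == "__main__":
    # Installed core version is a constructed value for the sample run.
    for line in report(SAMPLE_PLUGIN_JSON, SAMPLE_CORE_JSON, "6.5.1"):
        print(line)
```

Run it from cron or a CI job against the live WP-CLI output and treat any `OUTDATED` or `CORE` line as a ticket; a plug-in that cannot be brought current without breaking the update path is exactly the one this post warns about.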
Large law firms do not have the luxury that smaller law firms may have in tinkering with blog software and development. Large law firms, by who they are and who they represent, are targets. Large firms have the confidential info hackers are looking for.
As I have blogged before, running blogs on your own is an assumption of risk. Risk that you may not want to assume.
Image courtesy of Flickr by Kris Krug