Special Guest: Joseph Marquette
For lawyers and law firms, there’s no one standard for the adoption of technology. There are about one million. Unfortunately, this idiosyncratic approach has consequences in the realm of cyber security.
Cyber Security in the Law Firm
The practice of law has not historically relied on technology. As a result, many law firms have not made technology adoption a central element of their practice. The rate and type of technology adoption in any one law firm generally depends on how effectively that firm’s decision makers believe new technology can help their practice. Other firms, whether because of personalities or business practices, simply aren’t going to jump on the technology bandwagon.
As far as cyber security goes, most law firms track this same idiosyncratic approach. Depending on whether the attorneys in the law firm have a fundamental understanding of the threats, any individual law firm may be significantly ahead of or behind the curve in responding to cyber threats.
What are the biggest Cyber Security threats that law firms face?
The best way to understand how law firms should address cyber security is to look at the potential threats. Unfortunately, there is an attitude problem: most lawyers want to talk about cyber security only in terms of their ethical obligation to protect confidential information.
That is to say, lawyers tend to view cyber security ONLY as a tool to prevent data theft, ignoring the other motives behind cyber attacks.
Unfortunately, the threats lawyers fear simply don’t match up with the way the world works. The motive behind almost all hacks is financial. There are three primary purposes behind cyber attacks:
1) Financial Motive
Most cyber attacks – and it’s apparently not even close – are about trying to get access to financial resources. Hackers will try to get your money in one of two ways – either get your credentials and drain your account directly, or use malware to extract some ransom from you.
This particular threat is largely ignored by law firms, particularly smaller firms who (for some reason) believe they don’t have anything a hacker would find worth stealing.
News Flash: Even though you don’t think you have info worth stealing, you probably have money in the bank.
2) Secondary Motive
The second most common reason for a hacker to attack your system is to use it as a platform to launch more hacks. This is known as “secondary motive.” Hackers want to use your computer as a beachhead to launch attacks on others. Why? Because the more soldiers you have, the more likely you are to win the battle.
The same is true with hacking – the more computers that can launch your attack, the more computers that send out emails to compromised contacts lists, the more likely the hacker will succeed.
3) Confidential Information/Industrial Espionage
Finally, we come to the threat that most lawyers have in mind when they say their computers don’t hold valuable data. If it’s possible to get the impression that I don’t consider this type of hack a big deal, that impression is absolutely incorrect, especially if your law firm deals with clients whose information really needs protection.
Attempts to steal your clients’ information from your systems ARE A THREAT. You probably have access to information that’s not public, and has value in itself. The threat from foreign government-sponsored hacking is something that’s real, it’s not just in movies – if your clients have any information that might compete with a Chinese company, be aware of the potential for hacking.
How are hackers gaining access to law firm systems?
80% of attacks are external, and the vast majority of attacks begin via phishing emails. 15-20% of phishing emails WILL be opened, and more than 10% of phishing emails are opened AND malicious links contained within are clicked – triggering malware insertion.
However, it’s not just about email. Ad-injected malware from websites you and your employees visit is a huge problem. You also can’t just assume that your employees are avoiding the “bad” websites. Today, a “bad” website could include the New York Times, Forbes Magazine, Yahoo, or WIRED Magazine. Even the online game Farmville was a major source of malware injection.
Remember there are two ways to be targeted – the direct attack where hackers are looking for something specific, and the toss-the-net approach. Those are hackers who are targeting EVERYBODY! You don’t have to be the exact computer that the hacker is looking for in order to be a target.
Hackers today have ransomware that is sold like Microsoft 365’s subscription service. They have help desk support and their version of a Genius Bar.
Hackers have gotten good at what works. They’re professionals. It’s their job. Their tools are state of the art. They’ve practiced and honed their skills.
However, most hackers are fundamentally lazy, looking for the weakest links. They don’t want to waste time getting into your computer if it’s easier to get into someone else’s.
Fundamental Cyber Security Steps for Law Firms
Criminals are looking for the weakest link. They’re fundamentally lazy, and they’re looking for the easiest computer to access. The most important steps you can take are the ones that prevent your system from being that easy target. Here are a few key steps:
1) Have a plan in place.
Recognize that cyber security needs to be a part of your business. Just like HR, you need IT. And make sure that your plan is understood, accepted, and enforced!
2) Know What and Where Your Important Data Is
Understand what information you have that might be valuable, and where it is saved. Knowing where your data is located is the first step in making sure it’s protected.
3) Start using the tools you already have!
Require your employees to use unique, complex passwords. Rotating passwords protects you from former employees accessing your network or email – it’s good hygiene, and it’s a pain, but the tools available really help.
Turn on multi-factor authentication. Make sure you have your “antis” active – anti-virus, anti-malware, anti-adware.
4) ENCRYPT YOUR DATA!
Guess what, if a hacker really wants to get into your system, they will. Make sure all they find is data protected by strong encryption. As an added benefit, encrypting your data might even protect it from crypto locker ransomware!
5) Check for Weak Spots
Vulnerability management – make sure that vulnerability scans are being run frequently to keep your digital perimeter free of known weaknesses.
6) Use Pre-Emptive Protection
SPAM Filters should be active (and offsite) to remove and segregate suspicious emails.
7) Backup! Backup! Backup!
Make sure you have offsite – and not-network-attached – backup systems.
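Steps 3 and 7 above are the kind of hygiene a firm can actually check rather than just intend. The following is an added example, not code from the podcast or its author: a small audit that runs over a constructed export of user accounts (the record format, the sample users and the 90-day rotation window are all assumptions for this illustration) and reports the gaps the checklist describes, namely multi-factor authentication left off, passwords past the rotation window, the same password shared between accounts, and former employees whose accounts are still enabled.

```python
from collections import defaultdict
from datetime import date

ROTATION_DAYS = 90          # assumed rotation window for this illustration
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" used by the sample run

# Constructed sample export (not real data): one record per account, in the
# shape an identity provider or mail platform might hand to an administrator.
ACCOUNTS = [
    {"user": "alice", "employed": True,  "enabled": True,  "mfa": True,  "pw_hash": "h1", "pw_set": date(2024, 5, 1)},
    {"user": "bob",   "employed": True,  "enabled": True,  "mfa": False, "pw_hash": "h2", "pw_set": date(2023, 12, 15)},
    {"user": "carol", "employed": True,  "enabled": True,  "mfa": True,  "pw_hash": "h2", "pw_set": date(2024, 5, 10)},
    {"user": "dave",  "employed": False, "enabled": True,  "mfa": True,  "pw_hash": "h4", "pw_set": date(2024, 4, 5)},
    {"user": "erin",  "employed": False, "enabled": False, "mfa": False, "pw_hash": "h5", "pw_set": date(2023, 1, 1)},
]


def audit(accounts, today, rotation_days=ROTATION_DAYS):
    """Return a sorted list of (user, issue) findings for enabled accounts."""
    findings = []

    # Group enabled users by password hash so shared credentials surface as a finding.
    owners = defaultdict(list)
    for a in accounts:
        if a["enabled"]:
            owners[a["pw_hash"]].append(a["user"])

    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is not an entry point
        user = a["user"]
        if not a["employed"]:
            findings.append((user, "former employee still enabled"))
        if not a["mfa"]:
            findings.append((user, "multi-factor authentication off"))
        age = (today - a["pw_set"]).days
        if age > rotation_days:
            findings.append((user, f"password {age} days old (limit {rotation_days})"))
        if len(owners[a["pw_hash"]]) > 1:
            others = sorted(u for u in owners[a["pw_hash"]] if u != user)
            findings.append((user, "password shared with " + ", ".join(others)))
    return sorted(findings)


def summary(accounts, today):
    """Counts a partner or office manager can read at a glance."""
    f = audit(accounts, today)
    return {
        "accounts_checked": sum(1 for a in accounts if a["enabled"]),
        "findings": len(f),
        "users": sorted({u for u, _ in f}),
    }


if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {issue}")
```

Run it on a real export and the output is the worklist for step 3: each line is one account to fix before it becomes the easy target the article warns about. The disabled account is deliberately skipped, since the point of the check is to find accounts that still give someone a way in.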
Better Cyber Security Means Less Convenience – Deal With It!
Making law firms understand the steps that need to be taken to protect their confidential data is critical. However, there’s a considerable gap between the actions that law firms recognize need to be taken and those they’re actually putting time and effort into taking. Most law firms are nervous about cyber security, but often the failure to act is based on not knowing what steps are first.
Additionally, a lot of people don’t understand that you can’t solve the cyber attack problems simply by throwing dollars at it. Many of the simple, fundamental cyber security steps cost very little to implement, but require things like training and enhanced awareness of cyber threats.
The result is that paying for better cyber security without a corresponding willingness to participate in the process is largely unsuccessful. The most important reason is that the basic, fundamental steps, the ones that depend on that participation, are also considered the most effective – they’re the ones every individual and business needs to implement.
About the Author
Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.