Natural disasters are steadily increasing. In 2020 we ran out of hurricane names and had to resort to the backup names from the Greek alphabet. We came close to using up all the names in 2021, too, but barely squeaked by with one remaining. December 2021 saw a wind disaster come through the central United States and devastate hundreds of miles of structures. According to meteorologists, at least 19 tornadoes in five states were unleashed. We have experienced major flooding from hurricanes over the last couple of decades, severely impacting attorneys in their ability to practice law.
In natural disasters such as tornadoes, ice storms, hurricanes, and blizzards, attorneys must protect the confidential information entrusted to them by their clients. Physical access to law offices and client data is hindered during a disaster.
How will you prevent someone from potentially gaining unauthorized access to client data during the disaster? Your security system may be disabled due to lack of electricity. You won’t be able to control physical access if your office space is damaged. You may not be able to get to the client data (paper files, computers, servers, etc.) if your office is flooded—remember Katrina?
The Cloud Becomes a Lifeline
As more and more law firms utilize cloud services (and law firms stampeded to the cloud in 2020), continuing operations during and after a disaster is becoming much easier. However, taking advantage of cloud services means that a connection to the Internet is of prime importance. If your Internet connection goes down, you’ll need an alternative method to get to your client data. Don’t forget that you may be able to use your smartphone hot spot to access the Internet and continue operations during a disaster.
Another advantage of using the cloud is security. Generally, cloud providers are much more secure than systems contained in a law firm’s network. That is true for most solo and small firm attorneys.
The Pandemic Revolutionizes Cybersecurity
We’ve mentioned some of the more common natural disasters, but the pandemic rocked us to the core. COVID-19 forced law firms and businesses to close up shop (most in a single day) and send employees home for an extended period.
The sudden closure of law firms allowed for only scant planning. We shut down our own office in less than an hour, although we were fortunately well situated for a work-from-home (WFH) environment.
A lot of law firms were not as fortunate. Those that didn’t have laptops as a primary work device for their employees were forced to use home computers for work purposes as laptop demand skyrocketed and orders took months for delivery. The pandemic also significantly slowed laptop production, which didn’t help. Even though the pandemic forced WFH on many law firms, other natural disasters could also force law firm employees into a remote work environment.
Work from Home Is Less Secure
Home networks are 3.5 times more vulnerable to attack than law firm networks for a variety of reasons. Consumer-grade equipment is used in home networks and is not generally kept up-to-date. That includes computers as well as networking equipment such as wireless routers. Studies show that less than 30 percent of users have changed the default administration password on their home routers. The cybercriminals read these studies, too! This is one reason the attacks on home networks increased significantly at the beginning of the pandemic. Cybercriminals knew that lawyers were now working from home utilizing insecure devices. A ripe target, indeed.
Another consideration in a WFH world is the security of the device used to connect to the law firm network or cloud service. Devices located within a law firm network are typically centrally managed and kept up-to-date with the latest security patches and application updates. There are many more challenges when someone is remote, especially if working on a device not owned by the firm.
To help improve the situation, some firms elected to make the home machines part of the law firm’s centrally managed environment. This means that the firm would remotely patch the home computers and make sure all security configurations and updates were installed.
Obviously, there are some challenges when folding a home machine into the managed environment. Privacy considerations become top of mind—not just the privacy (and security) of client information, but the personal privacy of the home user. There needs to be a crystal-clear understanding of what the law firm is allowed to do to the home user’s computer and what information may be accessed. The obvious conclusion is that it is a much better alternative to put a law-firm-owned device on the home network rather than taking control of a home machine.
Training Is Critical
Training is essential to adequately respond to a disaster. No matter what the disaster (tornado, hurricane, pandemic, etc.), employees are stressed out dealing with the situation. They may be concerned for the life and safety of family, friends, and colleagues. Their defenses are down—they may be moving way too fast and not thinking clearly.
Then they must deal with cybercriminals seeking to exploit a disaster. Employees need to be trained to recognize a phishing attack, especially because more than 90 percent of successful cyberattacks start with a phishing email. Unfortunately, cybercriminals have become very sophisticated and are constantly changing their methods and tactics to gain access to valuable information. That information may be the user’s log-on credentials, firm financial information, or client information that ultimately results in financial gain.
Phishing attacks have drastically increased since the beginning of the pandemic. Besides trying to get users to open an attachment or click on a malicious link, cybercriminals want users to feel safe when receiving a phishing email. There may not be any link or attachment—the attacker might simply appear to be starting a conversation (e.g., “Are you available to talk?”). After a few “innocent” email exchanges, the attacker then “pulls the trigger” and gets to the real purpose of the email exchange. These attacks are primarily financially driven. The Federal Bureau of Investigation categorizes such an event as BEC (business email compromise).
BEC accounts for the majority of Internet fraud according to the Internet Crime Complaint Center’s 2020 Internet Crime Report. The report identified total losses exceeding $4.2 billion, with BEC being responsible for more than $1.8 billion. In comparison, ransomware was responsible for only $29.1 million of losses. Some of the Q2 2021 stats show that the average request was for $106,000, up from $75,000 in Q4 2020 (APWG Phishing Activity Trends Report, 2nd Quarter 2021, Sept. 22, 2021).
Twenty-four percent of the BEC attacks tried to divert employee payroll deposits, while 47 percent requested funds in gift cards. Gift cards are popular because you only need the codes and not the physical card. Once the card is cashed in, the funds are converted to virtual currency such as Bitcoin. You will probably never see the money again once the gift card is redeemed. A request for gift cards is usually a “red flag.” Instruct employees to be very wary of any request for gift cards.
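The BEC pattern described above (a bare “Are you available?” opener from an outside address, followed by a gift-card or payroll-change request) can be turned into simple mail-filter heuristics that a firm could run on inbound mail before it reaches an employee. The following is an added example written for this article, not code from the author or from any vendor; the firm domain (examplefirm.test), the partner name list, the sample messages, and the weights are all constructed assumptions, and the scorer is a weighted keyword check, not a trained classifier.

```python
"""Heuristic BEC red-flag scorer (added example; assumptions are marked)."""
from __future__ import annotations
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "examplefirm.test"   # assumption: the firm's own mail domain
EXECUTIVES = {"jane partner"}           # assumption: names an impersonator would borrow

# Indicators taken from the article: gift-card requests, payroll-deposit
# diversion, and "innocent" conversation starters carrying no link/attachment.
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
PAYROLL = re.compile(r"\b(direct deposit|payroll|bank(?:ing)?\s+(?:details|information|account))\b", re.I)
OPENER = re.compile(r"\b(are you (?:available|free|at your desk)|can you (?:talk|help me)|quick (?:favou?r|task))\b", re.I)
URGENCY = re.compile(r"\b(urgent(?:ly)?|asap|right away|immediately|discreet(?:ly)?|confidential)\b", re.I)

@dataclass
class Email:
    sender: str            # SMTP address from the From: header
    display_name: str      # human-readable From: name
    subject: str
    body: str
    has_link: bool = False
    has_attachment: bool = False

def sender_domain(address: str) -> str:
    """Lowercase domain part of an address (whole string if there is no '@')."""
    return address.rsplit("@", 1)[-1].strip().lower()

def score_email(msg: Email) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more BEC red flags."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}"
    external = sender_domain(msg.sender) != INTERNAL_DOMAIN
    if GIFT_CARD.search(text):
        score += 3; reasons.append("gift card request")
    if PAYROLL.search(text):
        score += 3; reasons.append("payroll or bank-detail change")
    if external and " ".join(msg.display_name.lower().split()) in EXECUTIVES:
        score += 3; reasons.append("internal name on external address")
    if external and OPENER.search(text) and not (msg.has_link or msg.has_attachment):
        score += 2; reasons.append("bare conversation starter from outside")
    if URGENCY.search(text):
        # Weak signal on its own: law-firm mail says "confidential" constantly.
        score += 1; reasons.append("urgency or secrecy language")
    return score, reasons

def score_thread(thread: list[Email]) -> dict:
    """Score a whole exchange: flag the opener-then-payment-ask escalation
    when both messages come from the same outside address."""
    per_message = [score_email(m) for m in thread]
    openers_seen: set[str] = set()
    escalation = False
    asks = ("gift card request", "payroll or bank-detail change")
    for msg, (_, reasons) in zip(thread, per_message):
        external = sender_domain(msg.sender) != INTERNAL_DOMAIN
        if "bare conversation starter from outside" in reasons:
            openers_seen.add(msg.sender.lower())
        elif external and msg.sender.lower() in openers_seen and any(r in reasons for r in asks):
            escalation = True
    peak = max((s for s, _ in per_message), default=0)
    return {"peak_score": peak, "escalation": escalation,
            "suspicious": peak >= 3 or escalation}

# Constructed sample messages (not real mail).
SAMPLE_THREAD = [
    Email("jane.partner.office@mail-example.test", "Jane Partner", "Quick question",
          "Are you available to talk? I'm between meetings."),
    Email("jane.partner.office@mail-example.test", "Jane Partner", "Re: Quick question",
          "Great. I need you to pick up 5 gift cards for a client today and email me "
          "the codes. Please keep this confidential."),
]
PAYROLL_SAMPLE = Email("hr-update@mail-example.test", "HR Department", "Direct deposit change",
                       "Please update my direct deposit to the attached bank account details.",
                       has_attachment=True)
BENIGN_SAMPLE = Email("bob@examplefirm.test", "Bob Associate", "Lunch?",
                      "Are you available for lunch Friday?")

if __name__ == "__main__":
    for m in SAMPLE_THREAD + [PAYROLL_SAMPLE, BENIGN_SAMPLE]:
        print(m.display_name, score_email(m))
    print(score_thread(SAMPLE_THREAD))
```

The thread-level check matters because the first message in a BEC exchange scores low by design; only when the same outside sender later asks for gift cards or a deposit change does the pattern become obvious, which is why this scorer keeps the opener in memory rather than judging each message alone. In practice the keyword lists would be tuned to the firm’s own mail, and a hit should route the message to a human for out-of-band verification (a phone call to the supposed sender) rather than trigger automatic action.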