Cyberthreats present a continuing and growing challenge to businesses and organizations of all kinds and sizes, including law firms. Three of today’s greatest threats are phishing, ransomware and business email compromise (BEC). Awareness of these threats and implementation of basic cybersecurity safeguards are important steps to help defend against them. This article presents an overview of these threats and 10 basic security safeguards.
Phishing uses fraudulent (spoofed) emails for criminal purposes, like installing malware, stealing money and obtaining information such as login credentials, bank account information, personal information and confidential business information.
The number of phishing attacks has increased during the COVID-19 pandemic and remains high. The Anti-Phishing Working Group has reported that after doubling in 2020, the amount of phishing remained at a steady but high level during 2021. The Cybersecurity & Infrastructure Security Agency (CISA) has reported that over 90 percent of successful cyberattacks start with a phishing email.
Ransomware is a type of malware that encrypts a victim’s data. Attackers then demand payment, usually in cryptocurrency, for the victim to get the decryption key and restore access to the data. Ransomware attackers also frequently exfiltrate (steal) a victim’s information and demand payment for not disclosing or selling the information.
Ransomware is a growing and evolving threat. For example, the U.S. Treasury reported that the total value of ransomware-related suspicious activity reported during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million). It also noted $5.2 billion in payments to virtual currency wallets potentially tied to ransomware payments.

BEC is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes. BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, attorney, business contact or other person in order to obtain a transfer of funds or sensitive information.
BEC takes multiple forms. It sometimes involves spearphishing (a targeted phishing email) that appears to be from a business executive, business contact or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion, called email account compromise (EAC). The FBI’s Internet Crime Complaint Center (IC3) reported that the adjusted losses for BEC incidents reported in 2020 were almost $1.9 billion, the highest losses for any crime.
A common form of BEC is fraudulent wire transfer instructions: an email that appears to be from a CEO or other senior official (COO, CFO, etc.) with instructions to immediately pay “a vendor,” or an email that appears to be from a vendor with new wire transfer instructions that route payment to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, sending fraudulent payment instructions for the proceeds of a real estate sale, or an email to a buyer that “hijacks” the wire transfer of the purchase price.
Given the frequency and high risk, awareness of phishing, ransomware and BEC is an important part of cybersecurity programs for attorneys and law firms.
The American Bar Association has recommended that all organizations, including law firms, have comprehensive cybersecurity programs. A cybersecurity program should cover the core security functions (identify, protect, detect, respond and recover), including an incident response plan. Information on comprehensive cybersecurity programs is available from the Law Practice Division, including this magazine, Law Practice Today, the Legal Technology Resource Center and ABA TECHSHOW; the ABA Cybersecurity Legal Task Force, including Cybersecurity Resources for Small Law Firms and the Vendor Cyber Contracting Cybersecurity Checklist; CISA, including Resources for Small and Midsize Businesses; and the National Institute of Standards and Technology (NIST), including the Small Business Cybersecurity Corner.
An effective cybersecurity program requires regular review and updating as technology, threats and available safeguards change.
10 basic safeguards
The following 10 basic safeguards are an important part of an effective cybersecurity program.
- Manage and minimize data. Cybersecurity should be part of information governance. It is necessary to know what technology and data need to be protected. Data that is securely deleted once it is no longer required or needed can no longer be exposed.
- Segment and limit access to sensitive data. Sensitive data should be stored in a separate location or locations, with separate access controls. Access should be limited to users who need access.
- Control use of administrative privileges. Windows and Mac computers have two kinds of user accounts: administrator and standard user accounts. Administrator access is needed for some functions like installing or removing software and devices. Some malware can run only in an administrator account. A standard user account should be used unless administrator access is temporarily needed.
- Use strong authentication. The current recommendation for strong passwords or passphrases is a minimum of 12 or 14 characters, including uppercase and lowercase letters, numbers, and symbols. Passphrases (like “Ilovmy2017BMW!”) are secure and easier to remember than random passwords. Password managers (like 1Password, LastPass and Dashlane) can be very helpful in balancing security and ease of use. Use multifactor authentication, particularly for administrator accounts and remote access. Zero trust architecture is an emerging approach to authentication and access control; watch for developments as it becomes more common and available.
- Promptly patch the operating system, firmware, all applications and plug-ins. Malware often takes advantage of vulnerabilities in operating systems, applications and plug-ins. Updates and patches are released to close such vulnerabilities once they are known, so they should be applied promptly to the operating system, firmware and all applications. Computers are often compromised by malware exploiting vulnerabilities for which patches are available but have not been applied.
- Use secure, common configurations for servers, desktops, laptops and mobile devices. This includes settings like automatic logoff or shutdown after “x” minutes of inactivity and locking or wiping after “x” failed login attempts. Follow security configuration recommendations from Microsoft, Apple and device manufacturers. For more comprehensive recommendations, see the Center for Internet Security’s CIS Benchmarks.
- Use strong security appliances and software and keep them up to date. Home and law firm networks should be protected by securely configured hardware firewalls. Windows and Mac computers should be protected with current versions of security software, with all updates applied. It is generally best to use automatic updates. Consider using application whitelisting (which allows only approved applications and processes to run), data loss prevention, and endpoint detection and response.
- Back up important files and data. Files should be backed up at least daily. Maintain multiple backups, including an offline and offsite backup. Make sure that backups are secure. Test restoration from backups.
- Use a spam filter and website filtering. They can block some phishing emails and warn about some malicious and compromised websites.
- Conduct vulnerability assessment and remediation. This is usually done by a technology professional to find and address external and internal security issues like missing patches, incorrect configurations and open ports.
These basic security steps are an important part of an effective cybersecurity program, but just a part. A comprehensive program includes much more, such as training; encryption; securing wired and wireless networks, cloud services, remote connections and portable and remote devices; and management of third-party risks. Most attorneys will need qualified assistance to implement and maintain effective cybersecurity. Particularly important is maintaining constant cybersecurity awareness by every user, every day, every time they are using technology.
Attorneys and law firms today are facing continuing and growing cyberthreats. Constant awareness of these threats and addressing basic safeguards are important parts of protection against them.
Note: The views and opinions expressed in this article represent the view of the author and do not necessarily represent the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.