What technology or other safeguards do you or your organization use to protect against data theft and ransomware?
DB: Antivirus and malware protection software, remote backups, restrictions on who has access to passwords, complex passwords stored in a hopefully reliable password manager, password protected files for sensitive information, data storage in law practice management software with companies with far bigger budgets and security sophistication than a small firm can manage.
JC: Spam filters help but are imperfect. Our IT Director asks us to forward her screenshots of suspected scams or malware. She then checks to see if anyone else has received it and sometimes will send a firm-wide email if it is something new.
JH: We use a third party to do email filtering of spam and phishing attacks, and a separate third party for endpoint protection. For perimeter protection, we use a firewall appliance. In addition to this, we use a service to gather daily monitoring of user login anomalies as well as quarterly comparative network and security assessments for internal and external vulnerabilities.
DS: Use VPN when appropriate. Carry cyber insurance.
JS: One of the “must have” technologies is to have some sort of endpoint detection and response (EDR) solution, also marketed as managed detection and response (MDR) or extended detection and response (XDR). EDR solutions monitor the activity of a device and take action when there is suspicious, outside-of-the-norm activity. There are several EDR/MDR/XDR solutions that are very affordable even for the solo and small firm lawyer.
We have been using SentinelOne for many years as have our clients. It includes features such as blocking activity consistent with ransomware attacks, automatically removing the device from the network to prevent lateral spread, and even rolling back the device to a known good state prior to data being encrypted. SentinelOne also includes support from a SOC (Security Operations Center).
In addition, you should also consider having a SIEM (Security Information and Event Management) solution to help analyze, detect, and take action for security threats in your environment. A SIEM processes the massive amounts of data from system and security event logs in an automated and intelligent manner.
Don’t forget about the simple things either. You should be implementing multi-factor authentication (MFA) everywhere you can, as well as applying any software or firmware updates as soon as possible. There really is no excuse for failing to apply patches or to use MFA, since both are free.
RT: We use Barracuda and KnowBe4 as our primary user-facing tools.
Do you do training for employees to protect against such risks? If so, how often?
DB: Yes, I have in the past, and I extend reminders if I see unwise behavior, work with someone new, or learn of new risks. Nevertheless, I think people can be our biggest risk. I urge clients to use the client portal for sensitive information, but still receive emails from them with information that I would not send by email. By the way, could it be argued that a lawyer’s ethical duty to supervise employees and associates reporting to them can trigger an obligation to conduct such training? Or at least the obligation to preserve a client’s confidential information.
JC: The standard used to be annual training. Now that seems too long. Formal training two or more times each year seems best. Interim reminder emails to the firm when new scams are attempted against the firm or a new scam is exposed help keep these threats top of mind.
JH: Employees go through virtual training on the various cybersecurity risks they may be presented with, and how to identify them. Testing occurs by producing random phishing and other emails. If the employee “takes the bait,” they are required to engage in further cybersecurity training. The training occurs on an as-needed basis as determined by our IT Department.
JS: The short answer is yes. Security awareness training should be given at least once a year. Twice a year is even better given how fast the security landscape is changing. Check your cyber-insurance policy as most will require at least annual training.
RT: We have annual training, but those who click on KnowBe4’s tempting emails have some additional training too.
What concerns do you have about how artificial intelligence may provide more tools for fraudsters?
DB: As mentioned above, I worry that it will get easier to impersonate “trusted” people using their voice, image, writing style, etc. There have already been incidents where someone spoofing a boss’s email directs an employee to provide information or execute some other action desired by a fraudster. How much easier will it be if the fraudster can call the employee and give instructions in the boss’s voice?
JC: We will soon see ultra-personalized scams and malware communications, as AI harvests much of the data available about a target online to assemble a custom attack. Imagine a college student who attended a party receiving a text the next day that says “Hey it was nice to meet you at Bob’s BBQ party. I took a great pic of you, Cindy and Barbara [friends who attended the party]. Here’s a link if you’d like to have the picture.” The personalized content could likely cause recipients to lower their guard.
LJ: I am presuming that fraudsters have already integrated AI into their systems for devising the most tempting phishing content.
AJ: Artificial intelligence, to me, is the greatest upcoming threat. We have already heard about people being scammed by telephone calls that they thought were family members in trouble because artificial intelligence was able to re-create their family member’s voice on the telephone. With all of the video content being created now and all of the photos that are posted online, the technology is already out there that can make it seem as if you are having a conversation with someone on video, but it is all artificial intelligence. Rest assured that the scammers will be taking full advantage of it.
DS: Too many to list. AI can and will provide more tools for fraudsters.
JS: As previously mentioned, AI is used for prevention of attacks as well as helping to facilitate successful ones. It’s a back-and-forth battle that has no end in sight. The attacks are getting more and more sophisticated with the use of AI. For now, the best advice is to be suspicious - always.
RT: The emails are more personal and contain more personal information gleaned from the internet to make you curious and click on them. We have to be even more vigilant.
What event, educational item, or news headline helped flip the light on for your firm or organization to take phishing emails and scams more seriously?
DB:
- The heartbreaking news stories of small law firms being swindled out of hundreds of thousands of dollars, such as this one described in the ABA Journal in 2022: https://www.abajournal.com/news/article/wells-fargo-didnt-have-contractual-duty-to-catch-scam-check-that-cost-law-firm-nearly-200k-judge-rules .
- The highly publicized email hacks of political figures.
- The story from a friend about receiving an email from the boss to send money to an account. The friend almost did it, but fortunately contacted the boss to ask a question about it first.
- The frequency with which I receive fairly obvious scam emails seeking to hire my legal services when a simple review of my website would reveal how off base the request is.
- My own personal experiences are described above.
JC: Seeing good and competent lawyers lose hundreds of thousands of dollars to scammers.
LJ: I got a phone call from a guy who represented that he was a cop and had a warrant because I had missed jury duty. If only I got him some gift cards…. I called the local police dept and tried to set up a meet with him at the courthouse (where my bar group was having its meetings). The fake cop was a no-show, but phone scams became real for the first time.
AJ: I can’t say that there has been one single event or headline that changed things for me. But the sheer number of spam telephone calls and emails, along with the rapid pace of artificial intelligence, for me, has combined to make me even more cautious than I was before. We can only hope that some smart “good guys” come up with ways to combat these scams or make them more difficult to execute.
DS: For me, it is mainly bar activities where, for instance, I will be serving on the newly formed ABA taskforce on AI.
JS: As a cybersecurity company, we’ve always taken phishing emails and scams seriously. As for our clients, the “light bulb moment” is normally when they have a security incident or someone they know does. There is something compelling about being up close and personal.
RT: One was learning just how many law firms, large and small, were getting scammed; the other was obtaining a cyber liability insurance policy that comes with certain minimum tech and training requirements. Both were good reasons to up our game.