When it comes to protecting your law practice from hackers, there is no foolproof method, according to legal experts offering guidance on training for law office employees.
“Nothing is ever going to make you 100 percent secure,” said John Simek of Sensei Enterprises, Inc., adding that hackers with the right tools and sufficient funding will find a way in. So rather than relying on prevention alone, a firm must be able to identify each incident and respond to it.
Simek and Sherri Davidoff, CEO of LMG Security, presented “Effective Cybersecurity Training for Your Law Office Employees,” offering tips and guidance on how to protect clients from cybersecurity thefts. The webinar was sponsored by the Law Practice Division and Section of Science & Technology Law.
Often we focus training programs on defense – “don’t click on links, don’t click on links, don’t click on links,” Davidoff said. “We forget to train our employees, here’s how you detect a problem and here’s what you should do if you detect a problem.”
Many firms make the mistake of believing they aren’t a target because “they’re looking for the big guys … the big companies … they’re not going after law firms,” Simek said. “That’s not necessarily true.”
The breach of Panamanian law firm Mossack Fonseca, made public in April 2016 when the International Consortium of Investigative Journalists published the Panama Papers, is considered the largest and single most damaging law firm breach to date. Revelations from the breach included that close associates of Russian President Vladimir Putin had moved some $2 billion through offshore structures set up by the firm. But employees of all law firms – big or small – must remain vigilant, and must know what steps to take once a breach has been detected.
Simek outlined a 2012 breach at a two-person firm in Virginia, where emails were stolen and released on the internet. The breach was discovered when a partner logged on to his computer and saw the message: “You’ve been pwned” – a clear sign that they had been hacked. In that case, the firm’s website provider had not properly secured access to the emails. The firm notified its clients and contacted authorities but, unfortunately, did not have proper security mechanisms in place to prevent it.
The use of multi-factor authentication is the first line of defense to protect emails, Davidoff said, and likely would have prevented the Virginia hack.
Many law firms hit with ransomware (malicious software that encrypts a victim’s files and demands payment to restore access) or other malware don’t report it to law enforcement for fear of damaging their reputation and losing business. Ransomware can be bundled with spyware, information-stealing malware that collects all PDFs, Excel spreadsheets, PowerPoints and text files and automatically sends them to the attacker, who will sort through them and resell them later. “It’s not that they’re targeting you or a specific kind of information, it’s like a smash and grab,” Davidoff said, adding that many law firms never report breaches to the authorities. “For every breach you see in the media, there are probably 99 others that are not in the media,” she said.
One common misconception is that hackers focus on big firms and don’t target small law firms, but the reality is that all firms hold client data that needs to be protected. Often it can be hard to tell whether you’ve been hacked and what exactly the hackers did with the information they stole. Davidoff recommends contracting with a security monitoring specialist to detect the traces attackers leave behind. Hackers sell stolen information on dark web marketplaces, reached through the Tor (The Onion Router) anonymity network. Though banks and hospitals are obvious targets for this kind of activity, law firms – and their clients – are also vulnerable.
“The rule of thumb is that if the information is worth money to you, it’s worth money to someone else,” Davidoff said. Often employees click on a link, unknowingly launching malware that gives the thieves immediate access to their computer. Some breaches result from a “man in the browser” attack, in which malware running inside the victim’s web browser silently alters what the victim sees and submits, capturing logins, client details and payment instructions as they are typed.
The 2016 Verizon Data Breach Investigations Report (covering incidents from 2015) reveals:
- Of more than 100,000 security incidents analyzed, 3,141 were confirmed data breaches
- 89 percent of breaches had a financial or espionage motive
- 63 percent of confirmed breaches involved weak, default or stolen passwords
- Attackers compromised systems within minutes in 93 percent of breaches, and within seconds in 11 percent
- 30 percent of phishing messages were opened by their recipients
- Fewer than 25 percent of breaches were discovered within days
Human error can be difficult to “fix,” but there are some guidelines that should be shared with staff. Hackers can send threatening emails that are designed to scare the recipient into responding.
“If you look at an email and it stresses you out and there’s some urgency, stop and think because hackers are trying to make you click before you think,” Davidoff said. “Think before you click.”
If you get a message that you’ve never seen before, that’s a red flag. “If you’re not expecting an email, then you should really be looking at it critically,” she added.
Hackers often belong to organized crime groups that run like a business in a competitive market. To combat hackers, develop a training program for your employees that includes:
- Clearly written policies
- An easy-to-remember cybersecurity contact
- Annual training
- Regular reminders and tips (at least quarterly), supplemented with technical solutions (spam filtering, monitoring, etc.)
Everyone in your office should be trained, including lawyers, support staff, first-responders (IT personnel) and clients. Client portals for law firms are popular, but portal users must be trained, sometimes on a one-on-one basis.
When developing a training program, include these common-sense guidelines and share them with everyone in your organization:
- Think before you click. Hover your mouse over links in emails and check them carefully before you click.
- Beware of fraudulent websites. Double-check the address, and look for “HTTPS” and the lock icon. Remember that the lock only means the connection is encrypted, not that the site is legitimate – phishing sites use HTTPS too, so the domain name is what matters.
- Don’t respond to scammers.
- Pick strong passwords – passwords should be long (at least 14 characters). Never re-use personal passwords for work, or vice versa.
- Never tell anyone your passwords – not friends, coworkers, vendors or even IT staff.
- Use antivirus software and keep it up to date so your computer is protected from known malware. Install operating system and application updates promptly as well: they include security fixes that close holes attackers are already using, and can save you time and hassle later.
- Only use trusted software – attackers want to get their software installed on your computer. Often, they disguise it as a handy utility or fun game. Don’t install your own software unless you have formal approval.
- Secure your mobile device. Treat your phone, laptop or tablet like your desktop computer. Use a passcode and install antivirus software when available. Encrypt sensitive data, such as confidential emails, files, USB thumb drives and other valuable information.
- Hang on to your data. Don’t upload data to the cloud, copy it to USBs or email it to personal accounts without explicit permission. Keep your work and personal accounts separate.
- Remember: Computer use at work is not private. To protect your computer and the whole network, your organization may monitor your web surfing, email use, computer activity and more.
- Stay informed. Know your organization’s policies for detecting and reporting phishing attacks and other suspicious behavior.
- Alert the right people in your organization when you are suspicious of an email or web page. If you clicked a link that you should not have clicked, tell the appropriate people so they can help.
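The “hover before you click” and “double-check the address” rules above can also be applied automatically. The following is an added example, not code from the webinar or from the presenters; it parses the links out of an HTML email and flags the tricks phishing messages rely on: visible text that names one domain while the href points to another, a trusted firm or vendor name buried inside an unrelated domain, raw IP addresses, punycode (internationalized) hosts, credentials-in-URL tricks, and plain HTTP. The sample message and the `TRUSTED_DOMAINS` list are constructed for the example; a firm would substitute its own domains.

```python
"""Flag suspicious links in an HTML email (added example, not from the original page).

The sample message and TRUSTED_DOMAINS below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Assumption: domains the firm treats as its own or as known vendors.
TRUSTED_DOMAINS = {"examplefirm.com", "dropbox.com"}


def registrable(host):
    """Crude 'last two labels' domain; good enough for comparing hosts here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    url = urlsplit(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return ["non-web link or no host: %r" % href]   # javascript:, data:, mailto:
    if url.scheme != "https":
        reasons.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible homograph")
    if "@" in url.netloc:
        reasons.append("userinfo in URL hides real host")
    # Visible text that looks like a URL but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append("visible text %s but href goes to %s" % (m.group(1), host))
    # A trusted name appears in the host, but the registrable domain is not trusted.
    reg = registrable(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted.split(".")[0] in host:
                reasons.append("looks like %s but is actually %s" % (trusted, reg))
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample message: one legitimate vendor link, one legitimate firm link,
# and four links using common phishing tricks.
SAMPLE_EMAIL = """
<p>A shared document is waiting for your signature.</p>
<a href="http://examplefirm.com.portal-secure.ru/login">https://examplefirm.com/portal</a>
<a href="https://www.dropbox.com/s/abc123">Shared folder</a>
<a href="https://xn--drpbox-xxb.com/file">Dropbox</a>
<a href="http://203.0.113.5/update.exe">Update your client now</a>
<a href="https://examplefirm.com@evil.example/login">Client portal</a>
<a href="https://secure.examplefirm.com/portal">https://secure.examplefirm.com/portal</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("%-8s %s" % ("FLAG" if reasons else "ok", href))
        for r in reasons:
            print("         - " + r)
```

Run against the sample, the two legitimate links come back clean and the other four are flagged, with the first link tripping three checks at once (plain HTTP, text/href mismatch, and a trusted name inside a foreign domain). A mail gateway or a training exercise can use the same logic to annotate links before staff see them.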