Malware attacks, particularly ransomware, have been on the upswing globally over the last few years. A financial winner for cyber hackers, ransomware has escalated from the aggressive activity against banks and other financial institutions to attacks on government entities, the healthcare industry, and the legal profession. When it comes to how legal professionals can protect against ransomware, you really can’t manage alone. Fortunately, we can tell you about the measures you can take to manage this aspect of your business.
Types of Attacks
According to Law.com, since 2014 over 100 law firms alerted authorities that they experienced data breaches.
In 2017, the Jenner & Block law firm in Chicago, with offices in Los Angeles, New York, Washington DC, and London, suffered a security breach that focused on tax forms provided to the firm by current and former employees. The tax forms contained sensitive personal information with respect to names, addresses, Social Security IDs and salary information. That’s the kind of personal information that is dangerous in the wrong hands.
Locked Out of Software
Sometimes it’s not anything a lawyer or employee of the law firm does wrong. TrialWorks, a popular cloud platform for legal software, experienced a shut-down in 2019 when TrialWorks identified a ransomware attack on its platform. The shut-down created turmoil when TrialWorks’ client base (lawyers) was unable to access their files and legal client data. As a result, some lawyers were unable to meet court deadlines.
Cyber hackers are fond of phishing scams and they start by creating an email address from a domain name that is similar to an actual lawyer or law firm name. The cyber hacker then sends an email from that fake email address to a lawyer at the law firm asking for data. Sometimes a recipient reads the email too quickly, not realizing that it’s not his senior partner asking for the access information but is a cybercriminal. When the lawyer complies with the information request, the cyber hacker gains access to the firm’s network.
Let’s focus on ransomware, a particularly pernicious infection. Phishing attacks are scams used to trick internet users into divulging passwords, login identifications, and credit card numbers or other sensitive information. In addition, Phishing attacks are often the delivery system for malicious ransomware software. Following delivery, the malicious software obstructs a law firm’s users from gaining access to sensitive client files and law firm data. Then, it demands the firm pay a ransom in order to get the files back. Every year, cybercriminals become more adept at their trade and more physically harmful to the networks they attack.
Court systems are not immune to these attacks, either. In 2019, malware attacked the Philadelphia court’s online system. The court had to take its website down and had to offline the document filings system and email servers. The court was offline for weeks.
Cybercrime is Big business
Big business for hackers, that is. CyberCrime Magazine says that global cybercrime damages are expected to exceed $6 trillion annually by 2021, an increase of $3 trillion in only 6 years. And experts expect that spending on cybersecurity products and services will reach a global total of $1 trillion dollars for 2017-2021.
Law firms attract Ransomware attacks
Law firms are particularly susceptible to ransomware attacks. Law firms keep remarkable amounts of personal, sensitive, and confidential information which is valuable to cybercriminals. Law firms still keep some sensitive data in paper files. They keep a lot of sensitive data in digital form on their networks. Ransomware attacks that cut-off access to network files can disrupt the law firm’s practice; however, ransomware attacks that then distribute sensitive client information to the public (as the firm’s punishment for not paying the ransom demanded) have devastating results. The loss of access to client information may be short-lived or an enduring loss. The ransomware attack may result in financial distress for the firm and it potentially can destroy a firm’s reputation.
The Official ABA Position
The American Bar Association (ABA) acknowledges that law firms are high-value targets for cyber hackers. ABA issued Formal Opinion 483 to emphasize that it is a lawyer’s professional responsibility and duty to notify clients of a data breach or cyberattack on the firm’s network. It is incumbent upon each lawyer to understand how the Rules of Professional Responsibility come into play in these types of attacks.
Measures Law Firms Can Take
Here are some proactive steps lawyers can take to make sure their networks are secure.
Update and patch all software revisions promptly
This may seem like a simple fix – and it is. Remember, however, that hackers constantly upgrade their attack skills, revamp their intrusion techniques, and identify vulnerabilities to exploit. To counter those assaults, software companies work hard to eliminate vulnerabilities as soon as they are discovered. Law firms that fail to update software and/or install patches when distributed invite malicious software to obtain a preventable foothold in their network.
Review a cloud-hosting provider’s security measures
For instance, ask a prospective cloud platform host whether the provider’s technology satisfies HIPAA compliance requirements. It’s important to ascertain whether the provider’s electronic data system protects clients’ private health information. Cybercriminals love to steal health information to perpetrate fraud and identity theft.
Include cybersecurity compliance as part of the contractual obligations spelled out in the contract between the law firm and the cloud host. It is common practice these days to require certification that the cloud host will maintain the confidentiality and privacy of the firm’s information stored on its site. The certification takes the form of a third-party accountant’s declaration that the provider’s system complies with AICPA’s Service Organization Control (SOC)1 and 2 compliance standards.
Make sure the cloud host requires 2FA, two-factor authentication, for anyone accessing the firm’s network and data stores. Require the law firm to use 2FA for access to its internal network as well. Also, inquire whether the hosting platform supports biometric authentication based on fingerprints or facial/retina scanning.
Choose a cloud platform that will encrypt your data before moving it from one system to another and also while storing data. In addition, it is wise to require email encryption for sensitive documents sent over the internet to clients. Alternatively, affix secure passwords documents to restrict access and protect the documents. And, train all staff that they must not include the password in the body of the transmitting email. Rather, provide the password in a phone call or text message.
Train Your Staff
Eliminate the human factor: Train, train, and then train your staff again. It’s important that all staff – attorneys, paralegals, support staff – grasp the significance of the cybersecurity world we live in and the magnitude of potential threats that cybercrime poses. As mentioned earlier, phishing scams are themselves a serious issue for all computer users but they also become part of the ransomware landscape, too. Teach staff not to open emails from unknown sources or unexpected emails even if from a known source. And that prohibition applies above all to emails with attachments, especially Microsoft document attachments.
password management tools
Consider adopting password management tools. Today’s lawyers and even their staffs use multiple internet-connected devices. They go to many password-protected websites and use various networks. Keeping passwords to all of those connections in memory is a cyber nightmare. A password manager is exactly what it sounds like: it helps manage multiple passwords. It works by generating strong, random passwords and rotates them on a periodic basis. The password manager also discourages users from using the same passwords on multiple sites, something most people like to do for simpicity’s sake. Password managers can retrieve passwords and save them to a database.
Other Steps to Take
- Audit your firm’s cybersecurity. Have an independent, third-party vendor appraise your network’s information security and make recommendations that will make it more secure.
- Limit network access. Limit the users who have access to your network and restrict their access to “need-to-know” areas. In addition, restrict the right to install programs to IT and system administrators.
- Secure endpoints, networks, and all internet connections.
- Create a backup system either off-site or on a separate external drive. Make sure the system backs up automatically or assign someone the responsibility to make the backups every day.
- Use software firewalls. Developers create software firewalls to protect computers and networks by blocking specific programs from sending/receiving information from the internet or from a local network. They are the sentinels at your network’s door.
- Carry out penetration tests to detect vulnerabilities and detect breaches. Sometimes called a pentest, this is a technique IT heroes use to find vulnerabilities before hackers identify them. It can also help detect breaches.
- Adopt incident response protocols. Know the steps to be taken in the event of a breach, including determining the extent of the breach and the matter affected.
- Create protocols for quarantine of malware and ultimately the destruction of the malware intruder.
- Designate team members who will serve on the incident response team. Design the call protocol to follow to let team members and clients know about breaches.
- Regularly re-evaluate the network’s information security.
To read more about protecting law firms from cybercrime, read the June 2019 article from legalreader.com entitled “How to Prevent Cybersecurity Risks at Law Firms in 2019“.
If you would like to learn how to deep clean your firm’s computers by erasing documents so that no one can recover them, check the Shred Cube. We will be happy to answer all your questions about deep cleaning your hard drives and your network.