October is Cyber Security Month!
In honor of October as Cyber Security Month, the MSI team would like to take an opportunity to profile some threats to specific industries. These threats have the potential to impact our friends and clients, and what better month to help them protect themselves?
According to the 2017 ABA Legal Technology Survey 22% of law firms were compromised or experienced data breaches in 2017.
Size is NOT a protection – 35% of the smaller law firms from 10-49 lawyers experienced attacks, as well as 33% of firms with 50-99 lawyers. This number does not, and cannot, include firms that may have experienced attacks or compromises that went undetected – or that were not detected at the time of the survey. So, there’s no such thing as too small to be a target for attackers.
And law firms can often be considered a target of opportunity. They’re generally not known as the most technically savvy entities – a recent incident response engagement disclosed the fact that our engineer needed a code for the copier, but the computers were unlocked with no password protection in place. Name recognition and their areas of specialty are crucial to their business – but this increased visibility makes it easier for potential attackers to develop malicious campaigns.
So what are the top threats, and how can law firms protect against them?
Threat: Phishing/malicious emails. Law offices are busy, bustling places – and often the matters that they are involved in are public knowledge. It’s quick and easy to send an email with an “updated” document – complete with electronic signature, an electric file transfer, or other method to capture information and credentials.
Protection: Speed is the goal of any law office – but it is also your enemy here. Create a culture where speed is important, but where it is also valid for your staff to say – wait. This is unusual, and I think we need to make sure this is valid before we proceed. Validate via phone, out of band email, or other mechanism. Employee education is also key here, and will allow your staff to dismiss the more obvious phishing emails and other areas of attack.
Threat: Compromised credentials – particularly web based email systems. An overwhelming majority of our recent incident response work as included a compromised email address or other account. These compromised credentials allow attackers access to your systems that a “drive by” attacker would not be able to accomplish.
Protection: Again, user education is key. Password reuse – particularly passwords that were obtained in various breaches – should be prohibited…and teach the WHY, not just the rule. Educate your staff on password complexity – Fall2019! will pass most complexity “checks”, and is low hanging fruit for attackers. Consider the use of a reputable password manager to allow complex, unique passwords. Enable multi-factor authentication wherever and whenever possible. The few extra seconds to confirm may protect any or all of your sensitive data.
Threat: Ransomware. This attack can come in via a phishing email, but can come in via physical avenues – an “updated” USB from a regular contact, etc. Once ransomware is in the environment, any or all of the firm’s data can be affected.
Protection: Paying the attacker may work, it may not – do not depend on this for your protection or remediation plan. The key protection here is twofold – the first avenue is backups. Perform regular backs of critical data, test them often, and store them in such a way that an attack on the network could not compromise or encrypt the backup files. And again – user education is key. Unexpected attachments or files should be considered suspect, and verified before accessing any of these items. Anti-virus programs can be of limited use here – but any protection is greater than zero. Deploy a quality anti-virus product, and ensure that it is updated regularly.
Threat: Data breach. This threat is the culmination of all of the previously listed threats. The attacker may use any or all of these mechanisms, in an attempt to liberate sensitive data that is in the hands of the firm.
Protection: Implement the protections discussed above. In addition, evaluate the physical security of the firm, as well as the footprint available to attackers. Is the office open when key front office staff is called away – or is out of the office during lunch, etc? Are computers password protected? Does the firm have a clean screen/clean desk policy – mandating that screens are locked, and confidential materials are stored securely when staff is away from their desk? Encrypt all laptops, mobile devices, and other equipment.
The biggest threat of all is…human nature. We’re all too busy to take these protections, right? And the password of your favorite sports team with your year of birth attached is complex enough, you’re sure. Multi-factor authentication adds a few extra seconds to your transaction! Insider threats fall into this area as well – are VPN, wireless, and other critical passwords changed after each employee departure…voluntary or not? Account access should be terminated, and account creation or elevation should be audited on a regular basis.
Make security a priority, make it part of your firm’s corporate culture…and it will become second nature. Your staff will become acclimated to operating in a secure fashion, and it will be more difficult for an attacker to get a foothold into your environment.
Questions, comments? What threats are you seeing to your firm and staff? I’d love to hear your thoughts – reach out. I’m on Twitter @TheTokenFemale, or lwallace@microsolved.com
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.