Who is hacking into law firms?
Are you at risk?
How do security breaches happen?
How to protect your data
The downside of smartphones
Planning for a breach
At the law offices of Florrick, Agos & Lockhart, partner Diane Lockhart opens an email from a colleague and clicks on a link. As soon as she does, all the computers in the office go dark and a message pops up on Diane’s screen: she has 72 hours to pay $50,000 or all of the files on the company’s network will be deleted. The partners have no choice. If they report the ransomware to the police, they risk losing their clients and suffering irreparable damage to their reputation. They have to pay up.
The law offices of Florrick, Agos & Lockhart are fictional and the scenario was a recent episode of the TV show The Good Wife. But the threat of ransomware is not fictional (although the ransom requested is usually less than $1,000). In a recent survey of security professionals, ransomware ranked as their number one concern. And according to John Simek, Vice-President of Sensei Enterprises, Inc., an information technology, digital forensics, and information security firm located in Fairfax, VA, the concern is warranted.
“The threat of ransomware is huge,” says Simek. “Cryptolocker has infected many law firms. It encrypts the data on your machine and any other data that might reside on something that presents itself as a drive, making it inaccessible to you. A note pops up asking for a ransom in exchange for access. Usually a clock ticks down for you to pay the ransom. When you pay, you get the encryption key.” Usually. There are no guarantees.
Ransomware was just one of the several cyber threats facing law firms discussed in the recent Law Office Manager webinar, “How to Protect Your Law Practice against Costly & Destructive Cyber Attack” presented by Simek and lawyer Sharon Nelson, President of Sensei Enterprises, Inc.
Nelson, who serves on many legal technology and digital forensic committees including the ABA Cybersecurity Legal Task Force and the ABA Standing Committee on Technology and Information Services, recently co-authored with Simek and litigator Dave Ries, “Locked Down: Information Security for Lawyers.”
According to Nelson, spear phishing, a targeted form of attack, is the most successful way of attacking a law firm. The attacker does a little research, perhaps spoofs the email address of a partner, which would take five minutes, and sends a message to an associate saying something plausible using the associate’s name, such as “Jane, please look at this pleading for me.” Associate Jane thinks the request came from the partner, opens the attachment, and malware is downloaded.
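The spoofed-partner message is easier to catch if the receiving mail server's own verdict on the sender is read before the attachment is opened. The script below is an added example, not code from the webinar or from Sensei Enterprises: it parses a message and flags a From address outside the firm, a Reply-To that routes answers elsewhere, SPF/DKIM/DMARC failures recorded in the Authentication-Results header, and macro-enabled or executable attachments. The firm domain example-firm.test, the two messages and the risky-extension list are constructed for illustration; the header names are the standard ones (RFC 5322 From/Reply-To, RFC 8601 Authentication-Results).

```python
"""Check a received message for the signs of a spoofed-partner email.

Added example, not code from the webinar or Sensei Enterprises. The firm
domain, the two sample messages and the risky-extension list below are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-firm.test"          # assumption: the firm's own mail domain
RISKY_SUFFIXES = (".exe", ".js", ".scr", ".docm", ".xlsm", ".zip", ".html")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_findings(raw_message, firm_domain=FIRM_DOMAIN):
    """Return the reasons to distrust a message; an empty list means none found."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    if _domain(from_addr) != firm_domain:
        findings.append("From address is outside the firm's domain: " + from_addr)

    # A Reply-To pointing elsewhere means the attacker, not the partner,
    # receives the associate's answer even when From looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != firm_domain:
        findings.append("Reply-To routes answers outside the firm: " + reply_addr)

    # Authentication-Results is stamped by the firm's own receiving server and
    # records whether the sending server was allowed to use that From domain.
    # Only the copy written by your own server is trustworthy: an attacker can
    # add a fake one, so the gateway should strip any that arrive from outside.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if mech + "=fail" in auth or mech + "=softfail" in auth:
            findings.append(mech.upper() + " check failed for this message")

    # Macro-enabled Office files and executables are how the malware lands.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_SUFFIXES):
                findings.append("attachment of a risky type: " + name)
    return findings


# Constructed sample messages (names taken from the scenario above, domains invented).
LEGIT = """\
From: Diane Lockhart <diane.lockhart@example-firm.test>
To: Jane Associate <jane.associate@example-firm.test>
Subject: Motion draft
Authentication-Results: mail.example-firm.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Jane, the draft is in the document management system.
"""

SPOOFED = """\
From: Diane Lockhart <diane.lockhart@example-firm.test>
Reply-To: <diane.lockhart@examp1e-firm-mail.test>
To: Jane Associate <jane.associate@example-firm.test>
Subject: please look at this pleading
Authentication-Results: mail.example-firm.test; spf=fail; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Jane, please look at this pleading for me.
--b1
Content-Type: application/octet-stream; name="pleading.docm"
Content-Disposition: attachment; filename="pleading.docm"

(binary omitted)
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("spoofed", SPOOFED)):
        print(label, "->", sender_findings(raw) or ["nothing suspicious"])
```

The spoofed message passes the naive "is it from our domain?" test; what gives it away is the failed SPF/DMARC result, the external Reply-To and the macro-enabled attachment, which is why a gateway that enforces DMARC on the firm's own domain stops most of these before an associate ever sees them.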
Who is hacking into law firms?
According to the 2014 Verizon Data Breach Investigations Report, 60% of threats come from cybercriminals, who may be anywhere in the world; 25% is industrial espionage by state-sponsored hackers, from countries such as Russia, China, and the United States; and 8% is insider breaches.
“More than a year ago,” says Nelson, “I was on the ABA Cybersecurity Legal Task Force that was in the process of drafting a resolution to go before the ABA House of Delegates which would call for a prevention of intrusion into lawyers’ networks by foreign governments. Well, Edward Snowden’s revelations caused us to remove the word ‘foreign.’”
The NSA (National Security Agency) and the ethical implications of its surveillance of law firms would be a webinar presentation on its own, but at the time of Snowden’s revelations the NSA had information on how to infiltrate 70% of cellular network providers. Says Nelson, “They had compromised the email accounts of executives within the major cellular carriers to gather information and to weaken encryptions of cell phone carriers, giving them easy access—and therefore the casual cybercriminal has easy access, too.”
Are you at risk?
Yes. According to the FBI, hundreds of law firms have been breached. “It’s often the FBI who notifies the firm of the breach,” says Nelson. “But a firm has usually been breached for more than eight months before they hear about it.”
“The FBI is usually the source who notifies a firm of a breach,” says Nelson. “And once notified a firm then has to work with the FBI and digital forensic investigators. The FBI will ‘request’ law firms to take certain actions, and the cost to remediate and comply with data breach notification laws is expensive. And usually the average insurance policy a firm holds will not pay for any of this.”
You don’t have to be a large firm to be at risk either. Nelson tells of a two-lawyer firm in Alexandria, Virginia, which was attacked by the hacktivist group Anonymous. The group was upset about a client the firm had defended and so, in retaliation, they leaked the firm’s email. However, these emails contained sensitive details about other cases the firm was involved in, such as sexual assault charges and matters involving former Guantanamo Bay detainees. The leak was devastating for these clients. “Hacktivists don’t care about who they hurt,” says Nelson.
Another breach involved a married couple, two lawyers who worked at different firms. The husband suspected his wife was having an affair, so he got into her email account. It was pretty easy to do since her password was just her first initial and last name. But after going through his wife’s email, the husband learned that his suspicions were unfounded; she was not, in fact, cheating on him. So he moved on to accessing the partners’ emails. “The problem was,” says Nelson, “that his firm and the firm he was hacking were representing co-defendants with adverse interests in a case and now he had access to their strategy.” The lawyer was suspended for two years and later rehired by another firm.
How do security breaches happen?
Breaches most frequently occur when firms fail to apply security patches or other critical updates. “Most firms rely on outside IT support,” says Simek, “and people assume that their IT people are doing what they’re supposed to be doing. That’s an incorrect assumption. Get documentation. You need competent reports that these are being updated.”
Nelson blames another source of security breaches on an affliction common among lawyers: sophophobia, the fear of learning new things. “Many lawyers simply don’t like to learn new software, especially if what they have still works. For example, many firms still have computers that are running Office XP, but it’s no longer supported and there are no longer security updates for it.”
Nelson stresses that if the software is not supported, you cannot use it anymore. “I’d submit that it’s unethical for lawyers to be using a piece of software that they know is unsupported. You have to upgrade and get those security updates.”
Employees are also a source of security breaches. While reports of insider attacks are declining, law firms still need to be diligent. For example, in September 2014, an internal breach was reported involving a senior IT employee who was found to be accessing merger and acquisition files on which the firm was advising. This was the second charge of insider trading the firm experienced in four years; the first instance was by an associate.
“After the first data breach, they should have gone full on with information security,” says Nelson. “Had the firm used DLP (data loss prevention software), it might have picked up the touching of sensitive files in the second case.”
How to protect your data
You need to protect your data whether you’re storing it, sharing it, or sending it, which means you need to protect all data sources, including:
- Computers
- Smartphones
- Flash drives
- External hard drives
- Backup servers
- Voicemails
Protection #1: Encryption. Your best defense is encryption. Data needs to be encrypted both in transit and at rest. “Encryption is the strongest defense we have,” says Nelson. “It can’t be cracked by the NSA and presumably other state-sponsored groups or hackers. Develop a love for, instead of a fear of, encryption.”
“Redesign how you back-up your data,” says Simek. “Do not have it connected to your machine and do not designate a drive letter to it. Disconnect it from the machine and have it accessible only when you reconnect it. And make sure you’re encrypting your backups. It’s easy—as simple as checking a box, which prompts you for a passphrase or password for an encryption key.”
“There’s a law firm in Baltimore whose policy was to get their backup drive off-site every evening,” says Simek. “The office manager would take it home with her, via light rail. One day, the manager stepped off the train only to realize she’d left the drive on the seat beside her. She quickly turned around, ran back onto the train, but the back-up was gone. And it was not encrypted.”
Of course, there are many cloud services available for storing data, including Dropbox, MS OneDrive, Apple iCloud, Google Drive, and Box, for example.
“We have right now about 50% of lawyers using the cloud in some form and about 50% who say they don’t want to use the cloud because they’re concerned about losing control and the ethical implications,” says Nelson. “Now every state that has issued an opinion about cloud computing has said it is ethical to use it. If you take reasonable measures to ensure that data will be held securely, then you’re okay.”
“Let me use Dropbox as an example. So many attorneys just love Dropbox,” says Nelson. “As long as you encrypt the data before you send it to Dropbox, you control the master decryption key, so it’s fine to send stuff that way. But it’s not enough to just send it to Dropbox, because even though Dropbox says it holds the data encrypted—which it does—it also holds a master decryption key. So you cannot do that ethically, in my judgment.”
The same advice applies if you outsource your backup: make sure you have the ability to define the backup encryption key.
(Note: If you want to learn more about encryption, John Simek and Dave Ries’s book, “Encryption Made Simple for Lawyers” will be released in March 2015. They’ll also be presenting an ALI CLE and ABA TECHSHOW session on the subject.)
Protection #2: A strong password. Do you know what the number one password is in America? Bella. (In the UK, it’s Charlie.) Yes, people are still using their pet’s name for a password and it’s easy for the bad guys to figure out. They’ve also indexed all the words in the dictionary, so it won’t take a hacker any time at all to break a password that consists of one word.
“Until very recently, the recommended length of a password was 12 characters,” says Nelson. “But as they chain these super-computers together, they’ve improved their ability to crack passwords and now the recommended length is 14 characters.” Her advice? “Create a strong password. You want to make your house look harder to break into so the bad guys will go next door.”
Here’s what Nelson and Simek recommend your password contain:
- Letters, in both upper and lower case
- Numbers
- A special character
“One easy way to do this is to use some sort of a passphrase that you’ll remember,” says Nelson, “especially for sites that you go to frequently. Something like ‘IlovetheUSA2014!’ would work.”
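The rules above (at least 14 characters, upper and lower case, a digit, a special character, and no single dictionary word) can be checked mechanically, and it is worth seeing why a pet's name with a year stuck on the end still fails. The script below is an added example, not code from the webinar: it scores a candidate against those rules, strips the digits and symbols people bolt onto a word before looking it up, and estimates how long exhausting the keyspace would take. The guess rate of ten billion per second and the tiny word list are constructed stand-ins, and the time figure is only an upper bound: real crackers try dictionary words and common patterns long before they exhaust the keyspace, which is why the dictionary rule matters more than the length.

```python
"""Score a password against the webinar's rules and bound the brute-force cost.

Added example, not code from the webinar. MIN_LENGTH is the figure Nelson
cites; the guess rate and COMMON_WORDS are constructed stand-ins.
"""
import string

MIN_LENGTH = 14                                   # length Nelson recommends
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
COMMON_WORDS = {"bella", "charlie", "password", "letmein", "iloveyou", "lawyer", "justice"}


def keyspace(pw):
    """Number of candidates an attacker must try, given the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)            # 32 printable symbols
    return size ** len(pw)


def check_password(pw, guesses_per_second=1e10):
    """Return (problems, years_to_exhaust_keyspace) for a candidate password."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters; recommended minimum is {MIN_LENGTH}")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Strip the digits and symbols people append to a word; if what is left is
    # a dictionary word, the decoration buys almost nothing against a cracker.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("dictionary word once decoration is removed: " + core)
    years = keyspace(pw) / guesses_per_second / SECONDS_PER_YEAR
    return problems, years


if __name__ == "__main__":
    for candidate in ("Bella", "Bella2014!", "IlovetheUSA2014!"):
        problems, years = check_password(candidate)
        print(f"{candidate!r}: {years:.3g} years to exhaust; {problems or 'no rule violated'}")
```

"Bella" fails four rules and its whole keyspace can be searched in a fraction of a second; "Bella2014!" satisfies every character-class rule yet still fails on length and on being a decorated dictionary word; "IlovetheUSA2014!" passes all of the webinar's rules.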
Protection #3: Security software. “Make sure you have some sort of security software,” says Simek. “There used to be all these different tools that you needed for anti-virus, anti-spyware, etc., but now you want to use Internet suites.”
Nelson adds, “While you should try to keep the barbarians outside the gate, a determined hacker will get in. So you want a system that will detect when somebody’s inside.” Data loss prevention software (DLP) watches the anomalies, says Nelson. “It sees who touches what and whether sensitive files are accessed by someone who’s not authorized to access it. It also sees whether a large number of files are being accessed.”
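The two things Nelson wants the system to notice, an unauthorized person touching sensitive files and one account touching a large number of files, can be expressed as rules over a file-access log; the second rule also fires on the burst of writes a Cryptolocker-style infection produces on a file share. The script below is an added example, not code from the webinar or any DLP product: it runs both rules over a constructed log. The log format, the accounts, the matter folders, the deal-team list and the thresholds are all invented for illustration.

```python
"""Two DLP-style rules over a file-access log: who touches what, and how much.

Added example, not code from the webinar or any DLP product. The log format,
accounts, matter folders, deal team and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: each sensitive matter folder has an explicit deal team; anyone
# else reading or copying from it is unauthorized, whatever their job title.
SENSITIVE_MATTERS = {
    "/matters/acme-merger/": {"diane.lockhart", "cary.agos"},
}
BULK_WINDOW = timedelta(seconds=60)   # look-back window for the volume rule
BULK_THRESHOLD = 5                    # distinct files per window that counts as "a large number"

# Constructed sample log: ISO timestamp, account, action, path
SAMPLE_LOG = """\
2014-09-10T09:02:11 jane.associate read /matters/smith-v-jones/complaint.docx
2014-09-10T09:05:40 diane.lockhart read /matters/acme-merger/term-sheet.docx
2014-09-10T11:14:02 it.admin read /matters/acme-merger/term-sheet.docx
2014-09-10T11:14:09 it.admin read /matters/acme-merger/board-minutes.pdf
2014-09-10T11:15:30 it.admin copy /matters/acme-merger/valuation.xlsx
2014-09-10T13:00:01 jane.associate write /matters/smith-v-jones/complaint.docx
2014-09-10T16:40:00 jane.associate write /matters/smith-v-jones/complaint.docx
2014-09-10T16:40:03 jane.associate write /matters/smith-v-jones/exhibit-a.pdf
2014-09-10T16:40:05 jane.associate write /matters/smith-v-jones/exhibit-b.pdf
2014-09-10T16:40:08 jane.associate write /matters/smith-v-jones/notes.docx
2014-09-10T16:40:12 jane.associate write /matters/smith-v-jones/brief.docx
2014-09-10T16:40:15 jane.associate write /matters/smith-v-jones/timeline.xlsx
2014-09-10T16:40:19 jane.associate write /matters/brown-estate/will.docx
"""


def parse_log(text):
    """Turn log lines into sorted (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    events.sort()
    return events


def detect(events):
    """Return a list of (rule, user, detail) alerts."""
    alerts = []
    recent = defaultdict(list)        # user -> [(ts, path)] inside the window
    bulk_flagged = set()
    for ts, user, action, path in events:
        # Rule 1: sensitive matter touched by someone who is not on its team.
        for prefix, team in SENSITIVE_MATTERS.items():
            if path.startswith(prefix) and user not in team:
                alerts.append(("unauthorized-sensitive", user, f"{action} {path}"))
        # Rule 2: many distinct files by one account in a short window.
        window = recent[user]
        window.append((ts, path))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.pop(0)
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_flagged:
            bulk_flagged.add(user)          # one alert per account, not per file
            alerts.append(("bulk-access", user,
                           f"{len(distinct)} files in {BULK_WINDOW.seconds}s ending {ts.isoformat()}"))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:24} {user:16} {detail}")
```

On the sample log the first rule fires three times for it.admin, the pattern of the insider case described above, and the second fires once for jane.associate when her fifth distinct file is written within a minute, the pattern of a workstation encrypting everything it can reach. The thresholds are the tuning knobs: set the window and count from what a normal day on your own file server looks like, or the rule will page on every legitimate bulk export.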
The downside of smartphones
“BYOD is a big thing right now,” says Simek. “It stands for ‘bring your own device’; I call it ‘bring your own disaster.’ Unless you’re actually controlling the security settings of your employee’s device, you can’t monitor security issues. They may have malware on their device; they hook to your network and now you have malware on your network.”
Simek and Nelson recommend that the firm purchase the device and issue it to the employee; the firm then controls it fully, including the ability to wipe it remotely.
And remember that anything that synchronizes with your smartphone is a threat. “We use smartphones because we want that data with us,” says Simek. “We want contacts. We want calendars. We want email access. We want to get to attachments. We want all that jazz. But you have to make sure that you’re protecting that information because it could be—and probably is—confidential data. Anything that can connect to your network and take information off it is potentially putting your data at risk.”
Planning for a breach
“It’s best to plan for a crisis,” says Nelson, “and that starts with familiarizing yourself with your state’s data breach laws. There are 46 data breach laws across the United States. In general, if you’ve got a breach, you have to report it. But the state laws vary widely in what they say you should do.”
Create an incident response team of lawyers, paralegals, and support staff. Look for anyone in your office who knows a different piece of your data pie. This is the team that will help you create and implement your incident response plan, which should include these steps:
- Call law enforcement.
- Call a data breach lawyer.
- Call a digital forensic company to investigate and remediate.
- Call your insurance company.
- Call a PR firm (if warranted).
- Go through all the duties called for in your state’s data breach notification laws.
You’ll need to identify what data and clients have been breached. You might be advised to watch the hack so that you can identify the hacker, see what’s been compromised, and what other means of access to your network they might have.
Based on your findings, you might need to notify or investigate third parties who may hold your data or have access to your network.
“These plans never even survive first contact with the enemy,” says Nelson, “but having a plan at all puts you ahead of other lawyers.”
It’s also a good idea to know now whether or not you’re insured. Generally, if your computers are stolen, your insurance will cover the costs to replace them. But it’s not the same if your data is stolen. Contact your insurer and verify that in the event of a breach you’re covered. The application may be about 25 pages long and the rider alone can be very expensive, but consider what it will cost the firm if your files are hacked and you need to comply with your state’s data breach notification laws.
Conclusion
“No matter what your communications are, they are potentially available for capture,” says Nelson. “And you need to take steps to protect that.”
This article touches on just some of the many great tips and strategies that Sharon Nelson and John Simek addressed in their webinar. Watch the presentation.
Related reading:
- Should you outsource your IT department?
- Here’s what you missed at the ILTA 2014 Conference
- 8 pitfalls of letting law firm employees work from home