Detect and Respond: Steering Your Firm Through Cyberthreats
“Cybersecurity: This Way There Be Dragons!” was the title of the 2018 College of Law Practice Management Futures Conference, held in Boston last week. This reference to the medieval practice of drawing mythical beasts on uncharted areas of a map couldn’t be more appropriate. Over and over, speakers described cybersecurity as a moving target owing to the constantly evolving nature of cyberthreats. The first panel aptly quoted computer security expert Bruce Schneier:
“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”
“Detect and respond” was a major theme throughout the two-day conference. Gone are the days of the individual hacker. Hacking networks now span far and wide. These hacking rings are often sophisticated and well funded.
And hacking attempts are increasing. Nearly 1 in every 100 emails is reportedly a hacking attempt, and 90 percent of those attempts involve social engineering (impersonation with the goal of stealing data or installing malware later). So, it should come as no surprise that when asked, nearly every audience member indicated they had knowledge of a law firm or organizational cyberbreach. In fact, we have data to support this: In results from the 2017 ABA Legal Tech Report, 22 percent of responding law firms had suffered a breach. More than ever, it is imperative that attorneys and law firms remain vigilant.
Here are my conference takeaways aimed at helping to detect, respond and mitigate cyberthreats.
1. Law Firms Are Not Immune to Cyberbreaches
All the data suggest that law firms are, in fact, targeted due to the potentially vast amounts of sensitive data in their care. Major law firms such as DLA Piper, Cravath, and Weil Gotshal have suffered breaches that put their practices in the spotlight.
Of note, speakers mentioned a trendy law firm scam involving gift cards. The hacker either spoofs or gains access to a law firm partner’s email address. The “partner” then emails a staff member with directions to buy hundreds of dollars’ worth of gift cards. The “partner” then instructs the staff member to transmit the serial number on the gift cards via email. The hacker can then sell these serial numbers for virtual currency or cash. Because this is a cash transaction, it is not recorded and is difficult to track, report and stop.
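As an added illustration (not from the article), here is the kind of defender-side check a firm's mail gateway could apply to the gift-card scam just described: it flags a From display name that matches a partner while the address is outside the firm's domain, and gift-card, serial-number and urgency wording that can also catch mail sent from a compromised real account. The firm domain, partner roster and sample messages are constructed assumptions.

```python
# Added example, not from the article: a gateway-style check for the
# "partner asks staff to buy gift cards" scam described above. It scores the
# signals the scam relies on: a From display name that matches a firm partner
# while the address is outside the firm's domain (spoofing), plus gift-card,
# serial-number and urgency wording. Domains, names and messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.test"            # assumed firm domain
PARTNERS = {"jane partner", "john senior"}   # assumed partner roster, lowercased
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b", re.I)
SERIAL_RE = re.compile(r"\b(serial|claim|redemption)\s*(number|code)s?\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|right away|in a meeting)\b", re.I)

def analyze(raw_message: str) -> dict:
    """Extract the scam signals from one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "partner_name": display.strip().lower() in PARTNERS,
        "external_sender": domain != FIRM_DOMAIN,
        "gift_cards": bool(GIFT_CARD_RE.search(body)),
        "serials": bool(SERIAL_RE.search(body)),
        "urgency": bool(URGENCY_RE.search(body)),
    }

def risk_score(signals: dict) -> int:
    # Impersonation of a known partner from outside the firm weighs most.
    score = 3 if signals["partner_name"] and signals["external_sender"] else 0
    # Wording alone can still hold mail sent from a compromised (real) account.
    score += signals["gift_cards"] + signals["serials"] + signals["urgency"]
    return score

def should_hold(raw_message: str, threshold: int = 3) -> bool:
    # True when the message should be quarantined for human review.
    return risk_score(analyze(raw_message)) >= threshold

# Constructed sample: a partner's name on an outside address, asking for cards.
SPOOFED = """From: Jane Partner <jane.partner@webmail.example>
To: staff@examplefirm.test
Subject: Quick favor

I'm in a meeting all day. Please buy $500 of gift cards for clients and
email me the serial numbers ASAP.
"""
```

A held message should go to a human who confirms the request with the partner by phone or in person, not by replying to the email.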
2. Essential Precautions
What can your law firm do?
First, if you haven’t already, ensure that you are using strong unique passwords. Rather than affixing them to the side of your computer with sticky notes, store them in a password manager such as 1Password or LastPass.
Second, update your systems on a regular basis and ensure that you take additional steps if necessary. For example, this Windows article references a subsequent configuration change recommended beyond the regular Windows update.
Third, two-factor authentication should be used whenever and wherever possible. Google has its own authentication app, Google Authenticator, but you can also use apps such as Authy, which aggregates two-factor codes for multiple applications. As noted by speakers, two-factor authentication, particularly when it relies on text messaging, is not 100 percent impenetrable. Expect to see advancement in methods that don’t involve passwords, similar to Apple Face ID and fingerprint recognition, which will help lower barriers to using secure methods.
3. Build a Culture of Security
Over and over, speakers pointed out the “human problem.” In any organization, including law firms, the greatest security threat is the people. Firms must work to “build a culture of security” to decrease cybersecurity risks in these ways:
Teach people how their actions apply and impact everyone else in the firm.
Conduct regular awareness training and make it fun. (For example, use gamification when conducting phishing tests by giving a prize to the first employees to identify the phishing email.)
Use real-life examples in training. During the course of it, empower employees to come forward without shame, and to learn from mistakes.
Reward good behavior and adherence to security protocols.
Do not exempt leaders from participating in training. Rather, encourage leaders to model good behavior.
4. Resources for Your Firm
Guest speaker FBI Special Agent Timothy Russell echoed other speakers in saying the best you can hope for in the current landscape is to “detect and mitigate.” Russell encouraged attendees to work with the FBI to help law firms into a better defensive posture and suggested that it would not necessarily result in an investigation. To provide awareness, Russell encouraged using the government’s website, IC3, to report scams. Later in the day, John Simek, Vice President of Sensei Enterprises, suggested joining the FBI’s public-private partnership program, InfraGard, to receive information regarding known cyberthreats.
If you need advice on how to conduct employee awareness training, the American Bar Association has an on-point CLE, here. This topic was also addressed by Sharon Nelson, President of Sensei Enterprises, and Jody Westby, CEO of Global Cyber Risk, at ABA TECHSHOW 2018.
Finally, to end on a more worrisome note, speakers mentioned this site, Shodan.io, known as “Google for hackers.” It provides information about internet-connected devices, including IP addresses, location details and more. When I briefly investigated the site, I discovered a top-voted search on “default passwords” resulting in IP addresses and router configurations, as well as default passwords, location and more.
As emphasized throughout the conference, law firms must think about how to detect threats and respond to them. This will necessitate investment in cyberattack prevention, detection, mitigation and response. At a minimum, firms should have policies and processes in place addressing cybersecurity, training and awareness programs for employees, and disaster response and recovery plans. The time is now — don’t wait until it’s too late!