By Jordan McQuown, CIO
Law firms today face more cyber security threats than ever before and the threat landscape is evolving rapidly. If you don’t understand where you are at risk and what to do about it, it’s nearly impossible to defend your clients’ data and your firm’s reputation. I want to help you understand where you are at risk right now by sharing my list of top 10 cyber security threats.
As the CIO of LOGICFORCE, I see law firms being subjected to a wide variety of cyber threats. Any one of these threats might cause irreparable damage to your law firm. Yet each one of these can also be addressed effectively with the right technologies and right approach. Here are my top 10 cyber security threats for law firms and what you can do about them.
TODAY’S TOP 10 CYBER SECURITY THREATS
In no particular order, here are today’s top 10 threats:
- Lack of Pervasive Security Mindset
- Security Issues With Third Party Providers And Cloud Systems
- Ransomware
- Rogue Employees
- Hacktivists
- Nation-State Espionage
- Accidental Exposure By Well-Intentioned Employees
- Technology Obsolescence
- Password Management Being Weak Or Non-Existent
- Reduced Security Standards For Remote Workers
Let’s examine each of these in more detail.
LACK OF PERVASIVE SECURITY MINDSET
The number one cause of law firm cyber security breaches is not technical, but mental—a lack of a deeply ingrained security-oriented presence of mind. As The ABA Cybersecurity Handbook makes clear, lawyers and law firm management frequently do not prize cyber security or keep it top of mind. If you are not aware of the very real and rapidly evolving threat landscape, it is unlikely you’ll institute proper security protocols and technologies.
It’s essential, then, to create, cultivate, and regularly reinforce a pervasive firm-wide security-oriented presence of mind. Firms that do not do so are automatically putting themselves and their clients at risk. The right approach here is to make ongoing security a part of everyone’s job, along the lines of manufacturing firms whose pervasive safety emphasis substantially decreases accidents. One great way to get started is by sharing this article with colleagues.
SECURITY ISSUES WITH THIRD PARTY PROVIDERS AND CLOUD SYSTEMS
Many security issues that a law firm encounters today do not stem from their network or the behavior of their people. You have a high degree of control over those two. You often have far less control over, and far less visibility into, the people and networks of third-party providers. This is where you can unwittingly put your law firm at risk. What’s more, the risk might be much larger than you realize.
For example, you might be outsourcing eDiscovery services to a third-party firm. Even if you have a perfect security record, your firm is still on the hook if your third-party providers get hacked. This is just one area. Many mid-size law firms choose to outsource eDiscovery, IT services, digital forensics, high-volume printing and other services. If you are not absolutely sure how your client data is being managed by these providers, especially if you share files via the cloud, you could have a ticking time bomb in your organization.
Speaking of the cloud, insecure cloud sharing systems, such as Dropbox, are a very real cyber security concern. U.S. Magistrate Judge Pamela Meade Sargent made a very clear ruling in February 2017. She held that when a senior investigator for an insurance company uploaded video surveillance footage of a fire loss scene onto an internet-based electronic file-sharing website operated by Box, Inc., with insufficient password protection, this waived the insurance company’s privilege.
“In essence,” Sargent wrote, “Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act … more contrary to protecting the confidentiality of information than to post that information to the world wide web.” An easy fix here is to unfailingly make use of more robust and security-oriented cloud transfer systems.
RANSOMWARE
Ransomware is malicious software either loaded directly onto a computer or network or introduced when someone clicks on an attachment. Designed to hold an individual or firm hostage until a ransom is paid, ransomware has evolved considerably since its late 1990s debut. Back then, after a computer had been infected, data would be encrypted and rendered inaccessible—potentially forever—until a ransom was paid.
More recently—after law firms learned to make real-time backups of their data—perpetrators have threatened to release sensitive firm data on the web for all to see. Even worse, cyber pirates offer potential collaborators turnkey systems for infecting computers, with the promise of a percentage payout of the amount extorted. Someone who has a trusted relationship with members of your firm, or who otherwise has access to your computing environment, can introduce ransomware without having to write a single line of code on their own.
ROGUE EMPLOYEES
The “Panama Papers” refers to a leak of over ten million files from the database of Mossack Fonseca, a large offshore law firm. Usually, rogue employees are dissatisfied and on the verge of leaving a firm. With this exit mindset in place, they want a last shot at revenge or achieving some form of economic advantage, perhaps by stealing customer lists or intellectual property.
Rogue employees who are not technically sophisticated can do significant damage and those who are computer savvy can truly wreak havoc. It may be nearly impossible to tell which employees might turn rogue, but there are often warning signs, especially when a disaffected employee is set to shortly leave. Either way, watching disaffected employees carefully and limiting their access to confidential files can reduce your risk.
HACKTIVISTS
Hacktivists are computer hackers who aim to promote a social or political cause, often by punishing those who assist individuals or causes they are opposed to, such as defense attorneys. Firms not in the news are usually not targets. But once hacktivists find something they disagree with, they may rapidly target a law firm or particular attorneys both on a business and personal level. We’ve seen this several times now.
It’s much easier to defend against that which you can anticipate, as opposed to being caught completely off-guard. So, if your firm is involved in controversial public cases, I recommend that you proactively analyze activist groups who would have something to gain by hacking you. You want to understand their likely capabilities—so you can have a strategy in place ahead of time. Otherwise, you may find yourself in a hacktivist’s crosshairs and not even know it.
NATION-STATE ESPIONAGE
Recently, a Russian hacker was detained for possessing confidential data—which he intended to leverage for financial gain—from 50 or so of the Am Law top 100 firms. Nation-state espionage, which has become much more prevalent and notorious in recent years, is usually targeted at M&A-related information or the stealing of valuable Intellectual Property (IP).
These nation-state or offshore hackers marry technical sophistication with an overweening desire to find out just what data your law firm possesses on behalf of its clients. They already have motive and means, so to deny them the opportunity to do great damage, they must occupy a prominent place in your recognized threat landscape.
ACCIDENTAL EXPOSURE BY WELL-INTENTIONED EMPLOYEES
Instead of being external and intentional, some of your biggest security threats may be internal and unintentional. Here are several examples that I see on a regular basis:
- Employees use the same password to manage multiple personal and business accounts.
- Staff click on unknown email attachments.
- An associate prints out an important document and leaves it on a coffee shop table.
- A partner logs onto insecure Wi-Fi at the airport or hotel.
I provide some further explanations and guidance about how to address these security holes in the sections that follow. But the point I want to make here is simply this. Each of these examples is an unintentional security gap where team members are simply trying to do their job. They are not trying to be insecure.
The solution is proper training, good technology and developing a pervasive security mindset. It’s also wise to have protocols in place to address the consequences of such breaches. These protocols can greatly minimize any potential damage to your firm or clients.
TECHNOLOGY OBSOLESCENCE
One major reason why computer systems and networks become insecure is because the technology itself has become outdated. If your technology falls behind—if you don’t keep up with the technology component of the cyber security landscape—you immediately put your clients and firm at risk. Computers that are too old and should have been decommissioned long ago are frequently left in service, and it can become difficult or even impossible to properly secure them.
This holds for desktops, laptops, handhelds, firm-wide servers and the machines running the security firewalls at the edge of your network. Cyber security is all about layers of technology optimized to work with each other to defend your data. If you are not keeping your technology ecosystem up-to-date, then you are making whatever security protocols are in place work twice as hard as they need to. Also, newer machines have built-in security systems that are inherently safer and easier to work with than older machines.
It’s also important to use proper decommissioning protocols when replacing aged systems. You don’t want to make it easy for people to get access to data that should have been wiped from systems you discarded.
PASSWORD MANAGEMENT BEING WEAK OR NON-EXISTENT
Password management is a relatively easy security hole to plug. Yet, I see many law firms who pay little attention to this area. To avoid damage from weak or non-existent password management systems, I recommend two approaches.
First, ensure that every employee is trained in the basics. This includes regularly changing passwords (most people use the same one or two passwords nearly everywhere), not leaving passwords around where people can find them, not leaving accessible computers unattended and not sending passwords home or elsewhere by unprotected email.
Second, use more robust password protocols and systems which require longer and more complex passwords. For instance, it takes hackers just one week to break an 8-character password these days. Even better, use two-factor authentication protocols. There are effective tools and systems that can help you manage passwords more securely, but if you aren’t aware that you need them and aren’t actively looking for them, you won’t find and deploy them. If you would like to know which tools I recommend, please email me to discuss your options.
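As an added illustration of the guidance above (not code from the article or from LOGICFORCE), the following Python checks a candidate password against a length and character-class policy and a constructed common-password list, and estimates how long an offline attacker would need to exhaust its keyspace. The guess rate of 10^10 per second, the thresholds and the blocklist are all assumptions chosen for illustration; under that assumed rate an 8-character mixed password falls in about a week, while a long passphrase does not.

```python
"""Password policy check and brute-force cost estimate (added example).
The thresholds, blocklist and guess rate below are illustrative assumptions."""
import string
from typing import List

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "lawfirm2017"}

# Assumed offline attacker throughput (GPU rig against a fast hash); not a measurement.
GUESSES_PER_SECOND = 1e10


def character_classes(pw: str) -> List[int]:
    """Sizes of the character classes present in pw, i.e. the attacker's alphabet."""
    classes = []
    if any(c in string.ascii_lowercase for c in pw):
        classes.append(26)
    if any(c in string.ascii_uppercase for c in pw):
        classes.append(26)
    if any(c in string.digits for c in pw):
        classes.append(10)
    if any(c in string.punctuation for c in pw):
        classes.append(len(string.punctuation))  # 32 symbols
    if " " in pw:
        classes.append(1)  # spaces, typical of passphrases
    return classes


def brute_force_days(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every string of pw's length over pw's alphabet."""
    alphabet = sum(character_classes(pw))
    return alphabet ** len(pw) / rate / 86400


def check_policy(pw: str, min_length: int = 14, min_classes: int = 3,
                 passphrase_length: int = 20) -> List[str]:
    """Return policy violations; an empty list means the password passes.
    Long passphrases are exempt from the character-class rule."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(pw) < passphrase_length and len(character_classes(pw)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4d!", "password", "correct horse battery staple"):
        print(f"{candidate!r}: {brute_force_days(candidate):.3g} days to exhaust;"
              f" violations: {check_policy(candidate) or 'none'}")
```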
REDUCED SECURITY STANDARDS FOR REMOTE WORKERS
Law firm IT departments often receive complaints that existing security protocols make it too difficult or cumbersome to work remotely. This can happen when an attorney takes a laptop home, dials into the office via a VPN, fires up an application on the internal network and then tries to work on files as if they were in the office. This will almost certainly be quite slow. It’s even worse if the attorney is trying to do this via Wi-Fi at a coffee shop.
All too often, such complaints result in turning off, relaxing permissions, or otherwise rendering security controls ineffective. Doing so leaves security gaps a mile wide, and is never worth the risk, regardless of how much easier it makes things. Fortunately, once you become aware of this threat, you can put in place secure remote and mobile platforms that are fast, easy to work with and quite safe.
All of the cyber security threats outlined here are completely manageable if you have at your disposal the right technology, the right approach, and the right training for your attorneys and other staff. To help you become a much more secure law firm, I’d like to recommend that you download our free eBook called Ten Strategies To Add Ten Million Dollars To Your Law Firm. The eBook contains a chapter dedicated solely to security, and several other chapters address security concerns. If you liked the ideas in this article, you’ll love the eBook.