Law firms are big targets for cybercriminals. The sheer volume of sensitive and confidential data held on law firm computers and servers makes them an enticing target.
The consequences of a serious data breach extend far beyond embarrassment: lose a client’s data to an attack, and you could be facing serious legal and ethical violations as well.
It pays, therefore, to be very aware of the risks that are out there and the tactics that cybercriminals are using to get at law firm data. Cyber security threats are real and widespread, but can often be overcome by taking a few simple preventative steps.
Despite the wide range of specific attacks that a law firm might experience, the major cybercriminal acts against law firms can be broken down into just a few buckets.
The simplest threat to client information typically comes from “phishing scams”: attempts, usually via email, to deceive staff into handing over information.
Phishing tactics range from simple email blasts sent to everyone in a firm, purporting to be from the IT or HR department and asking for information such as passwords, through to highly targeted “spear phishing” attacks that use detailed information to pose as a specific real person within the firm.
Phishing attacks can often be tricky to identify, especially if the attacker has taken steps to mimic the usual appearance of internal emails. As with many cyber security issues, the human element is the weakest point. Be very skeptical of emails that ask for confidential information, especially passwords.
Example: 2011 attempted spear phishing attack on Gipson Hoffman & Pancione
“[In 2011, the firm] was representing CYBERsitter, a leading provider of blocking and filtering software programs, in a $2.2 billion lawsuit against Chinese computer firms and software makers and the Chinese government. Eleven email messages, known as spear-phishing (or Trojan) attacks, were sent to individuals at the firm. These emails appeared to be coming from other individuals within the firm, and each contained a link or attachment that, once selected, would download malware. The emails were sent days after the law firm filed the CYBERsitter lawsuit. The Gipson Hoffman & Pancione law firm claimed that the Trojan emails were linked to Chinese servers. Because technology-savvy attorneys recognized the emails as potentially compromising, the malware was not released.” (From the ABA)
Harmful software, also called malware, comes in many forms. One of the most common is the “Trojan horse”: a malicious program disguised as something legitimate (an attachment, an installer, a document) that, once run, can stay hidden and be difficult to remove with standard anti-virus tools.
The purpose of a Trojan horse varies, but usually its objective is either to harvest your contacts and endlessly spam them, or to steal information such as passwords that can later be used to get into your systems.
The most alarming form of malware is “ransomware”: software that encrypts your files, or otherwise locks you out of your own systems and data, and demands payment to restore access. Ransomware literally holds your data hostage in return for ransom money.
The good news is that most malware still needs a foothold that you give it: an attachment opened, a link clicked, a program installed, a device plugged in. That means a few simple protective measures go a long way:
- Avoid using thumb drives or other unknown peripherals: USB sticks can come preloaded with malware. Don’t connect them to your computer; if you must, make sure your anti-virus software is up to date first.
- Train staff to exercise caution when browsing the internet and, especially, when clicking links in emails from unknown sources. At a minimum, hover over links to check that the actual address matches what the link text claims.
- Install antivirus and anti-malware software and keep it up to date.
- Make sure you back up your most critical data. Use removable media, such as an external hard drive, and keep it disconnected from your computer and the network except while the backup is running, so that ransomware cannot reach the backup copy as well.
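As an added illustration of the “hover over the link” check (this is example code, not code from the original article), the following Python script pulls every link out of an HTML email body and flags links whose visible text shows one domain while the href actually points at another, as well as links that lead outside the firm’s own domain. The email body, the firm domain example-law.com and all hostnames are constructed for the example; the registrable-domain logic is a deliberate “last two labels” approximation with no public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email whose first link *looks* like the firm's
# portal but actually leads to a look-alike host under a different domain.
SAMPLE_EMAIL_HTML = """
<p>Dear colleague,</p>
<p>IT has reset your mailbox. Confirm your password at
<a href="http://portal.example-law.com.login-reset.example.net/verify">https://portal.example-law.com/</a>
within 24 hours, or see the <a href="https://portal.example-law.com/help">help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two DNS labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname if the link text is a URL or bare domain, otherwise None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def suspicious_links(html, trusted_domain):
    """Return (reason, visible_text, href) for links that do not go where they appear to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        real_dom = registrable_domain(real_host)
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != real_dom:
            # The text displays one domain, the destination is another.
            findings.append(("display-mismatch", text, href))
        elif real_dom != trusted_domain.lower():
            # Plain-text link leaving the firm's domain: worth a second look.
            findings.append(("external-domain", text, href))
    return findings


if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EMAIL_HTML, "example-law.com"):
        print(f"{reason}: text={text!r} -> href={href!r}")
```

Run as-is, the script flags only the first link: the visible text names portal.example-law.com while the destination is under example.net. The help-page link passes because it really does go to the firm’s domain. A production mail filter would add a public-suffix list and look-alike detection (for instance “examp1e-law.com”), but the core check, compare what is shown with where it goes, is exactly what hovering does by hand.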
Example: CryptoLocker attack
“The email from the bank looked innocent enough. It was from email@example.com, and Sarah Flanders, a 35-year-old charity worker from north London, didn’t think twice about opening it. But the email contained software that immediately began encrypting every file on her computer – from precious family photos to private correspondence and work documents. In just a short time all her files were blocked, and then a frightening message flashed up on her screen: ‘Your personal files have been encrypted and you have 95 hours to pay us $300.’” (From The Guardian)
Attempts by criminals to break directly into your computer systems are the third major area of cyber security risk.
At their simplest, hacking attacks involve guessing your password, or, more likely, using software to guess it. Because many people use highly guessable or formulaic passwords, such attacks are often very effective (here’s some advice for setting a password that can’t be easily hacked).
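To make concrete why formulaic passwords fall so quickly, here is an added example (not code from the original article or the linked advice) of the kind of guessing software the paragraph refers to: a toy rule-based cracker that takes a short dictionary, applies the usual mangling rules (capitalise, append two digits or a year, append a symbol) and compares each guess against a password hash. The wordlist, the rules and the two test passwords are constructed for the example, and unsalted SHA-256 stands in for whatever hash a real system stores.

```python
import hashlib

# Constructed toy wordlist and mangling rules. A real run uses wordlists of
# millions of entries and hundreds of rules, but the shape of the attack is the same.
WORDLIST = ["password", "summer", "welcome", "lawfirm", "monday", "justice"]
DIGITS = [""] + [f"{n:02d}" for n in range(100)] + ["123", "2023", "2024"]
SYMBOLS = ["", "!", "#"]


def candidates():
    """Yield guesses in the order a rule-based cracker tries them:
    dictionary word, capitalisation variants, then digit and symbol suffixes."""
    for word in WORDLIST:
        for variant in (word, word.capitalize(), word.upper()):
            for digits in DIGITS:
                for symbol in SYMBOLS:
                    yield variant + digits + symbol


def sha256_hex(text):
    # Unsalted SHA-256 is only a stand-in. A slow, salted hash (bcrypt, scrypt,
    # Argon2) raises the cost of each guess but does not rescue a formulaic password.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, limit=1_000_000):
    """Return (password, guesses) if the hash falls within `limit` guesses,
    otherwise (None, guesses_actually_made)."""
    tried = 0
    for guess in candidates():
        if tried >= limit:
            break
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ("Summer23!", "tandem-violet-quarry-lantern"):
        found, n = crack(sha256_hex(pw))
        status = "cracked" if found else "not found"
        print(f"{pw!r}: {status} after {n} guesses")
```

“Summer23!” satisfies a typical “upper case, digits and a symbol” policy and still falls inside the first couple of thousand guesses, because it is a dictionary word plus the rules everyone applies. The random four-word passphrase survives the whole candidate list; no rule in the cracker produces it. The lesson is the one the paragraph makes: guessability comes from structure, not from length or character classes alone.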
Unsecured public wifi (such as the wifi in your local library or coffee shop) offers another opportunity for hackers. Lisa Needham, writing in The Lawyerist, is pretty blunt about lawyers who use public wifi: “Put simply, you are not living up to your ethical obligations to a client if you are exposing their data to public wifi.” No wiggle room there.
Hacking via wifi generally involves positioning the attacker’s computer between yours and the internet so that your traffic passes through it, where it can be captured and stored. Anything sent without encryption of its own (plain HTTP, unencrypted email) can be read outright, and an attacker in that position can also try to strip or spoof the encryption on connections that do use it. Don’t use public wifi for anything work related.
Example: The ease of hacking over public wifi
Lawyerist editor, Sam Glover, demonstrated how easily a colleague’s computer could be hacked when connected to public wifi: “Sam spent about five minutes Googling things, then cut and pasted some commands into the Terminal app on his MacBook… In just a few minutes, he was able to see the websites I was visiting, the packets of information being transferred, and more. Sam assures me he is not an elite ninja hacker, just a savvy Google user. He also did not have the WiFi Pineapple or any other similar device at his disposal. The most cursory search turns up entire websites devoted to “testing” networks, where “testing” means “breaking into” or “hijacking entirely.” (From The Lawyerist)