Editor’s Note: This post originally appeared on Attorney at Work on January 29, 2016. Reprinted with permission. See below for information about ordering Colorado CLE’s homestudy for our program, “Data Privacy & Information Security: Meeting the Challenges of this Complex and Evolving Area of the Law.”
By Sharon Nelson and John Simek
There are lots of cybersecurity worries to give you the willies in the wee hours of the morning, but we were asked to pick five. So here are some of the most common threats for lawyers to keep in mind.
1. Ransomware. We continue to see law firms struck by ransomware, which is a type of malware that encrypts your data (restricting your access to it) and then demands a ransom payment — usually in bitcoins — to get your data back. Training your employees not to click on suspicious attachments or links in email will help. They should stay away from suspicious sites as well since ransomware can be installed by just “driving by” an infected website.
Overwhelmingly, from a technological standpoint, you can defeat ransomware by having a backup that is immune to it. This can mean, particularly for solo lawyers, that you back up and then disconnect the backup from the network. For others, it means running an agent-based backup system rather than one that uses drive letters. Make sure your IT consultant has your backup engineered so that backups are protected — that way, even if you are attacked with ransomware, you can thumb your nose at the thief’s demands for money because you can restore your system from your backup. Of course, this means backups need to be made frequently to avoid any significant data loss.
2. Employees. Employees are by nature rogues. Every study shows employees will ignore policies (assuming they exist) to do what they want to do. This often means people bring their own devices (BYOD), which may be infected when they connect to your network. They may also bring their own network (BYON) or bring their own cloud (BYOC). Certainly, your policies should disallow these practices (in our judgment) or, at least, manage the risks by controlling what is done by implementing a combination of policies and technology.
Oh, and employees steal your data or leave it on flash drives or their home devices, too. This means you have “dark data” — data you don’t know about and over which you have no control. This means you may miss data required in discovery because you don’t know it exists. Your data may not be protected in compliance with federal or state laws and regulations. And you have no way to manage the data because you don’t know it is there. Once again, a combination of policies and technology should be in place to prevent these issues.
3. Targeted phishing. This is perhaps the greatest and most successful threat to law firm data. Someone has you in their sights — often they have done research on your law firm. They may know the cases you are involved in — and who your opponents are. They may know the managing partner’s nickname. Everything they know about you, they may use to get you to click on something (say, an email from an opponent referencing a specific case and saying “The next hearing in ___ case has been rescheduled as per the attachment”). Many a lawyer has clicked on such attachments — or on a link within an email.
The best solution to protect yourself from targeted phishing is training and more training — endlessly. One California firm was targeted by multiple phishing attacks but survived them because the lawyers and staff who received such emails questioned their authenticity.
Forget the loss of billable time. The loss of money, time and even clients due to a data breach can be far worse.
4. Interception of confidential information. Start with the proposition that everyone wants your data, including cybercriminals, hackers and nation states (including our own). Frankly, if they want your data and they have sophisticated tools, they will get it. So shame on you if you are not employing encryption (which is now cheap and easy) to protect confidential data transmitted and received via voice, text, and email. Encryption today is a law firm’s best friend. You may choose to use it always or in cases where it is warranted — but you surely should have the capability of encrypting.
5. Failure to use technology to enforce password policies. First, let us say that you should use multi-factor authentication where available and use it to protect sensitive data. But failing that, we recognize that passwords are still king in solo practices and small to midsize firms. Therefore, have your IT consultant assist you in setting up policies that can be enforced by technology, requiring that network passwords be changed every 30 days and not reused for an extended period of time — and mandating strong passwords (14 or more characters in length, utilizing upper- and lowercase letters, numbers and symbols). Passphrases are best. Iloveattorneyatwork2016! would do nicely.
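As an added example (not part of the original article), here is how the settings above map onto a Windows Active Directory domain’s default password policy, which is what an IT consultant would typically configure for a small firm. It assumes the firm runs AD with the RSAT ActiveDirectory PowerShell module installed and that the command runs as a domain administrator; the history depth of 24 is an assumed value, since the article only says passwords should not be reused “for an extended period of time.”

```powershell
# Added example, not from the article. Assumes an Active Directory domain,
# the RSAT ActiveDirectory module, and Domain Admin rights.
Import-Module ActiveDirectory

# Record the current default domain policy so the change can be reviewed later
Get-ADDefaultDomainPasswordPolicy

# Apply the article's settings: 30-day maximum age, 14-character minimum,
# built-in complexity, and a 24-entry history (assumed depth) to block reuse.
# Note: ComplexityEnabled enforces Windows' own rule, which requires three of
# the four character classes (upper, lower, digit, symbol), not all four.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24

# Verify that the new values took effect
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount

# For a standalone (non-domain) PC, as in a solo practice, the local-account
# equivalent is the built-in net command, run from an elevated prompt:
#   net accounts /maxpwage:30 /minpwlen:14 /uniquepw:24
```

Because the domain policy is applied by the directory, users cannot opt out of it the way they can ignore a written policy, which is the point the authors make.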
There are many other “willies” out there, but address them one digestible chunk at a time!