Security is the number one anxiety for law firm management. After visiting numerous law firms along the East Coast over the past month, I can say the anecdotal evidence is rich. These independent accounts from large and medium-sized law firms alike reaffirm the data presented in the recently released American Bar Association 2015 Legal Technology Survey. Cybersecurity occupies a significant portion of firms’ time and causes many sleepless nights.
Law firms are clamping down on every aspect of the business that could be affected, but this is increasingly becoming a monumental task. The points of network compromise are many and the forms of attack are varied, and a single successful breach of a firm’s walled garden can be devastating. As the Legal Tech Survey outlines, attackers do not discriminate by the size of the firm. As the chart below shows, most types of firms reported more breaches this year than last.
Two main types of breaches seem to be on the rise. The first is a variant of something most of us have experienced. The classic phishing attack is a sloppy or poorly written email asking you to click a link to some random bank, perhaps called “United States Bank”, in order to change your password. It is clearly an unsophisticated attempt to harvest your credentials. That approach has evolved considerably. Law firms are now seeing precisely targeted spear-phishing attacks. In this scenario a partner at your firm is singled out. The attacker does the research with simple online searches: the firm the partner works for (Mayberry Law), their practice area (Automotive), perhaps cases they work on (Gomer Pyle v Barney Fife), location (Mt Airy, NC), personal interests (baking pies) and perhaps outside activities (playing the guitar at the community center). With this data in hand, someone can craft an email aimed directly at your partner. For example:
“Hi Mr. Taylor,
My wife and I saw you playing your guitar the other night at the community center. Your folksy riffs were the bees’ knees! So we also ran into your Aunt Bee down at Gomer’s gas station and we wanted to ask if you could help out with a bake sale that we are having soon for Opie’s school. Please be so kind as to check out the fundraiser we are having located here. Thanks! Otis Campbell”
Almost any reasonable reader of this email, even one who does not recognize the sender’s name or clearly remember the events described, would conclude that they must know the person. As a result, the likelihood that a partner, or anyone else, clicks the malicious link is exceedingly high. Every firm I spoke with reported encountering this tactic, and it is proving a very effective way to compromise a network.
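The pretext in an email like the one above is built to survive human scrutiny, so the checks that still have a chance are mechanical ones on the message itself: does the Reply-To point somewhere other than the From domain, does the link’s real host merely contain a trusted name as a subdomain, is the host a bare IP or punycode, does the visible URL text differ from the actual destination. The following is an added example, not code from the original article; the sample message, the addresses, the domains and the link in it are all constructed for illustration, and the trusted-domain list is assumed.

```python
"""Check the link-level tells in a suspected spear-phishing email.

Added example for this article, not code from the original. The message
below is a constructed sample modelled on the "Otis Campbell" email; every
name, domain and URL in it is made up for illustration.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical addresses and domains).
SAMPLE_EMAIL = """\
From: Otis Campbell <otis@mayberry-community.org>
Reply-To: otis.campbell@mail-relay-4821.example.net
To: Andy Taylor <ataylor@mayberrylaw.example.com>
Subject: Bake sale for Opie's school
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Mr. Taylor,</p>
<p>Please be so kind as to check out the fundraiser we are having
<a href="http://mayberry-community.org.fundraiser-signup.xyz/login">located here</a>.</p>
<p>Thanks! Otis Campbell</p>
</body></html>
"""

# Domains the recipient's firm actually trusts (assumed for the example).
TRUSTED_DOMAINS = ["mayberrylaw.example.com", "mayberry-community.org"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host. Crude stand-in for a Public Suffix List
    lookup, which a real filter should use (kept simple to stay offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw_message, trusted_domains):
    """Return a list of findings (strings) for one RFC 5322 message.
    An empty list means none of these heuristics fired; it does not
    mean the message is safe."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_domain = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")

    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(f"Link to a bare IP address: {href}")
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"Punycode host (possible homograph): {host}")
        for trusted in trusted_domains:
            # A trusted name used as a *subdomain* of someone else's domain.
            if host.startswith(trusted + "."):
                findings.append(f"Trusted name {trusted} is a subdomain of {registrable_domain(host)}")
        # Visible text that looks like a URL but points somewhere else.
        m = re.search(r"https?://([^/\s]+)", text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"Visible URL {m.group(1)} hides real host {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print("FLAG:", finding)
```

On the constructed sample this flags two things: the Reply-To routed through an unrelated relay domain, and a link whose host starts with the community center’s name but is registered under a different domain entirely. None of these checks reads the pretext; that is the point, since the pretext is exactly what the attacker has optimised. A real mail gateway would pair them with a Public Suffix List lookup and with rewriting of links so that the click itself can be inspected.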
The other threat law firms are encountering is ransomware. In this scenario someone at the firm clicks a malicious link, and it executes code on their machine. That code encrypts the files on the local drive and then does the same to every network share the machine can reach. The user loses access to everything on the machine. The attacker then displays a message offering to unlock the data for a fee. There are two avenues to recovery: wipe the drive and restore from a backup, or pay the fee to the attacker in Bitcoin, with no guarantee that a working key arrives. Backups only help if the ransomware cannot reach them; a backup sitting on a share the infected machine can write to is encrypted along with everything else. In my conversations I have heard of a few organizations that had not sufficiently backed up their drives and thus had to pony up $10,000 or so to get their data back.
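The paragraph above describes the attack from the victim’s side; from the file server’s side the same behaviour is unusually loud, because one account suddenly rewrites many documents with ciphertext-like content, often under a new extension, at a pace no human drafting session produces. The following is an added example, not code from the original article, of a sliding-window detector over file write events that uses byte entropy, extension changes and a planted canary document. It goes beyond the text in that it shows detection rather than recovery. The event stream, the user names, the share paths and the extension list are all constructed; feeding it from real file-server audit logs or an EDR agent is an assumption.

```python
"""Detect the file-system signature of ransomware on a shared drive.

Added example for this article, not code from the original. Ransomware
that encrypts a local disk and then every reachable share leaves a
distinctive trail: one account rewriting many files with high-entropy
(ciphertext-like) content in a short window, often with a new extension.
The event stream below is constructed; a real deployment would feed the
detector from file-server audit logs or an EDR agent (assumption).
"""
import math
import random
from collections import Counter, deque

# Extensions some families append to encrypted files (illustrative list).
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data):
    """Bits per byte: English text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareDetector:
    """Sliding-window detector over (timestamp, user, path, content) writes.

    Alerts when one account makes `threshold` suspicious writes within
    `window` seconds, or modifies a canary file (a decoy document that no
    legitimate workflow should ever touch)."""

    def __init__(self, window=60.0, threshold=10, entropy_cutoff=7.0, canaries=()):
        self.window = window
        self.threshold = threshold
        self.entropy_cutoff = entropy_cutoff
        self.canaries = set(canaries)
        self._recent = {}       # user -> deque of suspicious-write timestamps
        self._alerted = set()   # users already alerted, to avoid a flood
        self.alerts = []        # (timestamp, user, reason)

    def observe(self, ts, user, path, content):
        if path in self.canaries:
            self.alerts.append((ts, user, f"canary modified: {path}"))
            return
        suspicious = (shannon_entropy(content) >= self.entropy_cutoff
                      or path.lower().endswith(RANSOM_EXTENSIONS))
        if not suspicious:
            return
        recent = self._recent.setdefault(user, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold and user not in self._alerted:
            self._alerted.add(user)
            self.alerts.append(
                (ts, user, f"{len(recent)} suspicious (high-entropy or renamed) writes in {self.window:.0f}s"))


def build_sample_events():
    """Constructed write events: normal drafting, then an infected workstation."""
    rng = random.Random(2015)  # fixed seed so the run is repeatable

    def ciphertext():
        return bytes(rng.getrandbits(8) for _ in range(2048))

    memo = b"MEMORANDUM\nRe: Gomer Pyle v Barney Fife\nDraft - privileged\n" * 40
    events = []
    # A paralegal saves a few drafts over ten minutes: low entropy, slow pace.
    for i in range(5):
        events.append((i * 120.0, "paralegal", f"//fs1/cases/draft{i}.docx", memo))
    # Then one account rewrites every file it can reach, two per second.
    for i in range(25):
        events.append((900.0 + i * 0.5, "ataylor", f"//fs1/cases/exhibit{i}.pdf.locked", ciphertext()))
    # ...and hits the decoy document planted in the share.
    events.append((913.0, "ataylor", "//fs1/cases/_canary_do_not_open.docx", ciphertext()))
    return events


def run(events, canaries=("//fs1/cases/_canary_do_not_open.docx",)):
    """Feed events through a detector and return its alerts."""
    det = RansomwareDetector(canaries=canaries)
    for ts, user, path, content in events:
        det.observe(ts, user, path, content)
    return det.alerts


if __name__ == "__main__":
    for ts, user, reason in run(build_sample_events()):
        print(f"t={ts:7.1f}s user={user}: {reason}")
```

On the constructed stream the paralegal’s drafts never register, the infected account trips the window on its tenth write at 904.5 seconds, and the canary fires separately when the decoy is touched. The useful property is what an alert enables: disabling the offending account’s share access or the share itself within seconds limits the damage to a handful of files instead of the whole case directory, and the canary catches families whose output happens to be low entropy or that keep the original extension.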
As the ABA Legal Tech Survey data shows, there is little question that breaches are rising. As a result, cyber insurance policies are getting more attention as a way to absorb the cost after an attack. Nonetheless, the main focus remains keeping the bad guys out. Most CIOs I have spoken with continue to work on each leg of the familiar trifecta of people, process and technology. The heaviest emphasis is on people: making sure they do the right things, such as not clicking malicious links. The other main thrust is technology: making sure each firm ramps up deep-level monitoring of its own network. There is little doubt the industry is still fighting a force that keeps gaining strength, while law firms spend ever more resources to keep their own and their clients’ data safe.