Defense attorney Steven Puiszis instructed fellow litigators on how to tighten up cyber security in their firms, noting that law firms are a popular target for hackers.
Puiszis of Hinshaw Culbertson in Chicago presented on cyber security at the Illinois Association of Defense Trial Counsel's Perspectives, Predictions & Pointers seminar on Sept. 29 at Busch Stadium in St. Louis.
He explained that when hackers can’t get through the firewall of a business, they turn their attention to the law firms representing them.
“Our security defenses are weaker than our clients,” he said.
He called today’s online attacks a “cyber war,” saying businesses get hit with a new piece of malware every four seconds.
In fact, cyber crime is turning into a business.
“Hackers are actually selling malware to other hackers,” he said.
He added that 23 states have adopted a duty of technology competence, meaning firms are responsible for protecting their clients’ information from hackers.
So if firms make mistakes, “it’s going to come back to haunt us.”
He warned attorneys present at the conference that the way to get into a firm’s computers is through the attorneys themselves.
“Data breaches are typically the result of human error” instead of hacking, Puiszis said.
About 23 percent of employees who receive phishing emails end up opening them.
He added that it typically takes about 210 days before someone knows they’ve opened a phishing email. They are typically notified of the breach by law enforcement, who monitor the networks to see what information is being sold.
Puiszis said the average cost of a single data breach is approaching $5 billion.
“The fines that can be imposed are astronomical,” he said.
For example, he said a firm was hit with a $1.2 million fine when two computers were stolen and weren’t password protected.
“The smaller the device is, the easier it is to set it down or set it aside and forget about it,” he said.
One popular hacking method is through a cryptolocker, or ransomware, where hackers get in and encrypt documents and information. Then they send a note promising to send a key to the encryption in exchange for money. They essentially hold information ransom.
Puiszis said about 93 percent of phishing emails contain ransomware, which is on pace to become a $1 billion crime business this year by itself.
He added that hackers are getting creative. In one case, some hackers were having trouble getting through a firm’s firewall, so they attached malware to a local restaurant’s online menu and got in when employees ordered take-out.
Hackers also use something called “soft targeting,” where they pretend to be a law student with an attached resume, but the attachment is actually malware.
Puiszis said criminals will also pretend to be a company CEO or executive and ask for sensitive information, which is called a “whaling exploit.”
He also explained that one firm fell victim to hackers through a fake public wifi network. The attorney connected to the wifi, thinking it was legitimate, and a hacker was able to monitor his email. He ended up receiving alternate instructions for transferring a settlement. The attorney thought the instructions were coming from the other party, but they were coming from the hacker.
Puiszis gave attorneys 10 ways to recognize a phishing email:
1. Poor spelling and grammar
2. Offers too good to be true
3. Threat to take action if you don’t respond
4. Reference to a transaction you did not make or action you did not take
5. Requests for personal information
6. Mismatched URL embedded in the email text
7. Variation on domain of a known website
8. If it’s from a person or company you do know but aren’t expecting something from them
9. Emails from a government agency
10. Emails with warnings about a photo of you or suspicious transaction or promises of a prize or refund.
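Signs 6 and 7 on that list (a link whose visible address differs from where it really goes, and a near-miss of a domain the firm knows) can be checked mechanically before anyone clicks. The script below is an added example, not material from the seminar or the article; the allow-list of known domains, the sample message and the two-character lookalike threshold are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the firm legitimately corresponds with.
KNOWN_DOMAINS = {"example-bank.com", "courts.example.gov"}

# Simplified anchor extraction; good enough for a demo on constructed mail bodies.
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a web address (sign 6 only applies then).
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def host_of(s):
    """Lower-cased hostname of a URL or bare domain; '' if none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_link_flags(html, known=KNOWN_DOMAINS):
    """Return (reason, href) for each link that trips sign 6 or sign 7."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        h = host_of(href)
        # Sign 6: the visible address and the real destination differ.
        if URLISH_RE.fullmatch(text) and host_of(text) != h:
            flags.append(("mismatched url", href))
        for k in known:
            if h == k or h.endswith("." + k):
                continue  # the genuine site or a real subdomain of it
            # Sign 7: known name buried in a foreign domain, or a near-miss spelling.
            if k in h or edit_distance(h, k) <= 2:
                flags.append(("domain variation of " + k, href))
    return flags

# Constructed sample: a "payment instructions" mail of the kind the talk describes.
SAMPLE = ('<p>Please confirm the wire at <a href="http://example-bank.com.verify-login.net/x">'
          'https://example-bank.com/secure</a> or <a href="http://examp1e-bank.com/">'
          'our secure portal</a>. Docket: <a href="https://courts.example.gov/docket/12">here</a></p>')
```

Running `phishing_link_flags(SAMPLE)` flags the first link twice (mismatched text and a known name buried in a foreign domain) and the second once (one character off from the real bank), while the genuine court link passes.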