Cyber crime and hacking seem to be featured in the news more often than ever in this technological era, and many legal professionals wonder how they can protect their firms from attacks and breaches of security.
The Record reached out to Joe Marquette, a cyber security expert in Cleveland with Accellis Technology Group Inc., to get the scoop on best practices.
Marquette discussed some of the vulnerabilities in IT structures and data practices that attorneys and others in the legal field face.
"Each and every law firm faces a unique cybersecurity threat profile that, in turn, requires a unique defensive posture," Marquette said in an email.
"Creating the ideal defensive posture first requires an understanding of the motives of today’s cybercriminal. Those motives can be easily broken up into three distinct categories – financial, data, and access. ‘Financial’ involves either extortion (ransomware) or direct theft of money through the theft of network credentials and transferring funds directly out of the firm’s accounts. ‘Data’ is the act of stealing data from the firm that may have value elsewhere. This includes client data and the firm’s employees’ personal data. The last category, ‘Access’, is where criminals leverage an unsecure network to attack a different company altogether."
Marquette said once one understands how criminals view the firm as a target, management can begin to build the proper defenses based on their biggest vulnerabilities.
"The type of law the firm practices will often drive this part of the process," Marquette said. "If you’re a firm transferring large amounts of cash on a regular basis, a criminal may be able to steal a substantial amount of money before anyone knows it. If you’re a firm working in publicly traded companies, your risk of data exposure for the purpose of insider trading may be most critical. If you’re a general practitioner, your biggest risk may be ransomware. Whatever your situation, understanding what your most sensitive information is and where it resides is a critical first step in thwarting a potential breach."
Marquette explained specifically what measures should be taken. There are several fundamental cybersecurity measures every firm should employ.
"First, the use of complex and unique passwords is a must," Marquette said. "Then you must require those passwords to be changed from time to time. You also must do all you can to keep your network up to date with software updates and patches. Ideally, you’ll have an IT partner that can run a process called a vulnerability scan on a regular basis to ensure all known risks have been properly patched. All mobile devices should require a password longer than four characters. Thumbprint readers are convenient but might be avoided as they fall under different rules regarding the Fifth Amendment and a court’s ability to compel someone to unlock a phone through fingerprints, while PIN codes are still off limits. When connecting to your network from outside the office (or any time you’re connecting through the cloud), leverage multifactor authentication for logging in. Lastly, and most importantly, educate your team on the risks of cybercrime and the procedures they are expected to follow if anything suspicious occurs. Firm employees represent what we call the ‘cyber-militia’ and are still the most important defensive tool the firm has at its disposal."
What are the trends? Are attorneys getting better or worse at dealing with the problems of cybersecurity and specifically awareness?
Marquette talked about how legal professionals are similar to other types of businesses when it comes to cybersecurity attitudes. This may be a clue to why a breach like the one that led to the Panama Papers revelations could happen more easily than many think.
"Too many firms still say things like ‘this doesn’t apply to us’ or ‘we’re not really a target’ or the best one of all … ’we don’t have any important data that someone would want to steal’, Marquette said. "Wrong. Criminals don’t even need to know what they’re stealing in order to target you. Many criminals are using a technique we call ‘farming’ where they gather all the information they can in the hopes that it might be useful. They might simply hold that data ransom (through encryption) or worse, hold it ransom and threaten to publish everything they gathered if you don’t pay them. Awareness is rising but for many of these firms, the risks are not truly understood."
Other firms have witnessed the results from unprepared companies. Marquette said those firms are working to take all the reasonable measures to protect the firm and their clients’ data.
"The biggest issue many face is the reality that better security measures often require more ‘hoops’ to jump through while trying to simply do their job," Marquette said. "As many team members are very ensconced in their daily routines, they resist security measures that can disrupt those routines. The result is what’s sometimes called ‘shadow IT’. Shadow IT are those resources at a firm who develop work-arounds for the very measures the IT department employs to properly secure data. Recognizing the possible impact to workflow and then training the team on how to deal with them can be a big factor in the overall success of a security program."
Marquette said firms today know the risks but many are unsure of what to do to stay ahead of the criminals, spies and scammers.
"Overall, the majority of firms we see today rank cybersecurity as one of their top priorities," Marquette said. "They realize this is a risk to their business and they need to do something about it. Most, particularly the small and midsized firms, are just unsure of where to start."
How vulnerable is data on phones? Marquette said very.
"Ironically, mobile devices have not yet made headlines in regards to data breaches," Marquette said. "This is likely because there are many easier ways to attack a firm than through a mobile device and criminals continue to focus on those higher success attack vectors. That said, securing phones and phone data should be a very high priority for every law firm."
Marquette said there are three critical considerations for mobile device vulnerability and security.
"First, how do you access the internet when you use it?," Marquette said. "Unsecured wireless access points in public places like the airport are easy targets for someone wanting to scrape information from your phone. Avoid them if at all possible. Second, what information will the firm allow to be kept and stored on the phone? Client data? Personal data? If you’re maintaining client data on that phone and it’s lost, it should be considered a breach. However, the third key consideration can mitigate that risk. Mobile device management, or MDM, is a software tool that can control what information is stored on the phone and then, if the phone is lost or stolen, it can be selectively cleaned of sensitive data or wiped completely. So while mobile devices have not yet made the news, they definitely do represent a substantial exposure but can be effectively managed through proper policies and security tools."