Glass & Pirkopf | LAW OFFICE MANAGEMENT

Cybercrime: Protecting Your Law Firm from the Inevitable
By Ben Glass and John Pirkopf

Data breach cases have made headlines in recent years, from Yahoo to Marriott to Target to Equifax. While the larger companies tend to attract more public attention, cybercrime does not discriminate, and more and more law firms are impacted by the threat of or actual attacks. According to The Center for Strategic and International Studies (CSIS), the total global cost of cybercrime is closing in on $600 billion, and this number is up from the 2014 estimate of $445 billion.[1] Other estimates make that look conservative. According to Dr. Michael McGuire, Senior Lecturer in Criminology at Surrey University in England, the revenues of cybercrime have hit $1.5 Trillion annually.[2] While this number is staggering in and of itself, it is hard to comprehend exactly what that means to a law firm. Breaking cybercrime down into distinct and specific categories sheds light on the gravity of these threats, not only on industry specific levels, but personal, national and global levels. Globally, the study finds the following:

• $860 billion – Illicit/illegal online markets
• $500 billion – Theft of trade secrets/intellectual property
• $160 billion – Data trading
• $1.6 billion – Crimeware-as-a-Service
• $1 billion – Ransomware

Nationally, the US is easily the most attacked country in the world. In the fourth quarter of 2017 alone, the US suffered 238.6 million attacks.[3] Actual data breached, stolen, and exposed is estimated at 446.5 million records since 2005.[4] These numbers just continue to grow. While the financial services industry may have been hit the hardest, with an average cost of $18.28 Million per firm in 2017,[5] state ethics opinions, legal malpractice actions, and statistics make it clear that law firms are becoming a more frequent point of attack. Fifty-eight percent of attacks hit small businesses (defined as a business with less than 250 employees), with the professional services industry being the third most attacked.[6] And nearly a quarter of all law firms experienced a data breach in 2017.[7]

These statistics are alarming and hopefully cause law firms to revisit their current security measures, as well as their breach protocol in the event the worst happens. But what really should that entail? This article addresses the most common vulnerabilities in a law firm and best practices with respect to protecting both firm and client information.

Law Firms and Cyber Security

There is more to securing a firm’s network and sensitive data than a good password. Security needs to be built into the culture of your workplace. Increasingly, cyber criminals are employing clever and sophisticated methods to steal, sabotage, or ransom firm data. Law firms are now being recognized by attackers as a sweet spot for attacks. This is due, in part, to the amount of highly sensitive data to which firms have access. This, combined with limited compliance regulations, variation in size and budget, and limited employee training and knowledge, leads to an appealing target for cyber criminals.

According to a recent ABA survey, 15% of law firms and about a quarter of firms with at least 100 attorneys have fallen victim to a breach. This is not an anomaly. Other surveys support this.[8] These numbers are growing. Unfortunately, only 61% of small businesses actually have a data security specialist, outsourced department, or internal department, and only 34% review data security policies annually.[9] In the same research, it was found that only 28% of small businesses actually have a data security policy, and of those, only 14% actually have different levels of data access privileges. The fact is that most workplace environments do not discuss data security enough, though they should be making it an integral part of their workplace culture.

While attacks are becoming more advanced and sophisticated, so too is the technology used to combat them. It is a constant game of cat and mouse. The recommended posture information technology professionals take regarding attacks is not “will we get attacked,” but rather “when.” Threats and threat protection are constantly evolving, but the biggest threat is one that is most often overlooked—the user. In order to address issues stemming from the user, it is important that lawyers and law firm staff understand the

Colorado Trial Lawyers Association Trial Talk April/May 2019

applicable terminology, as well as where problems most frequently occur and the best ways to avoid the worst-case scenario.

Cybersecurity Vocabulary

Though lawyers are becoming more sophisticated with respect to technological terminology, it is important—and in some states a requirement—that lawyers be well-versed in security terms in order to know what they have and what they should be doing in terms of protecting their clients and their law firms. Some of the most industry specific parlance is provided here to better understand the issues and methods of addressing them.

• IT: refers to Information Technology (your IT department, or outsourced IT).
• “The Cloud” or “Cloud-based”: refers to the location of data and applications that are not housed internally. For instance, Dropbox is a cloud application that houses your files and folders in the cloud. This generally means that the data is stored in physical data centers (digital data storage facilities) throughout the world that are networked with redundancy in case one of the data centers experiences a problem, attack, or failure. Office 365 is a cloud application and email provider. The email application, storage, controls, and protocols for email are stored in Microsoft’s data centers around the world. Lawyers need to be aware of the terms of service agreements with cloud-based programs to ensure the third-party’s security meets with the firm or state’s requirements.
• Encryption: an IT term that generally means “locked.” Encryption can be used for good or bad purposes. It is important that a firm encrypts or locks its data, so that prying eyes cannot see the data without the key to the lock. The key to the lock is held by the firm and generally locks and unlocks data in the background without user interaction or with minimal user interaction (username and password). Encryption can also be used for malicious purposes. A hacker, or IT savvy threatening third party, can encrypt your data if it is not properly protected. This is especially worrisome because encryption is very powerful. It is a lock in which the key is very difficult to copy or duplicate.
• Malware: generally, means bad software. Malware is designed to disrupt your computer operations and your productivity, often in an attempt to gain access to or exploit your data.
• Virus: in an IT context, refers to bad software that is written to corrupt or delete your data, but that also is written to self-propagate throughout your network (designed to go from computer to computer).
• Spyware: refers to specific malware that is designed to capture your information (usernames, passwords, browsing data, keystrokes, even habits).
• Phishing: a term that is derived from fishing. A phishing scam is a situation where a hacker is posing as a colleague, or known safe entity, in an attempt to retrieve your personal data (username, password, SSN, address, etc.). The hacker is fishing for your data and acting as bait. Most of the time, this comes in the form of an email that looks like it is from a legitimate person or entity but is not. The email could fraudulently appear to be from your bank, or your email provider, asking you to confirm certain personal information as a precaution, when in fact they never had it to begin with. These scams are very complex and often have fake websites and phone numbers that appear to be from legitimate vendors.
• Ransomware: a devastating and relatively new subset of malware. Ransomware is designed to make your data unavailable until you pay the hackers. Ransomware enters your system through clicking on links in phishing scams, visiting fraudulent or unsafe websites, or inserting infected media (USB drive), and then encrypts all your files and folders. It can propagate to data in your workplace through its network. Restoring your data from backups is often the only way to retrieve your data. Your last known good backup is often what you are left with, so it is crucial that your backups work well and work often. If there is no good backup, the only solution is to negotiate and pay the hackers for the key to the encryption lock. Paying the hackers is negotiating with criminals and should be avoided at all costs, as it rewards the people, thus perpetuating the crime.
• Business Continuity and Disaster Recovery: relatively new terms in an IT sense. They refer to establishing protocols and procedures in the case that your data is lost due to a physical disaster, ransomware/virus attack, or hardware failure. In this scenario, it is important that there is a tested contingency plan in place. Often these terms get confused with having backups. A backup is a copy of your data. A business continuity/disaster recovery plan contains your backups in an environment that is digitally accessible with the least amount of downtime or lost productivity possible. Your IT department or outsourced managed service provider


should have this in place and test it regularly.

Human Error Factor

When addressing information security, the biggest variables are more often than not the users of the information. The goal is to develop a security-centric culture in the workplace. Hackers know that people are the easiest way to gain access to a network. Technically savvy and non-technical people (people whose profession is not in the technology industry) are both at risk. Exploiting this vulnerability is called social engineering, or social hacking. A social engineering hacker relies on tricking a user to divulge confidential information such as usernames and passwords. This is done in various ways. Sometimes verbally, where a person poses (either in person or over the phone) as someone on your IT team; sometimes electronically (sending fraudulent emails phishing for information); and sometimes both. Once a social hacker has access to your environment, they may choose to lie dormant, monitoring communications, conversational email styles, organizational-specific protocols, and firm hierarchy. Once the hackers have a sense of the organization’s styles and protocols, they can exploit what they have learned for a bigger payload. This is done by slowly beginning a conversation, establishing trust, and finally striking. Without getting into specific anecdotes, it is not uncommon to see long-con approaches devastate businesses. According to IBM’s “2014 Cyber Security Intelligence Index,” 95% of cybersecurity breaches were due to human error.[10]

Educating Law Firms

With a shift to a security-centric culture, law firms can expect the chances of a successful social engineering attack to go down. Educating staff about these threats, dedicating IT resources to staying abreast of the ever-changing techniques, and facilitating conversations around these topics are steps law firms can take to reduce the risk. Below are some examples of processes, best practices, techniques, and technology to help mitigate risks and minimize downtime.

The most important among them is developing a culture of awareness. It is strongly recommended that a firm’s IT partners provide regular trainings for all members of the organization, which means that senior partners down to newly hired staff should all participate. This also means that security measures must be a part of any law firm’s onboarding of new employees. By discussing the ideas presented here, firms can encourage employees to integrate security into their work routine.

Identity

The first principle addressed here is identity—proving you are who you say you are and preventing a hacker from impersonating you. Of course, what this refers to, in its simplest form, are passwords. Credentials are integral to secure data access. This is a constant vulnerability. As computers get faster and more powerful, they can crack increasingly complex passwords. Some basic recommendations that can help provide additional protection follow.

While biometric authentication is quickly evolving (think fingerprints and facial recognition), it is not always practical to implement for all platforms. On the other hand, dual factor authentication is quickly becoming the new norm and adds significant security. The most common forms of dual-factor authentication use a person’s mobile device and email account. In these scenarios, an IT professional configures access to a firm’s data and network to require a code that is sent to an individual’s phone via text or to an email account. This code is

Colorado Trial Lawyers Association Trial Talk April/May 2019 33 LAW OFFICE MANAGEMENT | Glass & Pirkopf ran domly generated and provides access technologies quickly, keep software to backups. The best backup solutions auditing for IT professionals when a updated and patched, and to respond allow firms to continue working in the breach is suspected. Consultants strong- when things change. However, this is case of an emergency. With the proper ly recommend dual factor authentication only one piece. It is also important to planning, in the case of a crisis, an en- as a relatively easy way to help shore nurture a culture of security. Most secur - tire law firm can be working off a up IT resources. ity breaches are the result of human error. backup network within an hour while Even the most sophisticated companies the professionals restore the original Passwords should also be longer. As are vulnerable to simple mistakes. It hap- network. In a scenario where the network one might assume, the longer the pass- pens. Just think about the redaction error is taken off line, proper planning can word, the harder for a computer to made by Paul Manafort’s attorneys, or keep a firm on track. figure it out. Likewise, the more time a the errant link John Podesta clicked, computer has to guess a password, the The landscape around preserving data leading to the compromise of his emails. greater the chance it will succeed. Thus, has become increasingly important and The fact is that mistakes happen. There- IT professionals also recommend long- sophisticated. When looking at direct fore, it is so important to have a plan for er passwords that users change regularly. and indirect costs, downtime for a firm when they do. IT professionals should Additionally, by changing passwords, compound quickly. 
Having a data back- recommend fostering a work culture in any passwords that have been previously up is critically important but having which employees feel comfortable ac- compromised will no longer be in use. access to that data in a meaningful way knowledging when they make a mistake is just as important. This is the reason Password sharing is a vulnerability. and have a plan for what to do when it a business continuity and disaster re- Not only does sharing passwords in - happens. Technology should help not covery is so important. A business crease the chances of an environment hurt. The best way to make this happen continuity solution provides a firm with being compromised, but it also makes is to recognize that people are the weak a “hot” replica of their systems, network, it harder to figure out what happened link and will make mistakes. If firms and most importantly data. This replica when it is compromised. If people share understand and plan for this, they will is always on standby, and a firm can ac - passwords, it is harder to tell from where save a lot of pain and money. Making cess the replica in the case of a disaster. a threat came. It is also best practice to decisions and planning before crisis hits These replicas can be onsite, offsite, or use different passwords for different will allow a firm to focus on resolving both, depending on the system. services. If a password is compromised, the problem rather than trying to figure not all of them are. Password hints and out what to do. Simple things, like having Antivirus challenge questions are also problematic. a communication plan, outlining emer- Good antivirus software is essential. With the rise of social media and our gency actions to take (when do you Antivirus software protects your work- increasingly digital lives, social hackers simply unplug a computer?), and having stations and servers from malicious are increasingly able to guess answers a good plan B are essential. When dis- programs. 
No antivirus software is going to challenge questions and password cussing a plan B, what firms should really to stop everything, but along with other hints. How hard is it to figure out some - be addressing is their backup system. tools, antivirus can identify and quar- one’s mother’s maiden name in the age Backups, Business Continuity and antine dangerous programs that find of Facebook? When asked to set up Disaster Recovery their way onto your network. Antivirus password hints or challenge questions, programs work in different ways. A Technical security is great, until nonsensical answers are recommended, traditional antivirus program would someone mistakenly clicks on a link, e.g. Question: “What’s your favorite look at a set of virus definitions (pro- inserts the wrong USB drive, or clicks sports team?” Answer: “I like pizza!” grams and code) and then scan a network on the wrong program. Because secur- By mining the internet, posing as other for the viruses. Newer antivirus programs ity is so tenuous, it essential to have an people, and monitoring behavior, hackers are looking at real time activity across action plan for when (not if) something can glean a ton of information that they the internet and scan for abnormal be- goes wrong. then use against their victims. havior. If an unknown program starts Update Software Backing up data can take many forms, proliferating on networks worldwide, from simple copies stored on a hard the program can begin blocking the Technology changes quickly. When drive, to cloud replicated copies that a program in real time within the law combating cyber criminals, speed is firm can access remotely. Business con - firm. Again, cyber security is a cat and important. It is important to adapt new tinuity is a key concept when it comes mouse game, and it is important to adapt
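The two identity controls discussed above, password length and a randomly generated code delivered by text or email, in working form. This is an added example written for this edit, not code from the article or from Bespoke Technology Group. The guessing rate of ten billion attempts per second, the six-digit code length, the 300-second code lifetime and the user name "jdoe" are assumptions chosen for the illustration; the audit list is the "access auditing" the article says such a code provides.

```python
"""Identity controls: password search space and a delivered one-time code.

Constructed example, not the article's code. Assumptions: a guessing rate of
1e10 attempts/second, six-digit codes, a 300-second code lifetime, made-up users.
"""
import hmac
import secrets
import time

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: speed of an offline cracking rig
CODE_DIGITS = 6                      # assumption: length of the texted/emailed code
CODE_TTL_SECONDS = 300               # assumption: how long a delivered code stays valid


def guess_space(length: int, charset_size: int) -> int:
    """Candidates an exhaustive search must cover for a password of this shape."""
    return charset_size ** length


def years_to_exhaust(length: int, charset_size: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time, in years, to try every candidate at the given rate."""
    return guess_space(length, charset_size) / guesses_per_second / (365 * 24 * 3600)


class SecondFactor:
    """Issues and checks random one-time codes and records every step for auditing."""

    def __init__(self, ttl: float = CODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}          # user -> (code, expires_at)
        self.audit = []             # (timestamp, user, outcome) entries for IT review

    def issue(self, user: str) -> str:
        """Create a fresh random code for `user`; this is what the text or email carries."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        now = self.clock()
        self._pending[user] = (code, now + self.ttl)
        self.audit.append((now, user, "issued"))
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime; any attempt consumes it."""
        now = self.clock()
        pending = self._pending.pop(user, None)   # removed on every attempt, right or wrong
        if pending is None:
            outcome = "rejected:no-code"
        elif now > pending[1]:
            outcome = "rejected:expired"
        elif submitted.isascii() and hmac.compare_digest(pending[0], submitted):
            outcome = "accepted"
        else:
            outcome = "rejected:mismatch"
        self.audit.append((now, user, outcome))
        return outcome == "accepted"


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"{length}-character mixed-case+digits password: "
              f"{years_to_exhaust(length, 62):,.1f} years to exhaust")
    sf = SecondFactor()
    code = sf.issue("jdoe")                      # constructed user
    print("first use accepted:", sf.verify("jdoe", code))
    print("replay accepted:", sf.verify("jdoe", code))
    for entry in sf.audit:
        print(entry)
```

A wrong guess discards the pending code rather than leaving it in place, so an attacker who intercepts nothing cannot keep guessing six-digit values against one issued code; the legitimate user simply requests a new one, and the audit list shows both the mismatch and the re-issue.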

34 April/May 2019 Trial Talk Colorado Trial Lawyers Association Glass & Pirkopf | LAW OFFICE MANAGEMENT as things change. A law firm should be generations use technology differently. tablets and laptops are quickly replacing aware of the capabilities of its antivirus This can lead to a bit of a power inver- traditional workstations. There are a software and consider upgrading to in- sion. Senior partners are often older and number of major implications for IT tegrate these newer technologies. less technology savvy than younger em- security. First, mobile devices are easy ployees, who are new to law, but both to lose. If a lawyer’s devices are not Antimalware are equally as vulnerable to attack. While securely locked down, the information Antimalware software is different older generations may subject a firm to on them can end up in the wrong hands. from antivirus software in that it moni- an attack as a result of being unaware Additionally, the line between per- tors your network resources for abnormal of the danger, younger generations may sonal and work devices is becoming behavior and aims to arrest any programs subject a firm to an attack by becoming blurred. Many employees configure that are behaving abnormally. One of complacent. A security-centered culture their personal devices to connect to the most common types of malware should hold everyone to the same stand- work email accounts. While IT providers attacks is one in which the hacker ards, partners and staff alike. As mentioned can control security on work devices, encrypts a firm’s and then demands earlier, security evolves, and firms subject they do not have the same control over payment, usually in Bitcoin, in exchange themselves to greater risk by continuing employee personal devices. As a result, for a key to decrypt the data. Encryp- to do things the way they always have they have no control over the way these tion is a process and takes time. 
If you without acknowledging and addressing phones or configured or even whether have antimalware software on your these differences. computers, it should be able to detect it is password protected. Thus, it is es- such a process, stop it, and create alerts In the same vein, law firms cannot sential to have a workplace policy that letting the IT people know what is hap- simply set up the security system and clarifies what employees can and cannot pening. Likewise, if a malicious program expect it to be foolproof. They must do with work information on their de- is monitoring and reporting behavior inform employees of what exists, how vices. Are employees allowed or even on your network, antimalware software it works, and what the limits of that expected to have work email on their should be able to identify and stop it. system are so that employees may be personal phones? What happens if the part of the process as well. phone is lost, stolen, or if the employee Spam Filtering leaves on bad terms? What layers of Protecting Client and Firm Money Email spam filtering is a subscription protection are required on devices? It service. Like antivirus software, the Law firms must be extra careful when is essential to provide clarity around service is constantly evolving. Traditional money and sensitive data is involved. mobile device usage, as well as a plan spam filters compare incoming email Technology has made it very easy to for the inevitable loss of a device or messages to a known list of dangerous move money. This has obvious benefits, departure of an employee. or “spammy” addresses or attachments but also poses significant risk. There are too many stories of hackers monitoring Mobile devices are also a lot smaller and will reject the messages before they and used in many places. This makes the get to your computer. Newer spam and imitating partners, clients, or oppos- ing counsel; requesting the transfer of user more likely to make mistakes. 
If a filtering services offer much more. In phishing email comes through while a addition to basic filtering, these services funds; and then disappearing into thin air. Lawsuits filed by victim-clients are lawyer is glancing at emails on the phone are able to test programs and links on during a lunch meeting, the likelihood of external servers before allowing mes- on the rise, stemming from the improper electronic transfer and loss of trust fund clicking, forwarding, or taking inad- sages through. If the filter discovers vertent action increases. Encourage anything abnormal or dangerous, the money. Firms should develop a policy requiring verbal confirmation any time employees to be extra cautious while message is blocked. These services on mobile devices. also offer the ability to send encrypted they move money, and they should also messages, which adds another layer of require employees and clients to ex- Mobile devices connect to all sorts security that is quickly becoming the change sensitive account information of wireless networks—coffee shops, standard within law firms. telephonically or in-person to avoid airports, hotels, or even opposing coun - interception of such private information. sel’s office. Many are safe and pose Addressing Generational Differences Mobile Security little threat; however, there are risks. There may be multiple generations Many free networks collect in forma- within a firm’s workplace. It is no Increasingly, people are working off tion for marketing purposes; others secret or surprise that different their mobile devices. Mobile phones, may be set up with the intention of
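The behavior the Antimalware section describes, catching bulk encryption while it is still in progress because "encryption is a process and takes time," as an added example that is not the article's code or any vendor's product. It is a small behavioral monitor fed constructed file-write events: a word processor saving one document normally, and a made-up process rewriting many files with ciphertext-looking content in a few seconds. The process names, file paths, the 7.0 bits-per-byte entropy threshold, the ten-second window and the five-file burst size are all assumptions chosen for the illustration.

```python
"""Behavioural detection of bulk encryption, the way an antimalware agent might do it.

Constructed example, not the article's code. A process that rewrites many files
with high-entropy (ciphertext-looking) content inside a short window is flagged,
recorded for IT, and blocked from further writes.
"""
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte; ordinary documents sit far below this
WINDOW_SECONDS = 10.0     # assumption: look-back window per process
BURST_COUNT = 5           # assumption: high-entropy rewrites in the window that trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


class EncryptionBurstDetector:
    """Tracks high-entropy writes per process and raises an alert on a burst."""

    def __init__(self, window=WINDOW_SECONDS, burst=BURST_COUNT, threshold=ENTROPY_THRESHOLD):
        self.window = window
        self.burst = burst
        self.threshold = threshold
        self._recent = defaultdict(deque)   # process -> deque of (timestamp, path)
        self.alerts = []                    # (timestamp, process, [paths]) for the IT team
        self.blocked = set()                # processes the agent would suspend

    def observe(self, ts: float, process: str, path: str, content: bytes) -> bool:
        """Feed one write event; return True if this event raised an alert."""
        if process in self.blocked:
            return False
        if shannon_entropy(content) < self.threshold:
            return False                    # plain text or images; not interesting
        recent = self._recent[process]
        recent.append((ts, path))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()                # forget writes older than the window
        if len(recent) >= self.burst:
            self.alerts.append((ts, process, [p for _, p in recent]))
            self.blocked.add(process)
            return True
        return False


HIGH_ENTROPY = bytes(range(256)) * 16                     # stands in for ciphertext (entropy 8.0)
PLAINTEXT = b"Deposition transcript, page 1 of 40.\n" * 100   # ordinary document content


def constructed_events():
    """Constructed file-write log: (timestamp, process, path, content written)."""
    events = []
    # Ordinary editing: one document saved a few times over a minute.
    for i in range(6):
        events.append((i * 10.0, "winword.exe", r"C:\Cases\Smith\brief.docx", PLAINTEXT))
    # Simulated bulk encryption: many files rewritten with ciphertext in four seconds.
    for i in range(8):
        path = rf"C:\Cases\Smith\exhibit{i}.pdf.locked"   # assumed renamed-extension pattern
        events.append((100.0 + i * 0.5, "unknown.exe", path, HIGH_ENTROPY))
    return events


def run_detector(events=None) -> EncryptionBurstDetector:
    """Replay an event log through the detector and return it with alerts populated."""
    detector = EncryptionBurstDetector()
    for ts, process, path, content in (events if events is not None else constructed_events()):
        detector.observe(ts, process, path, content)
    return detector


if __name__ == "__main__":
    result = run_detector()
    for ts, process, paths in result.alerts:
        print(f"ALERT t={ts}: {process} rewrote {len(paths)} files with high-entropy data")
    print("blocked:", sorted(result.blocked))
```

The word processor never trips the detector because its saves are low-entropy and spaced out; the fifth ciphertext write from the unknown process lands inside the ten-second window and produces exactly one alert, after which that process is blocked and its remaining writes are ignored, which is the "detect such a process, stop it, and create alerts" sequence the article expects from antimalware software.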

Colorado Trial Lawyers Association Trial Talk April/May 2019 35 LAW OFFICE MANAGEMENT | Glass & Pirkopf monitoring data for more sinister uses. encrypted internet connection between and medical sectors. Ben and his busi- The fact is that a wireless network can any given device (think laptop or ness partner, Eric Osborne, founded be set up to look like a legitimate one, tablet) and the law firm’s data. The Bespoke Technology Group, a Denver and if employees are not careful, they connection requires a user’s unique based IT firm, to deliver high-touch, can put the entire firm at risk. The best credentials and often dual-factor white-glove IT solutions to small and practice is for firms to provide and/or authentication in order to make the growing businesses. require the use of mobile hotspots and connection. John Pirkopf has been working in IT since encourage employees to connect only Cyber Insurance 2000. He joined Bespoke Technology to known networks. If a lawyer finds a wireless network and does not know Many lawyers may not even be aware Group as a consultant in 2017. John has a where it comes from, she or he is of such coverage, but cyber insurance background in social welfare, working probably better off not connecting. can also play a key role in a firm’s IT with for-profit and not-for-profit organiza- planning. Not only will it reimburse a tions. John’s areas of focus are IT consult- Remote Access portion of costs associated with a cata- ing, networking, web design, data As the speed of data retrieval and strophic event, but it can also help an backup, and security. manipulation has increased, so too has organization get its IT house in order. the ability to access that data remotely. Most insurers require documentation Endnotes: In order to do this, it is advisable to and proven compliance related to the 1 https://www.csis.org/analysis/economic- have a properly configured virtual pri- IT environment, including an IT Use impact-cybercrime vate network (VPN). 
A VPN is an Policy and a Response Plan. Insurers 2 https://www.bromium.com/press-release/ want to know what is being done to hyper-connected-web-of-profit-emerges- keep the bad guys out and what will be as-global-cybercriminal-revenues-hit-1-5 done if they get in. IT specialists should -trillion-annually be a firm’s partner in the process of 3 https://content.akamai.com/us-en- developing these policies and plans. PG10413-q4-17-soti-security-report.html 4 Conclusion https://www.idtheftcenter.org/wp-content/ uploads/2019/02/ITRC_2018-End-of- Cyber security threats are increasing Year-Aftermath_FINAL_V2_combined and evolving. While the statistics are WEB.pdf Do you know where to turn for scary, they should encourage law firms 5 https://newsroom.accenture.com/ confidential peer support? to start thinking about how they are news/cybercrime-costs-financial-services- positioning themselves to adapt to and sector-more-than-any-other-industry-wit Colorado Lawyers Helping Lawyers, Inc. is a h-breach-rate-tripling-over-past-five- court-approved, volunteer Board of Directors mitigate these threats. Most importantly, consisting of lawyers and law students who firms need to acknowledge that users years-according-to-report-from-accentur offer confidential support for colleagues expe- may be the weakest link and that edu- e-and-ponemon-institute.htm riencing problems with substance abuse (alco- cating lawyers and staff is integral in 6 https://blog.alertlogic.com/5-cybersecurity hol/Drugs) and preventing the worst from occurring. -statistics-every-small-business-should- mental health issues. CLHL provides free con- know-in-2018 fidential support group meetings for judges, Firms can do this by developing a 7 lawyers and law students. 
security-centric culture in which people https://www.americanbar.org/groups/ are cautious and smart when it comes litigation/committees/commercial- • In Recovery to technology, but also feel empowered business/articles/2018/spring2018-cybers • Experiencing Mental Health Issues ecurity-and-the-lawyers-standard-of-care to speak up when they suspect somet- • Women’s Group 8 hing is not right. Simple steps can have https://www.law360.com/articles/ • Virtual Telephone Support Group a huge impact on the security of a 706312/a-soft-target-for-hacks-law- firms-must-step-up-data-security firm’s environment. sss 9 For more information, https://lab.getapp.com/category/research/ call (303) 832-2233 Ben Glass has more than 20 years of 10 https://media.scmagazine.com/ or (800) 432-0977 experience orchestrating technological documents/82/ibm_cyber_security_intell www.clhl.org solutions for companies in nearly every igenc_20450.pdf. industry, including the legal, financial,
