Glass & Pirkopf | LAW OFFICE MANAGEMENT

Cybercrime: Protecting Your Law Firm from the Inevitable

By Ben Glass and John Pirkopf

Colorado Trial Lawyers Association, Trial Talk, April/May 2019

Data breach cases have made headlines in recent years, from Yahoo to Marriott to Target to Equifax. While the larger companies tend to attract more public attention, cybercrime does not discriminate, and more and more law firms are impacted by the threat of or actual attacks. According to The Center for Strategic and International Studies (CSIS), the total global cost of cybercrime is closing in on $600 billion, and this number is up from the 2014 estimate of $445 billion.¹ Other estimates make that look conservative. According to Dr. Michael McGuire, Senior Lecturer in Criminology at Surrey University in England, the revenues of cybercrime have hit $1.5 Trillion annually.² While this number is staggering in and of itself, it is hard to comprehend exactly what that means to a law firm. Breaking cybercrime down into distinct and specific categories sheds light on the gravity of these threats, not only on industry-specific levels, but on personal, national and global levels.

Globally, the study finds the following:
• $860 billion – Illicit/illegal online markets
• $500 billion – Theft of trade secrets/intellectual property
• $160 billion – Data trading
• $1.6 billion – Crimeware-as-a-Service
• $1 billion – Ransomware

Nationally, the US is easily the most attacked country in the world. In the fourth quarter of 2017 alone, the US suffered 238.6 million attacks.³ Actual data breached, stolen, and exposed is estimated at 446.5 million records since 2005.⁴ These numbers just continue to grow. While the financial services industry may have been hit the hardest, with an average cost of $18.28 Million per firm in 2017,⁵ state ethics opinions, legal malpractice actions, and statistics make it clear that law firms are becoming a more frequent point of attack. Fifty-eight percent of cyberattacks hit small businesses (defined as a business with fewer than 250 employees), with the professional services industry being the third most attacked.⁶ And nearly a quarter of all law firms experienced a data breach in 2017.⁷

These statistics are alarming and hopefully cause law firms to revisit their current security measures, as well as their breach protocol in the event the worst happens. But what really should that entail? This article addresses the most common vulnerabilities in a law firm and best practices with respect to protecting both firm and client information.

Law Firms and Cyber Security

There is more to securing a firm's network and sensitive data than a good password. Security needs to be built into the culture of your workplace. Increasingly, cyber criminals are employing clever and sophisticated methods to steal, sabotage, or ransom firm data. Law firms are now being recognized by attackers as a sweet spot for attacks. This is due, in part, to the amount of highly sensitive data to which firms have access. This, combined with limited compliance regulations, variation in size and budget, and limited employee training and knowledge, leads to an appealing target for cyber criminals.

According to a recent ABA survey, 15% of law firms and about a quarter of firms with at least 100 attorneys have fallen victim to a breach. This is not an anomaly. Other surveys support this.⁸ These numbers are growing. Unfortunately, only 61% of small businesses actually have a data security specialist, outsourced department, or internal department, and only 34% review data security policies annually.⁹ In the same research, it was found that only 28% of small businesses actually have a data security policy, and of those, only 14% actually have different levels of data access privileges. The fact is that most workplace environments do not discuss data security enough, though they should be making it an integral part of their workplace culture.

While attacks are becoming more advanced and sophisticated, so too is the technology used to combat them. It is a constant game of cat and mouse. The recommended posture information technology professionals take regarding attacks is not will we get attacked, but rather when. Threats and threat protection are constantly evolving, but the biggest threat is one that is most often overlooked—the user. In order to address issues stemming from the user, it is important that lawyers and law firm staff understand the applicable terminology, as well as where problems most frequently occur and the best ways to avoid the worst-case scenario.

Cybersecurity Vocabulary

Though lawyers are becoming more sophisticated with respect to technological terminology, it is important—and in some states a requirement—that lawyers be well-versed in security terms in order to know what they have and what they should be doing in terms of protecting their clients and their law firms. Some of the most industry-specific parlance is provided here to better understand the issues and methods of addressing them.

• IT: refers to Information Technology (your IT department, or outsourced IT).
• "The Cloud" or "Cloud-based": refers to the location of data and applications that are not housed internally. For instance, Dropbox is a cloud application that houses your files and folders in the cloud. This generally means that the data is stored in physical data centers (digital data storage facilities) throughout the world that are networked with redundancy in case one of the data centers experiences a problem, attack, or failure. Office 365 is a cloud application and email provider. The email application, storage, controls, and protocols for email are stored in Microsoft's data centers around the world. Lawyers need to be aware of the terms of service agreements with cloud-based programs to ensure the third party's security meets with the firm or state's requirements.
• Encryption: an IT term that generally means "locked." Encryption can be used for good or bad purposes. It is important that a firm encrypts or locks its data, so that prying eyes cannot see the data without the key to the lock. The key to the lock is held by the firm and generally locks and unlocks data in the background without user interaction or with minimal user interaction (username and password). Encryption can also be used for malicious purposes. A hacker, or IT-savvy threatening third party, can encrypt your data if it is not properly protected. This is especially worrisome because encryption is very powerful. It is a lock in which the key is very difficult to copy or duplicate.
• Malware: generally means bad software. Malware is designed to disrupt your computer operations and your productivity, often in an attempt to gain access to or exploit your data.
• Virus: in an IT context, refers to bad software that is written to corrupt or delete your data, but that also is written to self-propagate throughout your network (designed to go from computer to computer).
• Spyware: refers to specific malware that is designed to capture your information (usernames, passwords, browsing data, keystrokes, even habits).
• Phishing: a term that is derived from fishing. A phishing scam is a situation where a hacker is posing as a colleague, or known safe entity, in an attempt to retrieve your personal data (username, password, SSN, address, etc.). The hacker is fishing for your data and acting as bait. Most of the time, this comes in the form of an email that looks like it is from a legitimate person or entity but is not. The email could fraudulently appear to be from your bank, or your email provider, asking you to confirm certain personal information as a precaution, when in fact they never had it to begin with. Phishing scams are very complex and often have fake websites and phone numbers that appear to be from legitimate vendors.
• Ransomware: a devastating and relatively new subset of malware. Ransomware is designed to make your data unavailable until you pay the hackers. Ransomware enters your system through clicking on links in phishing scams, or visiting fraudulent or unsafe websites, or inserting infected media (USB drive), and then encrypts all your files and folders. It can propagate to data in your workplace through its network. Restoring your data from backups is often the only way to retrieve your data. Your last known good backup is often what you are left with, so it is crucial that your backups work well and work often. If there is no good backup, the only solution is to negotiate and pay the hackers for the key to the encryption lock. Paying the hackers is negotiating with criminals and should be avoided at all costs as it rewards the people, thus perpetuating the crime.
• Business Continuity and Disaster Recovery: relatively new terms in an IT sense. They refer to establishing protocols and procedures in the case that your data is lost due to a physical disaster, ransomware/virus attack, or hardware failure. In this scenario, it is important that there is a tested contingency plan in place. Often these terms get confused with having backups. A backup is a copy of your data. A business continuity/disaster recovery plan contains your backups in an environment that is digitally accessible with the least amount of downtime or lost productivity possible. Your IT department or outsourced managed service provider should have this in place and test it regularly.

techniques, and facilitating conversations

you are and preventing a hacker from