Cyber Crime: Why Your Ignorance is Their Power
Few law firms seem to fully appreciate the level of risk that attorneys and staff truly represent. Of course, the ultimate goal is to avoid having to deal with a cyber breach at all because, as stated above, actions that seek to prevent a breach are going to be easier and less stressful than any actions that must be taken to try and recover from the fallout of a breach. Unfortunately, it’s the ignorance and/or apathy of every user that can so easily prevent a firm from ever reaching this goal. Here’s why.
Regardless of all the precautions implemented by IT support, from taking steps like securing all digital assets with the latest and greatest in firewalls and antivirus software to upgrading to the latest in browser software or operating system, those efforts aren’t going to be good enough. People are part of the equation and they can’t be secured with a software patch or hardware upgrade. I’m talking about you, your partners, your employees, and anyone else who has access to a firm computer, tablet, smartphone, and the like. How do you think the Target breach, the DNC email scandal, and many of the other breaches we hear about with ever more frequency happened? In short, someone did something they shouldn’t have. It might have been opening an infected email, clicking on a malicious link, or unwittingly verifying a password for a cybercriminal because he or she didn’t know any better, got caught off guard, or simply didn’t care.
To help bring the point home, ask yourself these few questions and focus not only on how well you can answer them but also think about how everyone else at your firm might do:
Do you know what Zenis and Dridex are?
Zenis is ransomware that encrypts files on every drive it has access to and then it deletes your backups. Dridex is a banking Trojan that seeks to steal your online banking credentials.
If you did know what those two examples of computer malware were, do you know if you can still be infected by either if you have an Internet security software suite running?
Yes, until a patch is released for each new variant that is discovered in the wild. Also, be aware that malware is rapidly moving into the mobile space where many are woefully unsecure.
Do you know what vishing is?
Voice phishing is a form of criminal phone fraud whereby the scammer uses social engineering techniques during a call as a way to try to gain access to personal or sensitive information for the purpose of financial gain.
What is spear phishing?
An email-spoofing attack that targets a specific individual or business in an attempt to steal confidential data from and/or install malware on the targeted user’s computer.
Can identity theft occur via a text message?
What is crypto-jacking?
The unauthorized use of a computer or network to mine for digital currency. These attacks can cripple your network and may result in deleted files if you attempt to remove the malware.
Hopefully you’re starting to get it. The actions of any individual user can unintentionally circumvent the security tools IT support has deployed; and again, it’s often the result of the ignorance or apathy of individual users. What any person does on the Internet and even how and where they do it matters. For example, unsecured Wi-Fi is exactly that, unsecured. Just because a signal is available doesn’t mean using it is a good idea. Cybercriminals have the same ability to access that signal as you do and you have no way of knowing what their intentions are. Even if you know how to avoid most cyberattacks, how about everyone else in who works at your firm? That’s the problem.
So, what’s the solution? How does one address the very real threat that comes from each and every user? I wish it were easy. Unfortunately, it isn’t; but it is manageable. This is one of those situations where IT and firm leaders need to work together. Part of the solution will lie in periodic training in safe practices to include how to identify threats. This will need to be ongoing because attack vectors will continue to evolve and change. Topics such as what do the latest social engineering attacks look like and how to avoid them, why peer-to-peer file sharing networks can be dangerous, and how to securely login into the network from a remote location would all be worth discussing.
Another part of the solution will be to create and then enforce an office-wide Internet use policy that spells out the dos and don’ts. For example, define what can be downloaded and what can’t. While the download of an Amazon.com eBook might be ok if done over the noon hour, the downloading of free music off a peer-to-peer file sharing network like eMule definitely shouldn’t be. What about allowing access to Facebook, LinkedIn, Snapchat, WhatsApp, or Pinterest from an office device? There are legitimate security concerns that come with allowing personal participation in social media. Do you want to allow access to things like Skype, YouTube, or even personal email accounts? In the absence of defined rules, there will be some who will expose the network if for no other reason than through naivety. Also, don’t focus just on the Internet spaces listed here. They are simply examples. All can bring value but all also bring a certain amount of risk.
Unfortunately, there is a catch 22 here for many lawyers. Firms may be tempted to simply block access to something like Facebook; but this isn’t always the right answer because there will be times when access to Facebook will be absolutely called for as part of competently handling a client’s matter. The good news is that a great resource is available online to assist in the identification of the issues as well as in the development of a firm policy or policies. The SANS Security Policy Project posts a number of policy templates that address a variety of important security concerns, many of which you may not have even thought about. These resource materials are available to the public without cost. Topics addressed include an Acceptable Use Policy, a Wireless Communication Policy, an E-mail Policy, a Password Protection Policy, and a Remote Access Policy among many others. The SANS (SysAdmin, Audit, Network, Security) Institute is a cooperative research and education organization established in 1989. Over the years, the institute’s programs have reached over 165,000 security professionals worldwide. Learn more about the SANS Security Policy Project and access the sample policy language here.
The final piece will be in committing to seeing that hardware and software remain as current as economically feasible. The reason is as newer and more secure versions of software come to market, software companies eventually stop sending out security patches and updates to the older versions. Continuing to rely on older software that is no longer supported, for example Windows XP or even Windows 7 (after Jan 14, 2020), in order to save a little money is thus a serious risk because malware often specifically targets older versions of software. Cybercriminals know remaining vulnerabilities in older programs will never be patched and that works to their advantage. Don’t make it easy for them. Understand that when it comes to computer security, newer and better solutions for hardware and software will continue to enter the marketplace. When you think about what is at stake, isn’t the investment cost of updating to the most current version of a software program available well worth it?
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.