Sign up for our free newsletter.
“Cybersecurity: This Way There Be Dragons!” was the title of the 2018 College of Law Practice Management Futures Conference, held in Boston last week. This reference to the medieval practice of drawing mythical beasts on uncharted areas of a map couldn’t be more appropriate. Over and over, speakers described cybersecurity as a moving target owing to the constantly evolving nature of cyberthreats. The first panel aptly quoted computer security expert Bruce Schneier:
“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”
“Detect and respond” was a major theme throughout the two-day conference. Gone are the days of the individual hacker. Hacking networks now span far and wide. These hacking rings are often sophisticated and well funded.
And hacking attempts are increasing. Nearly 1 in every 100 emails is reportedly a hacking attempt, and 90 percent of those attempts involve social engineering (impersonation with the goal to steal data or install malware in the future). So, it should come as no surprise that when asked, nearly every audience member indicated they had knowledge of a law firm or organizational cyberbreach. In fact, we have data to support this: In results from the 2017 ABA Legal Tech Report, 22 percent of responding law firms had suffered a breach. More than ever, it is imperative that attorneys and law firms remain vigilant.
Here are my conference takeaways aimed at helping to detect, respond and mitigate cyberthreats.
All the data suggest that law firms are, in fact, targeted due to the potentially vast amounts of sensitive data in their care. Major law firms such as DLA Piper, Cravath, and Weil Gotshal have suffered breaches that put their practices in the spotlight.
Of note, speakers mentioned a trendy law firm scam involving gift cards. The hacker either spoofs or gains access to a law firm partner’s email address. The “partner” then emails a staff member with directions to buy hundreds of dollars’ worth of gift cards. The “partner” then instructs the staff member to transmit the serial number on the gift cards via email. The hacker can then sell these serial numbers for virtual currency or cash. Because this is a cash transaction, it is not recorded and is difficult to track, report and stop.
What can your law firm do?
Over and over, speakers pointed out the “human problem.” In any organization, including law firms, the greatest security threat is the people. Firms must work to “build a culture of security” to decrease cybersecurity risks in these ways:
Guest speaker FBI Special Agent Timothy Russell echoed other speakers in saying the best you can hope for in the current landscape is to “detect and mitigate.” Russell encouraged attendees to work with the FBI to help law firms into a better defensive posture and suggested that it would not necessarily result in an investigation. To provide awareness, Russell encouraged using the government’s website, IC3, to report scams. Later in the day, John Simek, Vice President of Sensei Enterprises, suggested joining the FBI’s public-private partnership program, InfraGard, to receive information regarding known cyberthreats.
If you need advice on how to conduct employee awareness training, the American Bar Association has an on-point CLE, here. This topic was also addressed by Sharon Nelson, President of Sensei Enterprises, and Jody Westby, CEO of Global Cyber Risk, at ABA TECHSHOW 2018.
Finally, to end on a more worrisome note, speakers mentioned this site, Shodan.io, known as “Google for hackers.” It provides information about internet-connected devices, including IP addresses, location details and more. When I briefly investigated the site, I discovered a top voted search on “default passwords” resulting in IP addresses and router configurations, as well as default passwords, location and more.
As emphasized throughout the conference, law firms must think about how to detect threats and respond to them. This will necessitate investment in cyberattack prevention, detection, mitigation and response. At a minimum, firms should have policies and processes in place addressing cybersecurity, training and awareness programs for employees, and disaster response and recovery plans. The time is now — don’t wait until it’s too late!
Sign up for our free newsletter.
Get on the path to reducing invoicing inefficiencies and receiving payments faster.November 16, 2018 0 0 0