This post is contributed by Sherri Davidoff of LMG Security (bio below).
“We hacked your web site and got client data,” Brett said. It was the phone call no attorney wants to receive. The good news for this firm was that we were penetration testers, hackers for hire, and our job was to find vulnerabilities before the attackers did. In this case, our client was one of the biggest law firms in the world. Brett found that with an attack on the firm’s web portal, he could download client billing information, confidential case notes, usernames and passwords for every client in their database—and so could any attacker in the world.
Attorneys are increasingly targeted by cyber attackers. However, “few law firms will admit publicly to a breach,” reports Jennifer Smith of the Wall Street Journal1. “Thefts of confidential information strike at the core of the legal profession's obligation to safeguard clients' secrets, and can do considerable harm to a firm's reputation.”
In 2013, Bleeker Street Law did a forensic audit of their firm’s computers—and discovered that they had been hacked. “A set of aspiring criminals had broken our security and were making everything they stole available by subscription,” wrote David Collier-Brown2. “Several foreign firms and at least one government had subscribed to us. . . .”
Think you’re too small to be hacked? Think again. According to Verizon’s Data Breach Investigations Report3, 75% of hacks aren’t targeted at all. “Some organizations will be a target regardless of what they do, but most become a target because of what they do,” reports the VBIR. Breaches occur because an employee clicked on a link in a phishing email, downloaded an infected software utility, or took some other action that gave hackers an easy opportunity. From there, hackers can take over your firm’s computers, gather confidential information, and then resell it to buyers around the world.
Financial information is especially targeted. In 2013, an Ontario law firm lost a six-figure sum from a trust account when a bookkeeper clicked on a link in a phishing email. Hackers monitored her keystrokes and captured the firm’s online banking username and password as she logged on. “The virus copied bank account passwords as she typed them,” reported Law Times4. In fact, similar thefts happen all the time—but few make the news, as law firms are understandably reticent to disclose.
Attorneys have a duty to protect not only your own confidential information and accounts, but also those of clients—and a breach can be disastrous.
How can small firms and solo practitioners defend against cybercriminal gangs and sophisticated organized crime groups? The good news is that you can dramatically reduce your risk by staying organized and taking a few simple precautions.
LMG Security has put together a 14-Step Cyber Security Checklist for Attorneys, available at www.lmgsecurity.com. Each month, we’ll dive into one item on our checklist. Here’s the road ahead:
- Use Strong Policies and Procedures
- Know Where Your Data is Stored
- Deploy Effective Antivirus
- Protect Against Spam
- Update Your Software
- Encrypt, Encrypt, Encrypt
- Limit Your Staff Members’ Privileges
- Train Your Staff
- Vet Vendors and Third Parties
- Respond Quickly and Appropriately
- Keep Your Eye on the Clouds
- Get Insurance
- Test Your Security
A smart first step is to get a cyber risk and security breach liability insurance policy. You can’t secure your network overnight, but you CAN get coverage to protect you in the event of a privacy breach, regulatory violation, or similar cyber incident. Check out ALPS’ cyber risk and security breach liability insurance at: protectionplus.alpsnet.com/cyber.
What ever happened to our client with the hacked web site? Within an hour, the flaw was fixed, and our client had locked up their customers’ information. They also reviewed their logs and verified that no one had previously accessed it.
In cybersecurity, as in any industry, an ounce of prevention is worth a pound of cure. You can protect yourself, and your clients, by taking proactive steps to defend against cybersecurity breaches. Stay tuned in the coming months as we walk through the 14-Step Cyber Security Checklist!
1 “Lawyers Get Vigilant on Cybersecurity,” Jennifer Smith, The Wall Street Journal, www.wsj.com, June 26, 2012
2 “Thank Goodness for the NSA! – a Fable,” David Collier-Brown, www.slaw.ca/2014/01/02/thank-goodness-for-the-nsa-a-fable/, January 2, 2014
3 “2013 Data Breach Investigations Report,” www.verizonenterprise.com/DBIR/2013/
4 “Law firm’s trust account hacked, ‘large six figure’ taken,” Yamri Taddee, Law Times, www.lawtimesnews.com/201301072127/headline-news/law-firms-trust-account-hacked-large-six-figure-taken, January 7, 2013
Sherri Davidoff has over a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments. She has consulted for a wide variety of industries, including banking, insurance, health care, transportation, manufacturing, academia, and government institutions. Sherri is the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT. LMG Security has partnered with ALPS insurance for internal training as well as CLE seminars through ALPS Educational Services.