No one can deny that cyberattacks are the new norm. Such risks will increasingly challenge our ability to operate our businesses. In the world of cybercrime, everyone — from individuals to nation-states — is a target. However, some targets are more alluring than others.
Legal, accounting and other professional firms are increasingly targeted by cybercriminals and hackers who are intent on accessing the vast stores of data with which they are entrusted. Indeed, hackers focus a greater percentage of their attacks on the financial services and health care industries than other areas because of the large amounts of data they hold. But attacks are not limited to such firms. According to an Osterman Research Survey Report from August 2016, nearly 80% of businesses were attacked in some way in the past year; 39% with ransomware.
As an industry, legal professionals are the trusted advisers to large and small companies and often have access to closely held secrets, intellectual property, personally identifiable information (PII) and other data relating to the private lives of others. This savory (and sometimes unsavory) information is attractive to cybercriminals. Information is a valuable asset and may be sold for astonishing financial sums (and, sometimes, astonishingly small sums — the average ransom is below $1,000 according to the same Osterman study).
Theft of information is a very significant concern for law firms of any size. They are held to strict standards and have a duty to protect the confidentiality of clients and client information. If a business has employees, technology containing sensitive information and connections to the Internet, it needs to protect the business, its clients, its employees and — one of its most valuable assets — its electronically stored information.
A business can have the best network engineers and technology support and the best and most securely configured security devices, but an unaware, unsuspecting and unwitting employee can provide access to a cybercriminal that allows that interloper to subvert all established security controls. Training and awareness are essential.
Law firms must be diligent about their information security — not just via protection through technology, but by training staff on what to look for and how to react to cybersecurity threats. Most security breaches arise out of human error or negligence. Educating users is one of the best defenses.
Sophisticated Attacks vs. Educated Employees
The scenario of someone clicking on an infected link is all too common. Most attorneys, partners and owners may think, “I’m too smart to click on a link that looks fake,” or “I would never fall for that email trick.” That may be true, you might not click on the link, but ask yourself if the same be said for every single person in your firm.
Will every single employee have your common sense when faced with the decision of believing an email? Are they armed with the understanding that they are a target? Do they know what to do after receiving a phishing email? Are they prepared to handle a phone call from somebody asking for information? Cybercriminals are getting increasingly sophisticated in their attacks, designing fake emails so they appear to be from Facebook, LinkedIn, the U.S. Postal Service and other reputable organizations. Cybercriminals use phone calls to impersonate technical support, the Internal Revenue Service (IRS), Microsoft employees and other trusted outsiders. For instance, one must beware when “Internal Revenue Service” pops up on caller ID. Hackers now fool mobile phones so that they can more effectively impersonate IRS agents when attempting to gain PII.
Will Your Employees Make the Right Choice?
Because of all the pressures we have in both our personal and professional lives — looming deadlines and countless distractions — employees only give themselves a split second to decide whether to click on a link or an attachment in the email and can find it difficult to be on constant alert. But they are the key to a security-aware culture. They have to be empowered and educated to take a moment and look at emails through an “information security lens.”
Why Don’t Law Firms Provide Security Training More Often?
Many firms are talking about cybersecurity, but are they taking active steps toward training? Yes, training consumes what could otherwise be billable hours, but dealing with ransomware or a major information security breach is vastly more expensive, and the damage to the firm can last much longer. Furthermore, the possibility of having to notify clients and others of a breach can damage reputations and cost thousands, even millions, of dollars. Reports show that employee training and other security best practices decrease the cost of these data breaches and their resultant lost productivity, embarrassment and money.
Sending the Message from Senior Management
An effective cybersecurity training and awareness program begins with management involvement. If employees don’t see the top attorneys, partners and the managing partner in the room, they won’t take managing information seriously. If the training doesn’t come from senior management with all employees from all levels involved, employees most likely won’t change behaviors. Furthermore, enlisting the help of information security experts, engaging the technical folks as part of the training and gathering all employees at all levels go far to ensure a security-aware culture.
Social Engineering and Phishing
One of the easiest and quickest protections a business can put in place is to provide companywide awareness education to all employees.
Humans are the weakest link. It only takes one single employee one click of the mouse to download malware.
Sending emails designed and created to trick unaware employees, or phishing emails, is the number one way cybercriminals gain access to information. And most of these breaches and attacks are preventable with an ongoing robust training and awareness program.
Court filings are public record, making it easy for hackers to find the name of the attorney of record and, using his or her name, send a phishing email with a malicious attachment that purports to be an updated complaint. An attacker can use social media websites such as Facebook and LinkedIn to gather information about a specific person and then use that information in an email and send it to the law firm’s accounting department.
Developing a Cybersecurity Training Program
A good security program should convey management’s understanding that information has value to cybercriminals — just like it does for the firm. Employees must understand that businesses are under attack, the consequences and that everyone’s commitment is imperative.
We’ve found that real-life stories, evidence and supporting facts are the most effective way to get employees to understand the threats and to “feel it in their gut” to identify cybersecurity threats. When employees put themselves in the stories during training and realize “this can actually happen to me and our firm,” it has a most profound impact.
The IT department can provide information to employees about the number of “hits” they see regularly on a firewall, for example. Seeing a real phishing email targeted at a specific employee or colleague makes an impact. All of this evidence shows employees that the firm is actively under attack.
An effective training program is ongoing. It’s not enough to train employees once and then never talk about it again. It has to be a constant message that securing information is everybody’s responsibility at all times. Employees need to understand how serious cybercrime is to business. They need to understand why they should care and how their behavior and interactions with technology and data can lead to downtime, lawsuits and even the closure of a business.
Reports show that of the 30% of cyberattacks on small businesses, 60% of those businesses close their doors within six months of the attack.
The Verizon 2016 Data Breach Investigations Report shows a trending decrease in attacks on servers and a dramatic increase of attacks on user devices and people. As we’ve recently seen with the DDoS attacks on Dyn, the role of connected devices — webcams, automatic thermostats and other “Internet of Things” devices — in large-scale attacks is increasing.
Furthermore, employees have to be quizzed to ensure the effectiveness of the training. For example, how do they respond to phone calls from the IT staff asking employees for their passwords and phone calls to employees from trusted people asking for access to systems, specific information or passwords? Fake phishing emails can be sent, designed to intentionally trick employees to see “who clicks on the link.”
Incentives can be put in place for those employees who identify and bring to management’s attention a phishing email sent to an employee. Law firms should take the time to provide “learning moments” when incidents occur.
Posters conveying the importance of protecting information should be placed in appropriate locations throughout the firm. Think of the old “Loose lips sink ships” posters.
Consequences should be reviewed if an employee fails to follow specific information security policies and standards. Logon banners should be used to provide training, so when employees first log in to the network, they have to read and “agree by clicking” that the system they are accessing is “for authorized users only.”
A good security program should explain what social engineering is and how employees are targets. It should provide examples and procedures to follow in the event of an incident or receipt of an email. Employees should understand terminology, such as malware, ransomware, phishing, smishing, vishing and spear phishing. Employees should be warned to be prepared and on the lookout for risks and attacks.
Employees should be taught how to create long, strong and complex passwords and how to use tools available to manage them all.
Furthermore, employees must be trained to ensure that all of their devices – including their personal devices, given the growth of BYOD in the work environment – are up-to-date on patches and the most current cybersecurity protections.
A good training program should equate poor security habits with business risk. Weak password habits, poor email habits, poor workplace security habits, poor judgment habits, workarounds and careless behavior all constitute business risk – and all of these habits are counted on by cybercriminals in order to exploit employees and gain access to information.
Information technology employees or outside IT providers can be instrumental in providing best practices across all devices.
An effective awareness program also includes why employees need to incorporate a security mindset. If law firms take the time to explain that employees’ behaviors are putting the law firm — and jobs — at risk, most will work toward doing the right thing and protecting information.
The most important takeaway for employees is that it is everybody’s responsibility to protect information, not just that of the IT department. All employees should adopt good security habits and behaviors.
Management must commit to ongoing information security awareness training. Information technology staff must continually provide tips, tricks, settings and configurations to users interacting with devices. Law firms should engage information security experts who regularly take the pulse on cybercrime and the latest trends. Finally, employees must be empowered to ask questions and verify information, phone calls and emails and to “not click on the link.”
Michael Kemps is the founder and president of Innovative Computing Systems, Inc., which has focused exclusively on the technology needs of law firms since 1989. Kimberly Pease, CISSP, is co-founder and vice president of Citadel Information Group, Inc. a Los Angeles based information security management consulting firm. Both Kemps and Pease work with employees at all levels within an organization to ensure the management and security of all aspects of technology and electronically stored information. They can be reached at firstname.lastname@example.org and email@example.com, respectively.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.