The Wall Street Journal recently reported that the FBI and the Manhattan U.S. General are investigating cyber attacks in which hackers were able to access records at U.S. law firms. It is believed that the attackers got in using legitimate user login and password credentials obtained through social engineering: the hackers targeted the firms' staff by email and/or telephone and tricked them into sharing their credentials.
Law firms are an obvious target when you consider the types of proprietary information they maintain, and the frequency of these attacks is increasing. We have also seen a rise in firms being hit with ransomware, which encrypts their data and extorts a payment in exchange for the key needed to make the data accessible again.
Firms can and should be proactive in protecting themselves and their clients. Here are some simple key steps to follow:
1) Identify what you have to protect, including financial account information, trade secrets or other proprietary information that could be used for insider trading, social security numbers, financials, and health records. Note that some of this information carries specific compliance requirements, but all of it should be protected.
2) Confirm where all of this data is located. Ideally you want it to be as contained as possible, because a small number of locations is easier to protect. Don't keep copies on everyone's local machine in addition to a shared file on your server or in the cloud, or you will end up with a much bigger attack surface! Do make sure you have backups, and that test restores are run periodically, so that if a ransomware attack hits you know you can actually restore your data.
3) When in doubt, encrypt. Encryption has come a long way, and it no longer slows down productivity the way it once did. Even if encrypted data is exposed, it may be useless to the attacker. Monitoring the network can often detect and stop an attack, or at least alert you to suspicious activity before the FBI comes calling because they found your client data for sale on the hackers' sites.
4) Keep sensitive data accessible only on a "need to know" basis. If each staff member has access only to the files they need to work on, then when one person is compromised you will have exposed only that subset of files, not all of the sensitive data on the whole network for the current year and possibly many years back. This makes a huge difference in remediation costs if you end up having to pay for client notifications and credit monitoring. Provide basic cyber security awareness training for your staff so they don't fall prey to social engineering or expose data by accident.
5) Follow NIST guidelines for cyber security. Talk to your IT support team to confirm that they are doing so, including patching known vulnerabilities every 30 days. Better yet, bring in a firm that specializes in NIST assessments to confirm it independently. Some cyber insurers will actually cover up to 50% of the cost of proactive testing!