Law firms “may not be the primary target” of cybersecurity attacks, according to a compelling presentation published online by Accellis Technology, a certified LexisNexis consultant, titled: Law Firm Cybersecurity: Practical Tips for Protecting Your Data.
The presentation is this week’s Friday Share and is embedded nearby.
Firms are at risk because they maintain a “tremendous amount of highly confidential information and information.” The group calls this information “currency” in the trade of stolen information.
Security, Investment and End Users
The Accellis team says hardening law firm security requires more than just money. It points to a prominent investment bank that invested more than a quarter million dollars each year, and still experienced a breach where millions of user and business accounts were exposed.
Why? “End users are the single weakest point in any network,” according to the presentation, which points to phishing schemes and social engineering:
- Phishing schemes usually come in the form of malicious emails encouraging readers to click a link that installs malware behind the firewall. These scams have become increasingly sophisticated in an effort to create the appearance they are from trusted sources. One legal malpractice insurance carrier explained a common scheme to which small law firms are especially vulnerable here: A Tricky Email Scam and Avoiding Law Firm Malpractice.
- Social engineering is “a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures,” according to Search Security by TechTarget. In other words, it’s a convincing phone call to law firm staff in an effort to elicit revealing information to aid a breach.
The Accellis presentation also describes a “Dyre Wolf” attack, which is a complex synchronization of multiple techniques like those described above.
3 Common End User Mistakes
The experts at Accellis also describe three common mistakes end users make, which are useful for law firms to understand when assessing vulnerabilities. Those mistakes are as follows:
1. “D’oh!”: Ever sent an email to a client and about .0009 seconds after hitting the send button, you realize you’ve sent information to the wrong recipient? DBIR reports this as being the single largest exposure point for data.
2. “My Bad!”: According to the same DBIR reports, about 17% of the breach / disclosures are the result of users publishing nonpublic data to public servers. Sensitive client data does not belong on the Google!
3. “Oops!”: The last bucket of end user snafus is the insecure disposal of personal and medical data.
The complete presentation includes five recommendations for law firms “to get in front of the problem,” beginning with putting someone in charge of cybersecurity.
Photo credit: Accellis Technology: Law Firm Cybersecurity