Lax data security can cost you clients
Illustration by Thomas Fuchs
While multinational corporations have long been prime targets for hackers, cybercriminals are increasingly targeting law firms—of all sizes. Often, said a LegalTech New York 2013 panel, a firm’s computer system is easy prey for hackers looking to infiltrate the financial dealings of that firm’s much larger—often global—clients.
“End-user computers are the weakest spot,” said Shane Sims, a director of investigations and forensic services at Pricewaterhouse-Coopers. “Typically these computers are protected only by antivirus software, and the most sophisticated hackers attack at that point.”
Corporations alarmed by these newfound vulnerabilities are engaging in thorough security audits of the attorneys they hire and “pulling work from the law firms” they believe are major security risks, said Mark Brophy, director of information technology at Rogers Townsend & Thomas in Columbia, S.C.
Attorneys looking to pass these audits will need to show a hard digital perimeter, including defenses against some new threats on tap for 2013. High on that list is cloud-server-snapshot software, which can infect the cloud server where a law firm stores its data and take a complete snapshot of everything present—including passwords, said Gerhard Eschelbeck, chief technology officer at Sophos, a global IT security firm.
More hackers are also using text-messaging theft software, which is surreptitiously added to the phone of an unsuspecting user, then activated to forward all messages to a hacker, Eschelbeck said.
Sophos has also detected increasing use of “ransomware” against small and medium-size businesses. Such malware can infect both phones and computers and render them inoperable. Hackers often demand large ransoms for its removal, though they rarely follow up on removal if a business pays the ransom, according to Sophos.
Even average computer users are able to get into hacking with superkit software. This do-it-yourself package offers more than a dozen ways to infiltrate even sophisticated cyber-defenses, Eschelbeck said. And criminals buying this software on the black market simply need to know how to point and click.
Granted, law firms and their clients should be using firewalls and other network protection, but their best return on investment is employee education, Brophy said. A vigilant employee is the best investment a law firm or client can make in computer security, he said.
Carlos Rodriguez, the Kansas City, Mo.-based manager of network infrastructure and security at Lathrop & Gage, agreed. His goal is to transform “users into my first line of defense.”
Specific ideas the two offer for getting employees on board include:
• Make security training ongoing. Simply offering a one-hour computer security course is not sufficient.
• Use the inbox. Regular email tips, tricks and news about IT security in the workplace help keep security top-of-mind.
• Ensure buy-in. Packaging IT security as an organization initiative rather than a security initiative can help.
• Remind everyone about ethics issues. Supervisors and partners should know they’re on the hook ethically if they don’t demonstrate due diligence with IT security.
• And stay educated. Recommended books include America the Vulnerable and Fatal System Error for overviews of the cyberthreats law firms and their clients face.
