Posted Sep 01, 2013 08:10 am CDT
Already making chump-meat of the most sophisticated of computer defenses, hackers are unleashing a new wave of malware on unsuspecting law firms. And among the newest targets are mobile phones and similar portable devices.
“The bad guys have caught on to the fact that people are using mobile devices more often than ever before to conduct financial transactions and to store sensitive business information,” says Steven Chabinsky, senior vice president of legal affairs at CrowdStrike, a cybersecurity firm. “CrowdStrike demonstrated a smartphone hack in 2012 showing that merely clicking on a link in a text message could result in a complete compromise.”
Add in the fact that far too many such devices are unauthorized “bring your own device” units with absolutely no law firm security software. “BYOD is a blessing and a curse,” says John K. Holland, CEO of information management firm D4. “It has allowed corporations to reduce spending on mobile devices, and users have the freedom to use the device of their choice. [But] from a security standpoint, it is a nightmare.”
Moreover, Android-based software—once thought by hackers to be too minor to bother with—is now a prime target due to its growing popularity. In 2012 nearly 33 million Android devices were infected with malware, according to the NQ Mobile 2012 Mobile Security Report.
Even worse, the invaders seem to be coming from all sides. “Cybercriminals tend to focus where the weak spots are,” says Gerhard Eschelbeck, chief technology officer at Sophos, a computer security firm. And, Holland adds, “law firms are soft targets. … The attackers aren’t pimply-faced teenagers. They are nation-states.”
(With the recent disclosure of widespread National Security Agency surveillance, some fear one of the nation-states may be our own.)
While coming up with bulletproof security against hackers is less likely than witty repartee with Paris Hilton, there are some basic precautions law firms can take, according to security consultants:
• Secure all mobile devices by getting your IT department to fully encrypt the units.
• Ensure that your cloud provider contract enables your firm to encrypt all the data it generates before it sends that data to the cloud.
• “Don’t let the BYOD and BYON (bring your own network) folks overrule security concerns,” says Sharon D. Nelson, president of the cybersecurity firm Sensei Enterprises. “We strongly believe that lawyers should connect to law firm networks only with devices owned and issued by the law firms. … We fear that we will have to suffer more very public data breaches before law firms collectively agree to batten down the hatches and put security first.”
• Take a hard look at USB connections. “Some organizations go so far as blocking physical access to USB ports [to discourage use of thumb drives] and employing full disk encryption on laptops,” Holland says.
• Stay up to date. “There is a reason vendors release updates and patches,” Nelson says. “Most successful attacks exploit vulnerabilities that have never been patched.”
• Get an annual checkup: “Every law firm should have a vulnerability assessment at least annually,” says Nelson.
• “Firms should hire first-rate information security professionals,” Chabinsky advises, “and should consider establishing a chief information security officer position.”
“Law firms need to understand that they’re being targeted by the best, most advanced attackers out there,” says Shane M. McGee, general counsel and vice president of legal affairs at Mandiant Corp., a cybersecurity firm. “These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, ‘one-stop shops’ for attackers.”