It’s no secret that hackers are targeting law firms. They’ve realized what juicy targets businesses in the legal industry represent. Their primary weapon of choice has historically been ransomware, but that is changing.
The threat from ransomware used to be losing access to your data and being forced to pay a hefty ransom in the hope that your data would be recovered. Sometimes it worked and sometimes it didn’t.
Businesses got wise to the risk and started to install better and better backup and disaster recovery systems in the hope they could forgo any ransom or loss of access to their data in the event of a ransomware attack.
Then the hackers took it up a notch. They started installing command-and-control software (rather than ransomware straight away) and using that foothold to poke around, find out what backup system you were using, and disable it before infecting the network with ransomware. The hackers demand a ransom, you ignore their demands – after all, you have a solid backup, right? Then… ugh, you realize the backups aren’t working. What the heck? You go back to the hackers, hat in hand, and pay the ransom, crossing your fingers that it all works out.
So businesses got even better at managing, monitoring, and testing their backups. They started leveraging cloud backups with multiple restore points that gave them multiple options for restoration and a better chance to recover in the event of an attack.
And again, the hackers took it up a notch. They figured that if you are going to take away their option to monkey with your data to demand a ransom, they will just take the data and threaten to share it publicly – OUCH, sounds like checkmate for the hackers.
So what do businesses do now? You have your backup and disaster recovery systems down pat but can’t risk sensitive client data getting out into the open, especially if you are a law firm.
Here are some thoughts on mitigating damage from data breaches:
Focus On How Hackers Get In
According to the Verizon Data Breach Investigations Report, the VAST majority of malware is delivered as an office document via an email attachment. Drill this into your people’s heads – if they get an attachment via email, there is a better than even chance it isn’t what they think it is. A good security training process will go a long way towards raising people’s awareness of these risks.
Only Open Attachments You Are Expecting
A common tactic is to hack into someone’s email account and send an email to all their contacts with a ransomware payload. When you get the email, you immediately recognize the sender and the email looks 100% legit; maybe it’s even someone you’ve done business with.
Unless you were 100% expecting an email with an attachment from this specific individual on the EXACT matter referenced in the email – don’t proceed. Instead, CALL the person – don’t email them.
Why call? I’ve replied back to a suspicious email with something like “Did you mean to send this to me?” and got back (from the hacker, no less) “Oh, yes. Very legit, please open the attachment.” Don’t email back to a suspicious email, pick up the phone!
With most law firms it is very common to have a folder where all client case files are organized – normally by client name – that everyone in the company can access.
Realize that if any of these users gets ransomware, their machine, with access to all client data, can easily upload the sensitive data and then encrypt it, producing an embarrassing data breach. Not good!
Instead, think through a segmented approach to data organization. Only give access to the files that people really need. Maybe you segment by attorney, or practice type, or region, whatever makes sense for your practice.
Also segment by job role, e.g. the person at the front desk who just manages everyone’s schedules might not need access to any client files. Limiting access this way greatly reduces your exposure to an all-out data breach.
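As an added illustration (not from the original post) of the segmented approach above, this PowerShell script carves a shared client folder into per-practice subfolders and grants each one only to its own Active Directory group, so a ransomware-infected workstation in one practice group cannot reach the other groups’ files. It assumes a hypothetical share root of D:\Clients, a domain called CORP, and existing groups named Legal-<PracticeGroup>; adjust those to your environment.

```powershell
# Added example, not part of the original post. Assumed names: share root D:\Clients,
# domain CORP, and AD security groups CORP\Legal-<PracticeGroup> that already exist.
# Run as an administrator on the file server.

$ShareRoot = 'D:\Clients'
$Domain    = 'CORP'
$Groups    = @{
    'Litigation' = "$Domain\Legal-Litigation"
    'RealEstate' = "$Domain\Legal-RealEstate"
    'Estates'    = "$Domain\Legal-Estates"
}

# Apply rights to the folder itself and everything created underneath it.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($practice in $Groups.Keys) {
    $path = Join-Path $ShareRoot $practice
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    $acl = Get-Acl -Path $path
    # Stop inheriting the broad "whole firm can read" entries from the share root,
    # and discard them rather than copying them onto this folder.
    $acl.SetAccessRuleProtection($true, $false)

    # IT/administrators keep Full Control so backups and maintenance still work.
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $Inherit, $Propagate, 'Allow')
    $acl.AddAccessRule($adminRule)

    # The practice group gets Modify (read/write/delete) rather than Full Control,
    # so users cannot loosen the permissions themselves.
    $groupRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Groups[$practice], 'Modify', $Inherit, $Propagate, 'Allow')
    $acl.AddAccessRule($groupRule)

    Set-Acl -Path $path -AclObject $acl
    Write-Host "Restricted $path to $($Groups[$practice])"
}

# Review pass: show exactly who can reach each practice folder, so a role such as the
# front desk can be confirmed absent before the change is signed off.
foreach ($practice in $Groups.Keys) {
    $path = Join-Path $ShareRoot $practice
    (Get-Acl -Path $path).Access |
        Select-Object @{n='Folder';e={$path}}, IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

The same pattern works for a per-attorney or per-region split; only the hashtable of folder names and groups changes.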
Another very common practice in law firms is to keep thousands and thousands of documents from past cases. In some instances, firms are scanning all their old paper files into electronic form to save storage space and allow for easy retrieval, but in effect, you are exposing this data to a data breach in a way that it simply wasn’t before.
In most cases when we look closely the firm is only ACTIVELY working on a few dozen files at any one time.
Why not take the inactive files and move them to offline storage? Microsoft Azure Storage tiers offer solutions that are very inexpensive and flexible for segmenting your archival data from live data and further limiting exposure to a data breach (assuming you are following best practices for offline storage).
Partner With The Right IT Firm
Picking an IT firm can be tricky, especially with the risks faced by law firms today. Technology Associates has the knowledge and experience needed to help Legal firms navigate stormy IT waters with confidence.
For some tips on making the right decision for your practice, check out our post Choosing An IT Provider For Your Law Firm.