Lawyers who once sought stronger firewalls and tighter security to keep the bad guys out of their computer files are now hearing a sobering new message.
“The bad guys will get in, and you better plan for the crisis,” was the message from tech experts at the 2017 Virginia State Bar TECHSHOW.
Despite the latest in digital defenses, determined hackers can install ransomware or plunder data in almost any system, cyber gurus warned at the April 24 Richmond conference.
“We can’t keep the barbarians at the gate,” said former VSB president Sharon D. Nelson, TECHSHOW chair.
“You can’t protect. You can’t defend. All you can do is detect and respond,” read the warning in one presentation, quoting security expert Bruce Schneier.
Ransomware attacks increase
One of the scariest cyber threats is ransomware – a malicious program that can take over your computer, or your whole network, and block access to your files until you pay the ransom.
Incidents increased by 165 percent in 2015 and by 400 percent in 2016, according to Fairfax digital forensics technologist John Simek.
“It’s definitely growing,” said Jim Calloway with the Oklahoma Bar Association, who writes and lectures on law practice management.
The cost of the fix is growing, too, as perpetrators realize the effectiveness of their scheme. Where the average ransom amount was once about $100, the payoff now ranges from $300 to $3,000, Simek said. Payments in 2016 were expected to reach $1 billion, the FBI said.
At a recent conference in Emporia, two Virginia law firms reported paying $1,200 and $3,000 for the encryption keys to unlock their data, Nelson said.
An accidental click on an inviting email link can unleash the ransomware. A message will tell the user that payment must be made within a certain period or the walled-off data will be permanently unavailable, tech experts said.
For law firms, an attack usually brings all work to a stop as lawyers scramble to figure out what to do.
“It is a nightmare,” said Illinois lawyer Nerino Petro, the technology chief for an 18-partner firm. “Personally, there’s no punishment too severe for these SOBs. It is absolutely terrifying,” he continued.
Many firms promptly pay up to get back to business.
“To be honest, we often advise people just to pay the ransom,” an FBI official was quoted as saying in 2015.
Even lawyers who diligently back up their data using best practices sometimes agree to pay simply because it would take so long to restore all their files from their storage devices.
Purveyors of ransomware demand payment in bitcoin, the digital currency. Some large firms reportedly have established standing bitcoin accounts – dubbed “wallets” – so payoff money is readily available.
Petro said he would prefer to resist the crooks.
“I would rather lose a couple days of data than to pay these people one damn penny,” he said.
The other major crisis that law offices must plan for is a data breach, experts said.
Hackers see law firms as “one-stop shops,” the experts said.
“We are like a cornucopia for a bad guy,” Petro said. Law firms have high-value information, the data is well organized and security is often weak, he explained.
Besides client anger, public relations problems and loss of business from a data breach, an organization that fails to give prompt notice can be subject to as much as $150,000 in civil penalties under Va. Code § 18.2-186.6. The statute sets out notification requirements when a data breach occurs.
Incident response plan
Law offices need an incident response plan, the experts advised. The emergency file should include: contact information for a data breach attorney (possibly called a “privacy” lawyer) and for a digital forensics company; a copy of any insurance policies that might apply to the situation; and contact information for the law office’s bank.
“Don’t worry about calling the bank,” Nelson said. “They get these calls all the time.”
Part of the response plan should be clear instructions on what employees should do.
“The last thing you need is an employee posting on Facebook, ‘What an exciting day; we had a data breach!’” Nelson said.
Prevention requires training
Most law firms by now are aware of the ethical requirements for at least minimal security precautions. Even with strong firewalls and best practices, however, the weak link often is an unsuspecting staffer.
Malicious links arrive in compelling emails, TECHSHOW speakers said. Hackers can make the email look like it came from top management or anyone on the staff.
“Any 13-year-old wannabe kid-hacker can spoof an address in a few minutes,” Nelson said.
Fear is a “big factor” in getting you to click the link. A popular lure for lawyers is an email with the message: “A bar complaint has been filed against you.”
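The spoofed-sender lures the speakers describe leave traces a mail filter or a careful reader can check: a colleague's display name paired with an outside mailbox, a domain that borrows the firm's name, a Reply-To that points elsewhere, SPF or DKIM failures recorded by the receiving server, and pressure language such as "a bar complaint has been filed against you." The script below is an added illustration of those checks and is not code from the article or from any of the speakers. The firm domain (example-law.test), the staff directory and the three sample messages are all constructed placeholders.

```python
"""Flag e-mail headers and text that look like a spoofed or impersonating lure.

Added example, not code from the article or the conference speakers. It assumes
a placeholder firm domain (example-law.test) and a constructed staff directory.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"                     # assumed placeholder, not a real firm
FIRM_LABEL = FIRM_DOMAIN.split(".")[0]               # "example-law", used to spot lookalikes
STAFF = {"jane doe": "jane.doe@example-law.test"}    # constructed staff directory
LURE_PHRASES = ("bar complaint", "filed against you", "within 24 hours",
                "wire instructions")
BAD_AUTH = ("fail", "softfail", "permerror", "temperror")


def analyze_message(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 822 message; [] means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # A known colleague's display name on a different mailbox: classic impersonation.
    expected = STAFF.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{display}' impersonates staff; real address is {addr}")

    # A domain that borrows the firm's name without being the firm's domain.
    if domain and domain != FIRM_DOMAIN and FIRM_LABEL in domain:
        findings.append(f"lookalike sender domain {domain}")

    # Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    # SPF/DKIM/DMARC verdicts stamped on the message by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in BAD_AUTH:
            origin = "the firm's own domain" if domain == FIRM_DOMAIN else domain
            findings.append(f"{mech}={m.group(1)} for mail claiming to come from {origin}")

    # Pressure language typical of the lures described at TECHSHOW.
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))

    return findings


def is_suspicious(raw: str) -> bool:
    return bool(analyze_message(raw))


# Constructed sample messages (not real mail).
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example-law.test>",
    "To: staff@example-law.test",
    "Subject: Lunch schedule",
    "Authentication-Results: mx.example-law.test; spf=pass; dkim=pass",
    "",
    "Team, lunch is at noon.",
])
SPOOFED = "\n".join([
    "From: Jane Doe <jane.doe@example-law.test>",
    "To: staff@example-law.test",
    "Subject: Urgent: bar complaint filed against you",
    "Authentication-Results: mx.example-law.test; spf=fail "
    "smtp.mailfrom=mailer.attacker-example.test; dkim=none",
    "",
    "Please review the attached notice within 24 hours.",
])
LOOKALIKE = "\n".join([
    "From: Jane Doe <jane.doe@example-law-secure.test>",
    "Reply-To: billing@example-law-secure.test",
    "To: staff@example-law.test",
    "Subject: Updated wire instructions",
    "Authentication-Results: mx.example-law.test; spf=pass "
    "smtp.mailfrom=example-law-secure.test; dkim=none",
    "",
    "Send today's settlement funds to the new account below.",
])

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, "->", analyze_message(sample) or "no findings")
```

The display-name check is the one staff most need to internalize: the spoofed message here carries a perfect internal address and is caught only because the receiving server recorded spf=fail, while the lookalike message passes SPF for its own domain and is caught by the name and domain mismatch instead. No single check is sufficient, which is why the script reports every finding rather than stopping at the first.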
The “number one thing” in preventing missteps is training staff “not to click on an email you don’t recognize,” said Reid F. Trautz of Washington, who writes and presents on law practice issues.
Services that help prevent such mistakes will first run tests to see how vulnerable an office is.
The trainers will send a harmless phishing email to see if anyone takes the bait. Another test is to leave a thumb drive lying in the open to see who recklessly sticks it in a computer to view the contents.
Having a training session that starts with such simulated attacks can reduce the risk of phishing success by 20 percent, one study showed.