by Jordan McQuown, CIO, LogicForce
Watching the news, you could easily come away with the impression that our greatest security threat emanates from state actors far away, seeking to hack into your law firm.
You might even feel that you are protected. After all, your firm put firewalls and strong external perimeter defense systems in place. Are you sure you didn’t overlook something?
In my experience, a data breach is far more likely to result from the incidental actions of internal employees than from an external attack. The most prevalent cybersecurity threats are not direct assaults on your perimeter defenses from the outside; unintentional actions by insiders expose your firm to much bigger risks.
How can you identify and manage these risks to prevent a data breach? I recommend starting by focusing on...
The Six Biggest Internal Cybersecurity Threats
To prevent threats, you must be aware of them. Recently, LogicForce profiled more than 300 law firms for our Law Firm Cyber Security Score Card. Based on those analyses and on my experience with many law firms, here are six major internal cybersecurity threats your firm should be aware of today:
Note that the first four of these cyber threats are accidental and usually unintentional in nature, while the last two are intentional or malicious.
Let’s examine how these six threats play out in the day-to-day business of law firms so your firm can be aware of them and take action.
1) Email Phishing Scams Can Expose Firm Data
The 2017 Verizon Data Breach Investigations Report, which analyzed more than 40,000 security incidents, found that social attacks on end users, most of them phishing, were involved in a large share of the breaches it examined.
Through increasingly sophisticated wording and look-and-feel, phishing messages trick employees into giving up their login credentials. Usually, the employee clicks a legitimate-looking link that leads to a webpage that also looks legitimate. Once they enter their credentials on that page, the credentials are stolen.
Stolen credentials grant the phisher access to the firm's email system, virtual private network (VPN), or other systems, and let the attacker install malware that provides a backdoor into the network. With such access, your firm's and its clients' data can be taken, leaked, sold, ransomed or used for other nefarious purposes.
What's most important to understand about this threat is that attackers look for the path of least resistance. A phishing campaign that sends well-crafted emails to large numbers of users costs little to launch, and only a small fraction of recipients need to click for it to be profitable. We can therefore expect attackers to keep using it.
Fortunately, there are three ways to reduce this threat. One is to deploy high-quality, regularly updated email filtering that blocks spam and known malicious links. The second is to let a secure cloud-based browser (remote browser isolation) handle any mistaken clicks by your users, so that malicious code runs outside your firm's perimeter. The third is to train all firm employees in what to look for and what not to fall for. The best strategy is to combine all three, and to add multi-factor authentication on email and VPN so that a stolen password alone is not enough to log in.
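As an added example that is not part of the original article, here is a Python check of the kind an email filter (or a training tool that explains why a message was flagged) can run over the links in a message. It compares the domain shown in the link text with the domain the href actually points to, and flags punycode hosts, hosts that embed a trusted name inside an unrelated domain, plain-http login links, and URLs that hide the real host behind userinfo. The trusted-domain set, the sample message and the domain names in it are constructed for the example.

```python
"""Flag links in an HTML email that look like credential-phishing lures (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the firm legitimately signs in to (assumption for this example).
TRUSTED_DOMAINS = {"example-law.com", "microsoftonline.com"}

# A bare domain name appearing in the visible link text, e.g. "login.microsoftonline.com".
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable(host: str) -> str:
    """Last two labels of a host ("login.microsoftonline.com" -> "microsoftonline.com").
    Crude stand-in for a Public Suffix List lookup; adequate for the lookalikes below."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> list:
    """Return the reasons (possibly none) that this link looks like a phish."""
    reasons = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["href is not a web URL"]
    if parsed.scheme == "http":
        reasons.append("plain http: anything typed on the page travels unencrypted")
    if parsed.username is not None:
        # https://login.microsoftonline.com@evil.example/ really goes to evil.example
        reasons.append("userinfo before '@' hides the real host")
    if "xn--" in host:
        reasons.append("punycode host (possible homoglyph lookalike)")
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if reg != trusted and trusted in host:
            reasons.append(f"trusted name {trusted} embedded in untrusted domain {reg}")
    for shown in _DOMAIN_IN_TEXT.findall(text):
        if registrable(shown) != reg:
            reasons.append(f"link text shows {shown} but href goes to {host}")
    return reasons


def scan_message(html: str) -> dict:
    """Map each suspicious href in the message to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return {href: r for href, text in collector.links if (r := analyse_link(href, text))}


# Constructed sample message: one genuine link, two lures.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<p><a href="https://login.microsoftonline.com/">Sign in</a> to keep receiving mail, or use
<a href="https://login.microsoftonline.com.account-verify.net/owa">https://login.microsoftonline.com/owa</a>
or the <a href="http://xn--micrsoft-7za.com/login">Microsoft portal</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Such a check complements reputation-based filtering: it needs no list of known-bad sites because it reacts to the trick itself, the gap between what the user sees and where the click goes, rather than to a particular sender.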
2) Browser-Based Exploits
One of the web's inherent risks stems from browser-related exploits. Browser vulnerabilities lead to damage in two main ways: automated remote attacks against the browser installed on the user's machine, which are the most concerning to your law firm, and the browser's use as an unmonitored channel for moving data out of the firm.
Browsers have historically been one of the largest vectors of initial compromise. Attackers exploit security vulnerabilities in ordinary browsers and their plug-ins, relying on users' willingness to visit compromised websites.
An exploit kit hosted on a compromised or malicious site probes the visiting browser for known vulnerabilities and, when it finds one, drops malware on the local machine. Attackers also use the browser simply to trick users: into entering credentials on a fake page, into downloading an infected file, or into other actions that further compromise the firm's IT infrastructure.
Lastly, browsers are often used to transmit client files to sites and services outside the purview of IT, which introduces additional risks from intentional or inadvertent insider actions.
Web-based email and file-sharing sites such as Dropbox often go unchecked and create blind spots for IT. Many internet security products only scan traffic when the user is behind the firm's firewall, and often, because of privacy concerns, that traffic is not inspected for data loss prevention at all.
The good news is that there are products and strategies to mitigate this threat. Using a cloud browser that runs on an external machine essentially limits the exposure of your firm’s network and data, should users unknowingly access a compromised website.
A cloud browser also enables you to regulate what data are transferred out from the firm’s systems to personal webmail accounts or personal file sharing sites, putting the firm back in control of data handling.
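To show what "regulating what data is transferred out" amounts to in practice, here is an added example (not code from the article or from any product it mentions) that evaluates a web-proxy log offline. The log format, host lists, user names and byte counts are constructed for the example; the policy it encodes is the one described above: uploads to the firm's own systems are fine, uploads to personal file-sharing or webmail services are flagged when they are large in one request or add up over a day.

```python
"""Flag uploads to unsanctioned sharing and webmail services in a proxy log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Policy assumptions for this example: the firm's document system and its mail service
# are sanctioned destinations; consumer sharing and webmail services are not.
SANCTIONED_HOSTS = {"dms.example-law.com", "outlook.office365.com"}
UNSANCTIONED_SUFFIXES = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                         "mail.google.com", "wetransfer.com")
PER_REQUEST_LIMIT = 5 * 1024 * 1024       # one POST/PUT above 5 MiB
PER_USER_DAILY_LIMIT = 20 * 1024 * 1024   # more than 20 MiB per user per day in total

# Constructed log format: one request per line, fields as key=value.
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"bytes_out=(?P<bytes_out>\d+) status=(?P<status>\d+)$")


@dataclass
class Alert:
    user: str
    host: str
    reason: str
    bytes_out: int


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["status"] = int(rec["status"])
    return rec


def is_unsanctioned(host: str) -> bool:
    host = host.lower()
    if host in SANCTIONED_HOSTS:
        return False
    return any(host == s or host.endswith("." + s) for s in UNSANCTIONED_SUFFIXES)


def evaluate(lines) -> list:
    """Return alerts for large or cumulative uploads to unsanctioned services."""
    alerts, per_user = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not is_unsanctioned(rec["host"]):
            continue
        # Count attempts regardless of status: a 403 from a blocking proxy still shows intent.
        per_user[rec["user"]] += rec["bytes_out"]
        if rec["bytes_out"] > PER_REQUEST_LIMIT:
            alerts.append(Alert(rec["user"], rec["host"], "large single upload", rec["bytes_out"]))
    for user, total in per_user.items():
        if total > PER_USER_DAILY_LIMIT:
            alerts.append(Alert(user, "*", "daily upload volume to unsanctioned services", total))
    return alerts


# Constructed sample: one big Dropbox upload, and a slow drip of documents to Google Drive.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z user=jsmith method=GET host=www.example.org bytes_out=512 status=200",
    "2024-03-01T09:14:41Z user=jsmith method=POST host=dms.example-law.com bytes_out=8400000 status=200",
    "2024-03-01T09:20:07Z user=jsmith method=POST host=content.dropboxapi.com bytes_out=9100000 status=200",
    "2024-03-01T09:21:19Z user=akhan method=PUT host=mail.google.com bytes_out=300000 status=200",
] + [
    f"2024-03-01T11:{2 + i:02d}:10Z user=akhan method=POST host=drive.google.com bytes_out=4000000 status=200"
    for i in range(6)
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.user:8} {a.host:26} {a.reason} ({a.bytes_out / 1048576:.1f} MiB)")
```

A cloud browser or a proxy that inspects traffic after TLS termination is what makes these byte counts visible in the first place; a perimeter firewall that only sees encrypted sessions cannot produce this log, which is the blind spot the section describes.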
3) External Drives and Devices That Go Missing
External drives, USB sticks, and other devices containing firm-related data often go missing. Not only does this happen more frequently than most people realize, but it also creates various problems:
- The missing drive or device may contain irreplaceable data.
- Typically, no one knows everything that was on the drive or device. An attorney or other employee may "think" only certain files were on it, but this is often impossible to verify.
- Breach-notification laws, now in force in all 50 U.S. states, require that affected individuals be notified when Personally Identifiable Information (PII) is involved. If it is uncertain what was on the missing drive or device, how can the firm determine what it is required to do?
- Information on a storage device could be used for ransom, blackmail, or unfair economic advantage—or to gain access to your entire network.
Fortunately, these risks can be greatly reduced by using today’s data management and monitoring tools. Such tools make it very simple for you to know exactly what is on every one of the firm’s drives and devices.
When a hard disk or thumb drive goes missing, you'll immediately know what next steps to take (for example, issuing breach notifications for the PII it held). There are also more sophisticated data loss prevention tools that you should consider deploying. Here's how they work:
- Data written to the drive is encrypted at rest.
- To access the data, the user must be connected to a cloud server and authenticate first.
- Without authentication, the data cannot be read.
- If an unauthenticated person attempts to access the data more than a set number of times, the device automatically wipes it.
- Or a user can remotely set a wipe action. If and when the stolen or lost device comes online, it will be triggered to wipe all of its data.
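The inventory point above, knowing what was on a device, is the part a firm can implement itself. As an added example, not code from the article, the following Python builds a manifest of every file on a mounted drive, with size and SHA-256, and flags files that carry common PII indicators so the notification question can be answered from the manifest rather than from memory. The sample drive contents, the SSN and card-number detectors and the matter numbers are constructed for the example.

```python
"""Build an inventory (manifest) of a removable drive and triage it for PII (added example)."""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Detectors are illustrative assumptions; a production tool uses validated detectors.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out phone numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return sorted PII categories found in text (empty list if none)."""
    found = set()
    if SSN_RE.search(text):
        found.add("us_ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
            break
    return sorted(found)


def build_manifest(root: str) -> dict:
    """Hash and size every file under root and note which ones carry PII indicators."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            files.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "pii": find_pii(data.decode("utf-8", errors="ignore")),
            })
    files.sort(key=lambda e: e["path"])
    return {"generated": datetime.now(timezone.utc).isoformat(), "files": files}


def notification_triage(manifest: dict) -> list:
    """Files on a lost device that would drive a breach-notification decision."""
    return [e["path"] for e in manifest["files"] if e["pii"]]


def make_sample_tree() -> str:
    """Constructed stand-in for a mounted USB stick; returns its temporary root path."""
    root = tempfile.mkdtemp(prefix="usb-")
    samples = {
        "matters/2024-0117/engagement_letter.txt":
            "Engagement letter, matter 2024-0117. Client SSN 123-45-6789 on file.",
        "matters/2024-0117/invoice.txt":
            "Invoice 77. Card on file 4111 1111 1111 1111, expires 12/27.",
        "notes/todo.txt": "Call opposing counsel re: deposition dates.",
        # Looks like a card number but fails Luhn, so it is not flagged.
        "personal/phone.txt": "Dentist 555-123-4567, confirmation 1234 5678 9012 3456",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    manifest = build_manifest(make_sample_tree())
    print(json.dumps(manifest, indent=2))
    print("needs notification review:", notification_triage(manifest))
```

Run it when a drive is issued and store the manifest centrally; re-run it when the drive comes back and compare hashes to see whether anything changed in between. Regex detectors are a floor, not a ceiling: names, addresses and medical details need detectors a few lines of regex cannot provide.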
4) Attorneys or Other Staff Using Public Wi-Fi Networks
Attorneys who travel frequently expose their firm's data and systems simply by logging on, or just by leaving Wi-Fi turned on, in the airport, on the plane, in the hotel, in a coffee shop or on a client's compromised network.
Are your lawyers putting their firm at risk on public Wi-Fi?
If an attorney connects through an unsecured Wi-Fi network and then logs into email or the firm network over a connection that is not encrypted end to end (plain HTTP, legacy mail protocols, or a session intercepted by a rogue access point), anyone on that network can eavesdrop and capture the credentials and session data needed to breach your systems.
This threat is fairly easy to mitigate, for example with a cloud browser that lets the user reach the web only through an encrypted connection. Attorneys and other employees should also be instructed to turn off Wi-Fi in public when they are not using it.
They should also be trained to connect only through wireless networks that are known to be trustworthy and use modern encryption (WPA2 or later). The firm can also provide a VPN or a personal hotspot that employees use to reach the internet from the road.
5) Insiders Taking Firm Data To Use For Blackmail Or To Start Their Own Practice
Lawyers tend to move around a good deal, with individual attorneys and entire practice groups leaving one firm for another or starting their own business. Often, according to their agreements with the firm and established norms, they are allowed to take active case data with them.
What’s not considered legitimate: taking with them firm-wide data that goes beyond their active cases.
An attorney or practice group leaving for greener pastures usually faces few hurdles in copying data to a hard drive, a thumb drive, some other form of external media, or the cloud.
This often creates major problems. Not only can data taken this way be used for illegitimate economic advantage, but it can also be used for blackmail: "If you don't pay a ransom, the data will be released to the world."
It is surprisingly common for attorneys to leave and take internal data with them, whether for economic or ransom purposes. Fortunately, regular monitoring of data files and data access can help mitigate this risk.
For example, if you know an attorney (or any employee, for that matter) is about to leave the firm or could be considered “disgruntled”, you can begin to monitor their digital activity and limit access.
If you see that someone is accessing data files that have nothing to do with their active case load, or is comprehensively scanning and copying data from your network, you can take immediate action and look deeper into the potential problem.
6) Breaches Motivated by Revenge Or a Political Agenda
Certain cyber breaches are perpetrated by attorneys or employees who are seeking revenge or have a political agenda. Such malicious insiders don’t necessarily want to make money. They want to get even.
One prime example is the Panama Papers, in which someone with access to the Panamanian law firm Mossack Fonseca leaked millions of internal documents. The firm attributed the leak to an external hack; one unconfirmed theory is that a disgruntled IT employee decided to expose confidential documents to get revenge.
Then there is Edward Snowden, who worked at the NSA as a contractor employed by Booz Allen Hamilton. Over a period of months he accessed and copied large volumes of material his role did not require, without being detected until he went public. His goal: to expose information he found objectionable based on his political views.
Both of these scenarios can be addressed with the right technologies and processes. If an employee or contractor has a concrete reason to act against the firm, for instance openly stated views in direct conflict with a matter the firm is handling, it is wise to keep an eye on their digital activity, within the bounds your employment policies and counsel allow.
If you have an employee who is disgruntled or who has made threats, it is advisable to monitor their digital activity.
This may sound somewhat "Big Brother" in nature. But to protect your client data, your reputation, and ultimately your firm's financial solvency, it might be necessary.
There are sophisticated data and access monitoring tools that can track digital behavior and create alerts when a user trips defined thresholds: copying documents unrelated to their own matters, or attempting to access systems and resources they are not authorized to see.
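As an added example that is not part of the original article, here is the threshold logic the last paragraph describes, run over a constructed document-management audit log: accesses to matters outside a user's assignment, bursts of reads or copies in a short window, and repeated authorization failures against systems the user is not entitled to (the pattern the Snowden case is cited for). The user names, matter numbers, log format and thresholds are assumptions for the example.

```python
"""Detect insider warning signs in a document-management audit log (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-user matter assignments (in practice pulled from the matter-intake system).
ASSIGNED_MATTERS = {"jsmith": {"2024-0117", "2023-0882"},
                    "akhan": {"2024-0201"},
                    "mlee": {"2024-0090"}}
OFF_MATTER_LIMIT = 3                                   # distinct matters outside the assignment
BURST_LIMIT, BURST_WINDOW = 40, timedelta(minutes=10)  # reads/copies inside a sliding window
DENIED_LIMIT, DENIED_WINDOW = 5, timedelta(hours=1)    # authorization failures inside a window

# Constructed log format: ts user action matter target result (matter is "-" for logins).
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"matter=(?P<matter>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$")


@dataclass
class Alert:
    user: str
    reason: str
    detail: str


def parse(line: str):
    """Parse one audit line into a dict with a datetime, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def in_window(window: deque, ts: datetime, span: timedelta) -> int:
    """Add ts to a sliding window (chronological input) and return the events inside span."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    return len(window)


def evaluate(lines) -> list:
    """Raise each (user, reason) at most once over the whole log."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    alerts, raised = [], set()
    off_matter, bursts, denials = defaultdict(set), defaultdict(deque), defaultdict(deque)

    def raise_once(user, reason, detail):
        if (user, reason) not in raised:
            raised.add((user, reason))
            alerts.append(Alert(user, reason, detail))

    for ev in events:
        u, ts = ev["user"], ev["ts"]
        if ev["result"] == "denied":
            if in_window(denials[u], ts, DENIED_WINDOW) >= DENIED_LIMIT:
                raise_once(u, "repeated authorization failures",
                           f"{DENIED_LIMIT}+ denials within {DENIED_WINDOW}, last target {ev['target']}")
            continue
        if ev["action"] in ("read", "copy"):
            if ev["matter"] != "-" and ev["matter"] not in ASSIGNED_MATTERS.get(u, set()):
                off_matter[u].add(ev["matter"])
                if len(off_matter[u]) >= OFF_MATTER_LIMIT:
                    raise_once(u, "access outside assigned matters", ", ".join(sorted(off_matter[u])))
            if in_window(bursts[u], ts, BURST_WINDOW) >= BURST_LIMIT:
                raise_once(u, "bulk read/copy burst", f"{BURST_LIMIT}+ files within {BURST_WINDOW}")
    return alerts


def make_sample_log() -> list:
    """Constructed audit lines: a normal day, an after-hours bulk copy, and a probing user."""
    def line(ts, user, action, matter, target, result):
        return (f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} action={action} "
                f"matter={matter} target={target} result={result}")
    day = datetime(2024, 3, 4, 10, 0, 0)
    evening = datetime(2024, 3, 4, 19, 0, 0)
    old_matters = ["2022-0410", "2022-0455", "2021-0993", "2023-0012"]
    lines = [line(day + timedelta(minutes=7 * i), "jsmith", "read", "2024-0117", f"pleading{i}.docx", "ok")
             for i in range(5)]
    # mlee touches two matters outside the assignment: below the limit, no alert.
    lines += [line(day + timedelta(minutes=9 * i), "mlee", "read", m, "memo.docx", "ok")
              for i, m in enumerate(["2024-0090", "2022-0410", "2022-0455"])]
    # jsmith copies 45 archived files from four old matters in 7.5 minutes.
    lines += [line(evening + timedelta(seconds=10 * i), "jsmith", "copy", old_matters[i % 4],
                   f"archive{i}.pdf", "ok") for i in range(45)]
    # akhan keeps trying a share the role does not grant access to.
    lines += [line(day + timedelta(minutes=5 * i), "akhan", "login", "-", "finance-share", "denied")
              for i in range(6)]
    lines.append(line(day, "akhan", "read", "2024-0201", "brief.docx", "ok"))
    return lines


if __name__ == "__main__":
    for a in evaluate(make_sample_log()):
        print(f"{a.user:8} {a.reason:36} {a.detail}")
```

Tune the thresholds against a few weeks of real logs before alerting on them; litigation support staff legitimately touch many matters, so the off-matter rule needs role-based assignments rather than one number for everyone.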
Next Steps to Improve Your Firm’s Internal IT Security
Law firms often spend a great deal of money to defend against external threats, and far too little against internal threats.
It’s always best to put your focus and your money where your greatest threats lie. In my experience, insiders - and the tools they use on a daily basis to perform necessary duties - pose the greatest threat to law firms.
Protecting your firm with a cloud browser against web-borne threats, conducting employee training, and monitoring and tracking documents, among other measures, can go a long way towards mitigating internal threats against your firm.
If you're not sure where your firm is at risk, I recommend that you download LogicForce's Law Firm Cyber Security Scorecard report.
About the author: Jordan McQuown is the Chief Information Officer at LogicForce. He has consulted with numerous law firms in the areas of litigation support, electronic data discovery, and information security practices. Jordan has conducted CLE presentations on eDiscovery, Information Security, and Litigation Technology for state and local seminars. He holds the CISSP certification and the GSEC, GCIH and GCFA certifications from the Global Information Assurance Certification (GIAC)/SANS Institute.