Tag Archive for: cyber threats

Law Firms And Banking Industry Cyber Attacks

Protecting your Information

Did you know that in 2011, 90 percent of American companies surveyed said they had been hacked at least once? In 2012 alone there were over 600 confirmed hacks, and while many of those targeted small businesses, a fair number targeted law firms.

Law firms are quickly becoming a popular target for cyber-thieves because of what they hold on their clients: bank account details, social security numbers, birth dates and the like, along with the detailed background research that firms routinely compile. A successful intruder can use that information to reach a client's financial accounts quickly. Many law firms now work with specialist security companies to stay on top of potential threats, since attackers find new avenues for exploitation every day and keeping up is understandably difficult.

Security Improvement Against Cyber Attacks

In order to help improve security at law firms there are a few things firms should consider:

  1. Share cybersecurity profiles:

Being more open within the legal community about incidents and threats is one way firms can learn from each other. Sharing threat information with peer firms helps everyone: a firm can only defend against the threats it knows about.

  2. Keep clients informed about potential data breaches:

Companies are generally required to notify clients or customers when their data may have been exposed. It is also good business practice, and it lets clients know they can trust you. Telling a client that their personal information may have been compromised gives them time to prepare and protect themselves.

  3. Hire security expertise:

Hire professionals who understand cyber threats and can work with your existing systems. Communicating with other firms and businesses about vulnerabilities, threats and defenses only pays off if someone qualified is in place to turn that information into adequate protection.

  4. Pay attention:

Lawyers are busy. Between cases, paperwork and court sessions there is a lot to do! While this makes for excellent workers, it also makes for easy targets: busy people are less likely to notice warning signs that could indicate a breach. Simply encouraging lawyers to pay a little more attention to the emails they open, the attachments and links they click, and unexpected update prompts on their computers can make a big difference.

  5. Have a plan:

One way to protect your firm is to create a cyber-threat response plan. This may include training lawyers and office staff to recognize and handle a potential breach. You will need a plan for contacting affected clients and for dealing with leaked information. If your firm experiences a major breach, you will likely also need to work with the press to get your message out.

Plan now so that if the unexpected happens you can act quickly to stop as much damage as possible.

Keep Your Clients & Company Safe

While it is understandable that law firms may not want to spend a lot of money on cyber threats, the potential for loss and damage is very real. Attacks on law firms are occurring more frequently precisely because their security is so much more lax than that of banking institutions, which is unfortunate given how much personal information most firms hold. Fully grasping the potential for loss is necessary if law firms are to take the threat seriously.

We know that your law firm honors privacy and protection. Paying attention will help you keep your company and your clients safe.

State Data Breach Notification Laws

Data breaches have happened since the earliest days of recorded information, and recently they have led to the downfall of CEOs. As companies collect more and more data, and consumers rely on technology for convenience, the potential damage from security breaches and data theft continues to escalate. If a client you represent is caught up in one of these break-ins, who is ultimately liable?

State by State

Data breach notification is currently regulated at the state level rather than the federal level. At the time of writing, forty-seven of the fifty states have data breach notification or data protection laws in place, and New Mexico has a proposal that would require hacked businesses to notify affected customers within 45 days. That leaves South Dakota and Alabama as the only states yet to address this critical area of consumer protection.

There is discussion of moving breach regulation to the federal level, since a tremendous amount of interstate commerce occurs over the internet and many data-theft attacks are launched from overseas. Given the political climate it is unlikely to happen in the next few years.

Who is Responsible?

Many states have recently strengthened their data laws to protect consumers, most notably Florida and Delaware, both of which apply a standard of "reasonable" measures by the business to protect consumer data and to dispose of it. "Reasonable" is a moving standard, however, as criminals continuously improve their skills, and a single lapse of judgment by one employee can open the door to a firm's data.

Several well-known data breaches have actually come from physical access to information rather than a remote hack. A stolen laptop is essentially a skeleton key for criminals, and every company should have a policy for this case. Remote data wipe should be standard operating procedure, and because a remote wipe only takes effect if the device comes back online, full-disk encryption on every laptop and phone should be standard as well.

Many companies attempt to contractually shift the risk and liability for data security to third party providers that focus on this, allowing these organizations to bring to bear greater resources due to their specialty in data transfer and security as opposed to selling garden hoses or muffins. These cyber protection agencies are employed in addition to the payment processors such as Square or the credit card companies, who have their own procedures in place to protect consumer data and assume partial responsibility for protection thereof. Real time threat assessment can help locate a breach before the stolen data can be misused to harm clients, thus reducing the damage and ultimate liability to companies.

Ultimately, anyone who has access to the data could be held liable if it falls into the wrong hands, as California's laws make clear, so everyone along the chain of custody needs to act to prevent theft of the information they possess.

Knowledge is Power

Data is the driving force of the interconnected Web 2.0 world we live in. Consumers have shifted away from cash for convenience, and huge amounts of information and money sit behind electronic locks that can be breached by keystroke or by old-fashioned snooping. Both consumers and companies need to be careful about who they give information to, and companies have an obligation to keep consumer information safe.

Law Firm Cyber Threats

Forensics investigators at Mandiant, an American cybersecurity firm, have reported working on twice as many targeted attacks against law firms by so-called advanced persistent threat (APT) adversaries as in years past. The FBI, in the course of ongoing investigations, has identified a noticeable increase in computer intrusion attempts against law firms. Over the last decade malware has made its way into organizations large and small; the number of cyber threats has spiked, and the malware has become both more dangerous and more sophisticated. So why go after law firms? The answer lies in the intelligence they hold on their corporate clients.

Why Law Firms Are Cyber Threat Targets

Law firms are increasingly the target of crafty, low-profile attacks going after intelligence on their corporate clients. The specific intrusion vector used against firms is spear phishing: a targeted, socially engineered e-mail designed to bypass technical network defenses and compromise the person at the keyboard. Phishing, spear phishing and other malware attacks have become a daily reality for law firms. The danger lies in the attacker obtaining confidential information that can radically change the stakes of a business transaction or legal matter. Firms are also attractive because attackers find them a relatively soft source of the intelligence they want on, for example, a new weapons system or piece of software. Firms that represent clients in mergers and acquisitions or in civil litigation appear to be among the targets being hit, including when their clients are involved in deals with Chinese companies.

Attackers rely on the end user to launch the malicious payload from inside the network: the message either carries the file as an attachment or links to a domain hosting it, and the text lures the recipient into opening one or clicking the other. Because subject lines are crafted to engage a specific recipient with content matched to their business interests, these attacks are hard to stop at the network layer, and the relevance of the subject makes the message look as though it came from a trusted source. In these campaigns merely opening the message does not by itself compromise the system, because the payload lives in the attachment or at the linked domain; this should not be relied on in general, since rendering HTML mail or a preview pane has in other cases been enough. Infection follows once someone opens the attachment or clicks the link: that launches a small executable, typically a dropper, which then attempts to download a further payload. More disconcerting is that a majority of companies do not know, or cannot detect, when they have been attacked, and cloud services, mobile devices and the sprawl of other tools are not making detection any easier.
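As an added example (not code from the original post), the following Python script applies the three signs described above to a raw message: an attachment with an extension that executes or runs macros, a link whose visible text names one host while its href points to another, and a sender that only looks trusted because the Reply-To domain differs from the From domain. The messages, domains and file name are constructed for the example and are not real indicators; the extension list is an assumed starting point, not a complete one.

```python
"""Spear-phishing triage over constructed sample messages.

Added example, not code from the original post. Checks a raw message for
a risky attachment, a link whose visible text and href disagree on host,
and a Reply-To routed to a different domain than the apparent sender.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that execute, or run macros, when opened. Assumed list for the example.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk",
                    ".docm", ".xlsm", ".pptm", ".iso", ".img"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw):
    """Return a list of indicator strings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Attachments with an extension that executes or runs macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    # 2. Links whose visible text is a URL on a different host than the href.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _AnchorCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.anchors:
            shown = _host(text) if text.startswith(("http://", "https://")) else ""
            if shown and shown != _host(href):
                findings.append(f"link shows {shown} but points to {_host(href)}")

    # 3. Reply-To routed to a different domain than the apparent sender.
    if msg["from"] and msg["reply-to"]:
        from_domain = msg["from"].addresses[0].domain.lower()
        reply_domain = msg["reply-to"].addresses[0].domain.lower()
        if from_domain != reply_domain:
            findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    return findings


def build_lure():
    """Constructed message mimicking the lure described above; not a real email."""
    msg = EmailMessage()
    msg["From"] = "Jane Partner <jane.partner@example-law-firm.com>"
    msg["Reply-To"] = "jane.partner@example-law-firm-mail.net"
    msg["To"] = "associate@example-law-firm.com"
    msg["Subject"] = "Revised term sheet for the Acme / Globex closing"
    msg.set_content("Please review the revised term sheet before the call.")
    msg.add_alternative(
        '<p>Revised term sheet: <a href="http://files.example-law-firm-mail.net/ts">'
        "https://portal.example-law-firm.com/ts</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04 constructed, not a real document",
                       maintype="application", subtype="octet-stream",
                       filename="Acme_Term_Sheet.docm")
    return msg.as_string()


def build_benign():
    """Constructed plain-text message with nothing suspicious."""
    msg = EmailMessage()
    msg["From"] = "Jane Partner <jane.partner@example-law-firm.com>"
    msg["To"] = "associate@example-law-firm.com"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Are you free Thursday?")
    return msg.as_string()


if __name__ == "__main__":
    for line in triage(build_lure()):
        print("LURE:", line)
    print("BENIGN:", triage(build_benign()))
```

Each check is cheap enough to run at the mail gateway or in a mailbox rule before the user ever sees the message, and a hit on any of them is a good reason to quarantine rather than deliver; none of the three requires the attachment to be opened or the link to be fetched.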

Holistic Approach To Online Security

Phishing attacks against law firms are nothing new; the FBI warned firms back in November 2009 of a large phishing campaign aimed at them. The solution to this persistent problem is a more holistic approach to security. Firms have reported deploying an array of conventional tools, such as intrusion detection and prevention systems, firewalls, data-loss prevention and virtual sandboxes. When a threat alert is raised, one approach is to use a threat management platform such as NetCitadel to analyze contextual data about the incident, including the user's identity, IP reputation, indicators of compromise and geolocation data for the IPs involved.
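To show what that contextual analysis looks like in practice, here is an added example (not code from the original post and not NetCitadel's or any other product's logic) that enriches constructed proxy log lines with the four fields named above, scores each event, and groups the results per user into an incident record. The threat intelligence, IP reputation table, geolocation table, hash, hostnames and log lines are all constructed for the example; the indicator weights and the expected-country list are assumptions.

```python
"""Alert context assembly over constructed proxy log lines.

Added example, not code from the original post or from any product it
names. Each event is enriched with user identity, IP reputation,
indicator-of-compromise matches and geolocation, scored, and grouped per
user into an incident an analyst can act on.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed intelligence: none of these are real indicators.
DROPPER_HASH = hashlib.sha256(b"constructed dropper bytes").hexdigest()
IOC_DOMAINS = {"files.example-law-firm-mail.net"}
IOC_HASHES = {DROPPER_HASH}
IP_REPUTATION = {"203.0.113.45": "malicious", "198.51.100.7": "clean"}  # TEST-NET addresses
GEO = {"203.0.113.45": "ZZ", "198.51.100.7": "US"}
EXPECTED_COUNTRIES = {"US"}  # where this firm's traffic normally goes (assumption)

# Constructed proxy log: timestamp user src_ip dst_ip host sha256-of-download-or-dash
PROXY_LOG = f"""\
2017-03-02T09:01:10 associate 10.0.5.21 198.51.100.7 portal.example-law-firm.com -
2017-03-02T09:02:43 associate 10.0.5.21 203.0.113.45 files.example-law-firm-mail.net {DROPPER_HASH}
2017-03-02T09:03:05 associate 10.0.5.21 203.0.113.45 files.example-law-firm-mail.net -
2017-03-02T09:15:00 paralegal 10.0.5.33 198.51.100.7 portal.example-law-firm.com -
"""

# Weight per indicator (assumed): a hash match is near-certain, geography alone is weak.
WEIGHTS = {"ioc-hash": 5, "ioc-domain": 3, "ip-malicious": 2, "unusual-geo": 1}


def parse_line(line):
    ts, user, src_ip, dst_ip, host, sha256 = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": src_ip,
            "dst_ip": dst_ip, "host": host, "sha256": None if sha256 == "-" else sha256}


def enrich(event):
    """Attach context to one event and record which indicators fired."""
    indicators = []
    if event["host"] in IOC_DOMAINS:
        indicators.append("ioc-domain")
    if event["sha256"] in IOC_HASHES:
        indicators.append("ioc-hash")
    event["ip_reputation"] = IP_REPUTATION.get(event["dst_ip"], "unknown")
    if event["ip_reputation"] == "malicious":
        indicators.append("ip-malicious")
    event["country"] = GEO.get(event["dst_ip"], "??")
    if event["country"] not in EXPECTED_COUNTRIES:
        indicators.append("unusual-geo")
    event["indicators"] = indicators
    event["score"] = sum(WEIGHTS[i] for i in indicators)
    return event


def severity(score):
    return "high" if score >= 7 else "medium" if score >= 3 else "low"


def build_incidents(log_text):
    """Group scored events per user; users with no indicators produce no incident."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = enrich(parse_line(line))
            if ev["indicators"]:
                by_user[ev["user"]].append(ev)
    incidents = {}
    for user, events in by_user.items():
        total = sum(e["score"] for e in events)
        incidents[user] = {
            "user": user,
            "src_ips": sorted({e["src_ip"] for e in events}),
            "first_seen": min(e["ts"] for e in events),
            "last_seen": max(e["ts"] for e in events),
            "events": events,
            "score": total,
            "severity": severity(total),
        }
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(PROXY_LOG).values():
        print(inc["user"], inc["severity"], inc["score"], inc["first_seen"], inc["last_seen"])
```

The point of grouping by user rather than by alert is that the record hands the responder what they need first: which person and which workstation to isolate, and the window in which the download and the follow-up connection happened.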

At the end of the day security is an enterprise issue, which means that attorneys, firm management and support personnel need to be involved. Essentially some basic activities must be undertaken to establish a security program, no matter which best practice a firm decides to follow. It goes without saying that technical staff will manage most of these activities, but firm partners and staff also need to provide critical input. Firm management has to outline security roles and responsibilities, develop top-level policies and exercise oversight. What this means is reviewing findings from critical activities, receiving regular reports on intrusions, reviewing the security plans and budget, system usage and compliance with policies and procedures.

Advantages Of Taking Action

Taking action on malware defenses and on breach notification obligations keeps a firm in a far stronger position with its clients, its state bar and any regulators that become involved, provided it can show that its security program is aligned with best practices and that management is engaged. It also demonstrates that the firm complies with its own policies and procedures and has tools deployed to detect malware and criminal behavior.