“We hacked your website and we’ve got data on you and your clients.”
The mere thought of hearing those words is enough to wake you up screaming in the middle of the night. Just as frightening is the idea of sitting helplessly and waiting for it to happen.
Yet that’s what many law firms are doing.
“Attorneys are increasingly targeted by cyber attackers,” writes Sherri Davidoff of LMG Security. “Breaches occur because an employee clicked on a link in a phishing email, downloaded an infected software utility, or took some other action that gave hackers an easy opportunity. From there, hackers can take over your firm’s computers, gather confidential information, and then resell it to buyers around the world.”
Davidoff’s company does penetration testing for law firms and other businesses. The goal is to discover system vulnerabilities before the bad guys do.
In this ALPS blog post, she writes of testing done for one of the biggest law firms in the world. LMG was able to enter the firm’s network via the web portal. From there, it was a breeze to download client billing information, confidential case notes, and usernames and passwords for every client in their database.
Don’t worry. The story ended happily. “Within an hour, the flaw was fixed, and our client had locked up their customers’ information,” Davidoff writes. “They also reviewed their logs and verified that no one had previously accessed it.”
Think You’re Too Small to Be Targeted For a Hack?
Think again. Seventy-five percent of hacks are random crimes with no specific target, according to a report from Verizon.
Financial information is what’s usually sought.
“In 2013, an Ontario law firm lost a six-figure sum from a trust account when a bookkeeper clicked on a link in a phishing email,” Davidoff writes. “Hackers monitored her keystrokes and captured the firm’s online banking username and password as she logged on.”
Sometimes the hackers don’t just use the purloined data – they sell it. One large firm conducted a forensic audit and found not only that their security had been breached, but that the information was being sold online by subscription. Several foreign companies and at least one government had already subscribed.
Checklist to Protect Yourself
The best way to reduce your risk of a cyber-breach is to be prepared and stay alert.
Here is LMG Security’s 14-Step Cyber Security Checklist for Attorneys:
- Use Strong Policies and Procedures
- Know Where Your Data is Stored
- Deploy Effective Antivirus
- Protect Against Spam
- Update Your Software
- Encrypt, Encrypt, Encrypt
- Limit Your Staff Members’ Privileges
- Train Your Staff
- Vet Vendors and Third Parties
- Respond Quickly and Appropriately
- Keep Your Eye on the Clouds
- Get Insurance
- Test Your Security
Buy a Cyber-Liability Insurance Policy in North Carolina
Another smart move is to purchase cyber-liability insurance. Lawyers Insurance Agency – a subsidiary of Lawyers Mutual – is the endorsed provider of the NC Bar Association.
Contact Lawyers Insurance to learn more about cyber-liability protection in North Carolina.
- Lawyers Insurance: http://www.lawyersinsuranceagency.com/service-areas/business/cyber-liability
- LMG Security: lmgsecurity.com
- ALPS Blog: https://blog.alpsnet.com/how-attorneys-get-hacked-and-what-you-can-do-about-it
- Verizon Data Breach Investigation Report: https://www.verizonenterprise.com/verizon-insights-lab/dbir/