By Rob Kleeger- It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…Are People the weakest link?

The daily news headlines reveal the escalating, and costly, problem of data breaches for companies. Today, we are in the midst of never ending articles, blogs and news reports regarding the latest cyber security breach.  The days of casual hackers going about their efforts for little more than bragging rights have now morphed into big business where the financial rewards can be substantial. This summer, the FBI has received reports of more than $18m in losses in the past year stemming from the spread of the bitcoin ransomware Cryptowall and its related variants. When you consider all the viruses on the Internet, the amount of revenue generated by these wicked hackers are collecting is astonishing.

All companies store assets digitally — from consumer personal data, to B2B customer data, to trade secrets, to confidential information relating to mergers and acquisitions. When it comes to Law Firms, they often handle sensitive data (i.e. intellectual property, corporate transactions, mergers and acquisitions, bank account #’s, social security #’s, client addresses, credit card information, health care information, personally identifiable information (PII) or personal data.)  

Additionally, law firms utilize many individuals who may have access to sensitive data beyond partners and associates, such as contract attorneys, paralegals, secretaries, and others. An incident could occur even when an employee of the firm accesses data improperly or when an employee mentions something to friends or family or on social media sites.

Law firms don’t have secrets, it’s the client information that hackers want. The reality is they have a digital treasure trove of data...which is a primary reason that law firms are and have been targets for numerous years.  

A major harm is reputation – no firm wants to go to a huge client and inform the client that it has lost the client’s sensitive data.

All businesses depend upon the integrity and their computer networks to operate efficiently, effectively, and securely.  Corporate directors and officers have fiduciary obligations to safeguard these assets, and lawyers additionally have an ethical obligation to their clients.

When a breach happens, reputational, regulatory, financial and legal risks proliferate.

Unfortunately, the key question that never seems to get answered is: What exactly are we at risk from and what are we supposed to do about it?

With over a decade of experience in handling hundreds of matters, here is the hint: It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…People are the weakest link.

After doing research by asking people about their definition of data security, I found many varied definitions.  I’ve defined it in simple terms, “Data security is simply keeping sensitive information from falling into the wrong person’s hands.”  

Consider this hypothetical:

You are on your way into work and you spot a USB thumb drive on the ground. It has your company’s logo on it, so decided to pick it up and see what's on it so you can figure out who it belongs to and return it to them. You plug it into your office computer and there are no files or anything else that you can find that identifies the owner. Hmm. Since you did find that it’s a 128 Gigabyte USB stick, you keep the USB drive for your own use.  A few days later, you end up plugging it into your laptop and home computer to transfer sold old pictures and music from computers.

What you don’t know is that the USB drive contained malware that infected your computer once you inserted it and the auto-run feature ran. The malware connects outwardly to the hacker’s computer, giving them full access to your computer and your network.  The files are on a hidden partition that you were unable to delete and they have also now infected your home computer and laptop.  Rather than the hacker needing to gain access to your facility or hack into your network, he simply threw the pen drive into your parking lot from the street and voila!  They are in.

This all happens without anyone ever realizing it. This hacker now has access into your company and all of its data and quietly uses it for monetary gain.

Again, we find that the employee’s devices are the weakest link in most firms.  These devices are typically protected only by antivirus software and most hackers attack that point rather than working through a server or other external facing protections.

Don’t even get me started about Bring Your Own Disaster policies.  If your business has adopted bring your own device (BYOD) policy however, all that preparation for avoiding outside risks may have been for naught.  BYOD introduces some notable security threats firms didn’t have to worry about previously. Employees are unknowingly your greatest threat. Sources show that over 80% of security threat to mobile devices were careless employees.  They don’t mean to, it’s just that the nature of their job gives them direct access to highly sensitive data.   (https://www.checkpoint.com/press/2014/check-points-third-annual-mobile-security-survey-highlights-careless-employees-greatest-mobile-security-threat/ )

Part time employees come with all the same problems as full times employees only they know they are temporary. The risk is greater when there is no fostered loyalty. Sure you might have them sign the non-disclosure agreements, but if you are not keeping logs of everything going on, even the most trusted part-time employees might be very costly. They often have all the same access as full time employees without the responsibility. These resources are often easy phishing targets.  Former employees sometimes get hostile after downsizing occurs. They might feel wronged and feel entitled to compensation. Employees who know they are leaving are also a substantial risk. What information did they take before they gave notice? Also, what about the access that former employees often retain even after they’ve left the firm? Firms without quick and decisive employee exit strategies or clear restrictions for remote access can find that the path to data loss is much shorter than expected.

If a hacker has penetrated the network of a law firm’s client and or vice versa, the email of in-house counsel, for example, it’s then easy to identify the email address of outside attorneys and fabricate messages to deceive them.  Once access is gained to a computer system, they typically have the ability and desire to stay for a while and hide.  Their goal is not too snatch information and leave…but to remain secretly entrenched, monitoring the flow of information and harvesting more valuable information.  Hackers generally maintain a presence in corporate systems for months without detection, unless proactive measures are taken.

But two deeply researched reports being released this week underscore the less-heralded truth: The vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

In the best-known annual study of data breaches, the Verizon 2015 Data Breach Investigations Report, it found that more than 23% of recipients opened emails which involved phishing (the security industry's term for trick emails).  Nearly 50% of users opened emails and clicked on malicious links within the first hour received.  Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90% of the time, Verizon found.

Most organizations are spending a large amount of money protecting their perimeter from the hacker hooligans, however while that is necessary, it’s something that is often unstoppable.  Meaning, if your firm is targeted by a hacker, or a hacking organization...no matter how secure your perimeter is, most security experts will confirm that there is nothing you can do to prevent it from happening.  Regardless of size, financial resources, security, technology... People are the weakest link when it comes to data breaches.

So why are firms not spending more time focusing on understanding what and where the sensitive data is?  Once you’ve understood what and where the data is, you put controls in place and maintain logs and information for a later investigation.

By following the below tips, we think that it will have a tremendous impact to avoiding a reportable data breach:

  • Passwords should be complex - use of upper- and lower-case letters, numbers, symbols, and random phrases in your passwords.
  • Encrypt information as much as possible, whether produced to others or stored on your computers.
  • Have a proper file and data destruction policy.
  • Ask clients if any of their data warrants special protection and discuss how that data should be protected.
  • Turn on two-factor authentication to add another layer of security to your login process
  • Educate often and routinely.  When it comes to protecting a company from its own employees, there needs to be a balance between reasonable access and security.
  •  Enact/Revise/Update Internal Policies and Processes
    • Understand security issues that can arise in any cloud computing services and mobile devices.
  •  Conduct Risk Assessments, including “ethical hacking” assessments
    • Analyze internal security strength, audit, and policies
    • Assess strength of vendors, suppliers and partners and evaluate contracts
  • Formulate a Data Breach Response Plan
    • Crisis Response Team (internal and external)
    • Conduct breach response drills annually
    • Media/PR Strategy
  • Insure
    • Consider cyber risk policy to augment existing coverages