Tag: Cybersecurity

Ransom Demands: To Pay or Not to Pay?

As the threat of ransomware attacks against companies has skyrocketed, so has the burden on companies forced to decide whether to pay cybercriminals a ransom demand. Corporate management increasingly is faced with balancing myriad legal and business factors in making real-time, high-stakes “bet the company” decisions with little or no precedent to follow. In a recent advisory, the U.S. Department of the Treasury (Treasury) has once again discouraged companies from making ransom payments or risk potential sanctions.

OFAC Ransom Advisory

On September 21, 2021, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory that updates and supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, issued on October 1, 2020. This updated OFAC Advisory follows on the heels of the Biden Administration’s heightened interest in combating the growing risk and reality of cyber threats that may adversely impact national security and the economy.

According to Federal Bureau of Investigation (FBI) statistics from 2019 to 2020 on ransomware attacks, there was a 21 percent increase in reported ransomware attacks and a 225 percent increase in associated losses. All organizations across all industry sectors in the private and public arenas are potential targets of such attacks. As noted by OFAC, cybercriminals often target particularly vulnerable entities, such as schools and hospitals, among others.

While some cybercriminals are linked to foreign state actors primarily motivated by political interests, many threat actors are simply in it “for the money.” Every day cybercriminals launch ransomware attacks to wreak havoc on vulnerable organizations, disrupting their business operations by encrypting and potentially stealing their data. These cybercriminals often demand ransom payments in the millions of dollars in exchange for a “decryptor” key to unlock encrypted files and/or a “promise” not to use or publish stolen data on the Dark Web.

The recent OFAC Advisory states in no uncertain terms that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.” OFAC notes that such ransomware payments could be “used to fund activities adverse to the national security and foreign policy objectives of the United States.” The Advisory further states that ransom payments may perpetuate future cyber-attacks by incentivizing cybercriminals. In addition, OFAC cautions that in exchange for payments to cybercriminals “there is no guarantee that companies will regain access to their data or be free from further attacks.”

The OFAC Advisory also underscores the potential risk of violating sanctions associated with ransom payments by organizations. As a reminder, various U.S. federal laws, including the International Emergency Economic Powers Act and the Trading with the Enemy Act, prohibit U.S. persons or entities from engaging in financial or other transactions with certain blacklisted individuals, organizations or countries – including those listed on OFAC’s Specially Designated Nationals and Blacked Persons List or countries subject to embargoes (such as Cuba, the Crimea region of the Ukraine, North Korea and Syria).

Penalties & Mitigating Factors

If a ransom payment is deemed to have been made to a cybercriminal with a nexus to a blacklisted organization or country, OFAC may impose civil monetary penalties for violations of sanctions based on strict liability, even if a person or organization did not know it was engaging in a prohibited transaction.

However, OFAC will consider various mitigating factors in deciding whether to impose penalties against organizations for sanctioned transactions, including if the organizations adopted enhanced cybersecurity practices to reduce the risk of cyber-attacks, or promptly reported ransomware attacks to law enforcement and regulatory authorities (including the FBI, U.S. Secret Service and/or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection).

“OFAC also will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack” as a “significant” mitigating factor. In encouraging organizations to self-report ransomware attacks to federal authorities, OFAC notes that information shared with law enforcement may aid in tracking cybercriminals and disrupting or preventing future attacks.

Conclusion

In short, payment of a ransom is not illegal per se, so long as the transaction does not involve a sanctioned party on OFAC’s blacklist. Moreover, the recent ransomware Advisory “is explanatory only and does not have the force of law.” Nonetheless, organizations should consider carefully OFAC’s advice and guidance in deciding whether to pay a ransom demand.

In addition to the OFAC Advisory, management should consider the following:

  • Ability to restore systems from viable (unencrypted) backups

  • Marginal time savings in restoring systems with a decryptor versus backups

  • Preservation of infected systems in order to conduct a forensics investigation

  • Ability to determine whether data was accessed or exfiltrated (stolen)

  • Reputational harm if data is published by the threat actor

  • Likelihood that the organization will be legally required to notify individuals of the attack regardless of whether their data is published on the Dark Web.

Should an organization decide it has no choice other than to make a ransom payment, it should facilitate the transaction through a reputable company that first performs and documents an OFAC sanctions check.

© 2021 Wilson Elser
For more articles about ransomware attacks, visit the NLR Cybersecurity, Media & FCC section.

Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of their internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both itself and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach finding that the outside counsel’s vendor report has not been prepared exclusively for use in preparation for litigation. Like in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

Article By Philip J. BezansonSeth D. DuCharme, and Brittney E. Justice of Bracewell LLP

Fore more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

Ransomware Payments Can Lead to Sanctions and Reporting Obligations for Financial Institutions

With cybercrime on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued advisories on one of the most insidious forms of cyberattack – ransomware.

Ransomware is a form of malicious software designed to block access to a system or data.  The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information.  Ransomware attackers usually demand payment in the form of convertible virtual currency (“CVC”), which can be more difficult to trace.  Although ransomware attacks were already on the rise (there was a 37% annual increase in reported cases and a 147% increase in associated losses from 2018 to 2019), the COVID19 pandemic has exacerbated the problem, as cyber actors target online systems that U.S. persons rely on to continue conducting business.

OFAC

The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”  OFAC stresses that these payments may violate US sanctions laws or OFAC regulations, and encourage future attacks.

OFAC maintains a consolidated list of sanctioned persons, which includes numerous malicious cyber actors and the digital currency addresses connected to them.[1]  Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.  The advisory states that “OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

In addition to violating sanctions laws, OFAC warned that ransomware payments with a sanctions nexus threaten national security interests.  These payments enable criminals to profit and advance their illicit aims, including funding activities adverse to U.S. national security and foreign policy objectives.  Ransomware payments also embolden cyber criminals and provide no guarantee that the victim will regain access to their stolen data.

Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.

OFAC encourages financial institutions to implement a risk-based compliance program to mitigate exposure to potential sanctions violations.  Accordingly, these sanctions compliance programs should account for the risk that a ransomware payment may involve a Specially Designated National, blocked person, or embargoed jurisdiction.  OFAC encouraged victims of ransomware attacks to contact law enforcement immediately, and listed the contact information for relevant government agencies.  OFAC wrote that it considers the “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”  OFAC will also consider a company’s cooperation efforts both during and after the ransomware attack when evaluating a possible outcome.

Such cooperation may also be a “significant mitigating factor” in determining whether and to what extent enforcement is necessary.

FinCEN

FinCEN’s advisory also encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement.  The FinCEN advisory arms these institutions with information about the role of financial intermediaries in payments, ransomware trends and typologies, related financial red flags, and effective reporting and information sharing related to ransomware attacks.

According to FinCEN, ransomware attacks are growing in size, scope, and sophistication.  The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks.  The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise.

FinCEN touted “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense.  The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments.  These red flags include, among others: (1) IT activity that shows the existence of ransomware software, including system log files, network traffic, and file information; (2) a customer’s CVC address that appears on open sources or is linked to past ransomware attacks; (3) transactions that occur between a high-risk organization and digital forensics and incident response companies or cyber insurance companies; and (4) customers that request payment in CVC, but show limited knowledge about the form of currency.

Finally, FinCEN reminded financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments.  A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.  “Reportable activity can involve transactions . . . related to criminal activity like extortion and unauthorized electronic intrusions,” the advisory says.  Given this, suspected ransomware payments and attempted payments should be reported to FinCEN in SARs.  The advisory provides information on how financial institutions and others should report and share the details related to ransomware attacks to increase the utility and effectiveness of the SARs.  For example, those filing ransomware-related SARs should provide all pertinent available information.  In keeping with FinCEN’s previous guidance on SAR filings relating to cyber-enabled crime, FinCEN expects SARs to include detailed cyber indicators.  Information, including “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications,” will assist FinCEN in protecting the U.S. financial system from ransomware threats.

[1] https://home.treasury.gov/news/press-releases/sm556

© Copyright 2020 Squire Patton Boggs (US) LLP
For  more articles on cybersecurity, visit the National Law Review Communications, Media & Internet section.

Reasons for Communicating Clearly With Your Insurer Regarding the Scope of Coverage Before Purchasing Cyber Insurance

Purchasing cyber insurance is notoriously complex—standard form policies do not currently exist, many key terms setting the scope of coverage have not been analyzed by courts, and cyber risks are complicated and constantly evolving.  Given these complexities, prospective policyholders should consider, before purchasing a cyber policy, communicating their expectations for coverage in clear and specific terms to their insurer.  Such communications, which can be conducted through an insurance broker, can help a policyholder obtain policy terms that accurately reflect their desired coverage.  Additionally, these communications create a written record of the contracting parties’ understanding, which may prove useful should the insurer later contend that coverage is not available consistent with these discussions and the policyholder’s expectations.

Singling out a key policy provision and examining the coverage issues that provision can present helps illustrate the potential value of such communication.  Currently, the high-profile Mondelez International, Inc. v. Zurich American Insurance Co. litigation provides an excellent opportunity to examine the coverage issues that can arise from one such provision:  the so-called “war exclusion.”  This exclusion, a variant of which is included in almost every insurance policy by insurers seeking to limit their exposure to potentially catastrophic losses that might result from war, may sound straightforward but can be difficult to apply, as the line between war and other conflicts is often fuzzy and fact-specific.  Compare In re Sept. 11 Litig., 931 F. Supp. 2d 496, 508 (S.D.N.Y. 2013), aff’d, 751 F.3d 86 (2d Cir. 2014) (concluding that the September 11, 2001 attack by Al Qaeda was an “act of war”), with Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1015 (2d Cir. 1974) (holding that the hijacking of an airplane by the Popular Front for the Liberation of Palestine was not the result of “war”).  This is especially true in the cyber context, where understanding the precise nature and purpose of a cyber attack is often difficult.  While the Mondelez case does not involve a dedicated cyber insurance policy—it concerns a property insurance policy that includes coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”—it is still instructive because the insured seeks coverage for a cyber attack and the insurer disputes coverage based on the war exclusion, which almost all cyber insurance policies contain in some fashion.

The dispute in Mondelez arose when the policyholder suffered over one hundred million dollars in losses due to network disruptions caused by the NotPetya ransomware attack and sought coverage under their property insurance policy for “physical loss or damage to electronic data, programs, or software . . . .”  See Complaint, Mondelez International, Inc. v. Zurich American Insurance Co., No. 2018L011008, 2018 WL 4941760 (Ill. Cir. Ct., Oct. 10, 2018).  In response, the insurer denied coverage based on the war exclusion that precluded coverage for “loss or damage directly or indirectly caused by or resulting from . . . hostile or warlike action in time of peace or war, including action in hindering, combatting or defending against an actual, impending or expected attack by any:  (i) government or sovereign power (de jure or de facto); (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.”  In short, the policyholder believed it bought broad coverage for ransomware attacks, but now must litigate whether the NotPetya attack was a “warlike action” by a government “agent,” under circumstances where numerous sources link the cyber attack to Russia and its armed forces (though Russia denies any involvement).  While the Mondelez case is still in the early stages, and details of any communications among the parties regarding the wording and meaning of the war exclusion are not publicly known, the mere existence of this litigation highlights the challenges that can face a policyholder who learns only after a substantial loss that their insurer reads a key policy provision to preclude coverage that the policyholder expected to be available.

As noted above, communication prior to policy placement can be a valuable tool to secure clear wording for key policy provisions and potentially avoid this kind of situation.  While this may seem obvious, such communication is often overlooked by policyholders more focused on other policy details like limits and premiums.  A close review of the war exclusion helps illustrate the potential benefits of these communications.  While the precise phrasing of the war exclusion at issue in Mondelez is more typical of property policies than cyber policies, war exclusions in many cyber policies arguably apply to conduct not only by state actors but also by quasi-state actors or groups with political motives.  For this reason, policyholders may want to seek language specifying that the exclusion only applies to acts by a military force or a sovereign nation, as many cyber attacks are attributed to quasi-state actors or non-state groups with political ends, or are the subject of debated attribution.  Similarly, some war exclusions apply not only to specified conflicts such as war, invasion, and mutiny, but also to more amorphous conduct like “warlike actions”—policyholders seeking greater certainty may wish to avoid such language.  Further, as with any exclusion, avoiding overbroad introductory language (like that excluding any loss “in any way related to or arising out of” war) is generally in a policyholder’s interest.  And even if a war exclusion is broadly worded, some insurers will include a carve-back creating an exception for losses due to attacks on computer systems or breaches of network security, thus preserving cyber coverage even when the war exclusion might otherwise apply.  Given the impact that small changes in wording can have on the scope of coverage, communicating clearly—with respect to the war exclusion or any other key policy provision—can play a crucial role in assuring that a policyholder secures wording that provides the coverage they desire.  Of course, an insurer may respond to a policyholder by refusing to revise a policy term or insisting that a desired coverage is unavailable, in which case the policyholder has the benefit of understanding a policy’s purported scope prior to purchase and the opportunity to investigate coverage from other insurers.

In addition, communication allows a policyholder to make a record of their expectations as to the scope of coverage, which may prove useful if an insurer later refuses to provide coverage consistent with the expectations that the policyholder conveyed.  Many courts interpreting disputed policy language put substantial weight on an insured’s reasonable expectations and often rely on communications between policyholders and insurers to support a policyholder’s reading.  See, e.g., Monsanto Co. v. Int’l Ins. Co. (EIL), 652 A.2d 36, 39 (Del. 1994); Celley v. Mut. Benefit Health & Acc. Ass’n, 324 A.2d 430, 435 (Pa. Super. 1974); Ponder v. State Farm Mut. Auto. Ins. Co., 12 P.3d 960, 962 (N.M. 2000); Michigan Mutual Liability Co. v. Hoover Bros., Inc., 237 N.E.2d 754, 756 (Ill. App. 1968).  As the recently-issued Restatement of The Law of Liability Insurance observes, where “extrinsic evidence shows that a reasonable person in the policyholder’s position would give the term a different meaning” than the one advanced by the insurer, the policyholder’s proposed meaning will often control.  Another recent case addressing a war exclusion (completely outside the cyber context) demonstrates the role such communications may play in interpreting disputed policy provisions, as the court’s analysis of the exclusion included a review of the communications during the underwriting process between the insured, the broker, and the insurer and an examination of what those communications indicated about the parties’ intent for the exclusion’s application.  Universal Cable Prods., LLC v. Atl. Specialty Ins. Co., 929 F.3d 1143 (9th Cir. 2019).  While contested coverage provisions should generally be read in an insured’s favor so long as that reading is reasonable—even in the absence of favorable underwriting communications—the cases above underscore the potential value in establishing during the underwriting process a record of the insured’s expectations as to the scope of coverage (especially in an area such as cyber insurance, where guidance like prior court decisions is limited).

For these reasons, policyholders should consider clearly communicating their intentions to their insurer when purchasing cyber insurance—this may include communicating not just questions about the scope of coverage and requests for modifications to the policy, but also the concerns animating those questions and the goals behind those requested modifications.  When having such communications with cyber insurers, policyholders will generally want to work closely with an insurance broker knowledgeable about cyber insurance, and may also want to consult experienced coverage counsel.  Clear communication during the underwriting process can play an important role in helping policyholders obtain cyber coverage that will meet their expectations should they one day confront a cyber event.

© 2020 Gilbert LLP

ARTICLE BY Daniel I. Wolf at Gilbert LLP.

3 Cyberattacks and 3 Practical Measures Lawyers Can Take to Protect Themselves

Hackers are targeting lawyers with cyberattacks, and coronavirus is making things worse. With the recent Covid-19 pandemic and the resultant remote work, hackers are exploiting lawyers with even greater intensity. The ABA Journal recently reported that “scams multiply during the COVID crisis.”

The Top 3 Cyber Attacks Targeting Law Firms

You’re probably displaced from your usual working space and feeling out of whack. That sets the stage for hackers to advantage of the confusion — and your home computer setup. You need to know the traits of the most common cyberthreats so you can identify a scam.

1. Phishing Email Scams

Hackers send phishing emails that impersonate a legit sender and fool the recipient into giving up information. Most phishing scams trick their victims into clicking on malicious URLs. These phishing links redirect the victim to fake sites — most commonly, the spoofed login pages to Office 365 and online baking — and capture their username and password. Now that the hacker has these credentials, they can legitimately access confidential data or withdraw funds.

In 2018, nearly 80% of law firms experienced phishing attacks, according to security research firm Osterman Research. As COVID-19 increases anxiety and the amount of emails in your inbox, hackers have taken advantage. In mid-March 2020, right as COVID-19 ramped up in the United States, hackers purported to be the World Health Organization (WHO). The phishing email asked the victim to open an attachment containing official information on protecting yourself from the coronavirus. Little did they know that opening this attachment downloaded a keystroke logger that records what’s being typed. Keystroke logging is typically used to capture even more login credentials so the hacker can access as many sites and services as possible.

For further details, learn how viral coronavirus scams are attacking computers and smartphones.

2. Ransomware

Ransomeware is one of four of the biggest cybersecurity risks law firms face according to Law Technology Today. This cyberattack is a type of malware that, once installed, denies access to a computer system or data. Typically, email attachments, “malvertising”, or drive-by downloads install ransomware onto devices. To regain access to the compromised device, the victim must wire funds to the hacker. Even if the ransom is paid, it’s not guaranteed that the hackers will restore system access.

3. Data Breaches

Data breaches result in the loss of confidential data or the unauthorized access of that data. They occur after hackers execute a successful phishing or ransomware attack, which are common entry point of a data breach. The loss of this data could have devastating consequences on a law firm. If clients feel that their privacy was violated in the breach, they might sue.

3 Practical Cyberthreat Solutions Law Firms

Law firms can take several practical measures to protect their systems and data. Safeguarding identity and access, encrypting data, and investing in cybersecurity software (if possible) for anti-phishing and anti-malware will lower the risk of a successful cyberattack.

1. Encrypt Data

Lawyers rely on email and document sharing to run their firm. As these documents and communications travel across the internet, they can be intercepted. But when data is encrypted, it is substantially harder for a hacker to intercept. A VPN (Virtual Private Network) encrypts data in a cost-effective, non-intrusive, and reliable way. Creating a secure “tunnel” between your computer and the internet, VPNs protect data using 256-bit encryption. This protocol is so secure that banks and the U.S. government use it to protect classified data.

2. Use Two-Factor Authentication (2FA)

If you’re in the 50% of people who use the same passwords for personal and work accounts, then take note. Weak and reused passwords increase your chances of experiencing a cyberattack. 2FA adds protection to your username and password, making it much harder to compromise your credentials. Think of 2FA as a dynamic, time-sensitive, secondary password.

2FA uses a password alongside a second one-time passcode that is sent to the employee’s device. Unless this code is submitted on the follow-up login screen in a timely manner, it will expire. If codes are not used, then biometric authentication such as a retina or fingerprint scan provide the second factor.

3. Investing in Intelligent IT systems

When dealing with high volumes of very confidential data, you can never be too confident of your online security. The odds are not in your favor: one in four organizations in the US will be breached. And recovering from a breach is pricy. Law firms lose, on average, $4.62 million dollars every data breach. If you worry about the expense of cybersecurity solutions, remember that other number.

You can spend money on anti-phishing, anti-malware, and data loss prevention tools. Or you can not spend the money and risk having to pay a ransom, deal with legal fees, reputational damage, and more. Although it’s a tough pill to swallow in the current economic landscape, preventative security is cheaper than dealing with a breach.

If you cannot afford a cybersecurity system at this time, just update your software whenever you receive a notification. This is the easiest and quickest way to secure your systems. Software updates come with security fixes that will patch any vulnerabilities in your system. Hackers are known to exploit old/known vulnerabilities. Take the time to vet your network or cloud service providers to see what precautions they have to protect your firm from cybercriminals.

You Must Anticipate Cyberattacks on Your Firm 

Law firms possess sensitive data that hackers would love to leverage. Using intelligent IT systems, updating software, encrypting data, and setting up two-factor authentication are the most effective ways that lawyers can protect their data while working remotely during the COVID-19 lockdown.

© Copyright 2020 PracticePanther

ARTICLE BY PracticePanther.
For more legal tech considerations, see the National Law Review Law Office Management section.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different than the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on SBA Loans, see the National Law Review Coronavirus News section.

Make Remote Access for Your Employees Safer & Quicker with Disciplined User Rights

During times of disruption as well as an unpredictable future, your organization’s focus on “the basics” regarding a fundamental remote access strategy and design is essential. The newly widespread remote working environment dictated by various states’ stay at home orders due to the Coronavirus pandemic, demand that successful organizations of tomorrow fully grasp the fundamentals of safe and remote access protocols and prepare for the elastic growth of a disciplined remote access initiative.

The landscape of remote access is forever changed. Regardless of your organization’s existing hardware, software or network (WAN) and cloud design,  basic planning activities – which pave the runway for successful remote access – ensure your organization’s sustainability and enhance your competitiveness in a crowded marketplace.

First and foremost, it’s recommended you audit your current infrastructure design – including a review of your hardware, software, infrastructure, bandwidth, security etc. Any high performing organization’s s remote access strategy should maintain SLAs (Service Level Agreements) or project deadlines and objectives with all internal users and exercise resiliency when confronted with the performance, compliance, and security demands needed to scale.

Three core strategic planning activities are highly recommended prior to, or in parallel with, an audit of your remote access posture:

Clean Up Your Users

Identity hygiene is a constant necessity of any organization to ensure its security stance and guarantee fluidity in the face of dynamic change. Legacy user account cleanup falls into this category, but the lesser practiced aspects of identity hygiene include organization unit restructuring and security group management. These components of a well-tuned identity management infrastructure represent the organizational layout of a business and mapping of processes to business roles which too often grow organically as companies mature. Complacency to organic growth has led many organizations to make drastic and costly decisions to start over rather than re-organize, in order to remove the cancer that has developed in their identity management infrastructure.

Segment User Roles

Likewise, segmenting roles is critical to identity hygiene. Most enterprises have adopted the bifurcation of administrator and personal accounts to ensure audit trails but considerably fewer have aligned security stance to personnel role. As tenure grows and roles change to meet the needs of the organization, new rights and responsibilities are created and added to those individuals with few taken away as the firm’s requirements change. Aligning roles to responsibilities, and more importantly permissions, assures audit compliance without complex explanations and eases transition should those trusted employees ultimately leave the company.

Assign Least Access Rights to Segmented Roles

Finally, the selection of rights assigned to those segmented roles solidifies a corporate identity management strategy. Whether assigned through a workflow engine or maintained through formalized manual processes, assuring least access aligned to each role eliminates the organic growth of unnecessary permissions or access to no longer appropriate applications. This last part is a key facet of a comprehensive strategy that many organizations – including large enterprises – develop complacency around. And the removal of access is no longer strictly necessary. It is too easy to allow excuses that support and even justify this laxity but it’s this very lassitude for least access which opens doors to ransomware propagation, disgruntled and disaffected IT administrators and glaring audit infractions.

In summary, organizational resilience is steeped in discipline. Crisis management and the daily “X factor” can create havoc even with the best laid plans for systems maintenance. The ways in which your firm interacts with clients, partners, suppliers, and others will undoubtedly change with the heavy reliance on remote access capabilities. Those who grasp this concept now will be ahead of the game.

Remote access prowess is now an entry ticket to conducting business post-COVID-19 and absolutely can be viewed now as a true competitive differentiator. When organizations run with elephants there are only two types: 1/ the quick and 2/ the dead. Let’s encourage each other to be in the former category, rather than the latter.

© 2020 Plan B Technologies, Inc.. All Rights Reserved.

For more on remote work considerations during the COVID-19 Pandemic, see the National Law Review Coronavirus News section.

Cybersecurity Whistleblower Protections for Employees of Federal Contractors and Grantees

For information security professionals, identifying cybersecurity vulnerabilities is often part of the job.  That is no less the case when the job involves a contract or grant with the U.S. government.

Information security and data privacy requirements have become a priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private business contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).  

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers who work for federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion for a drug outside its FDA-approved use.  The False Claims Act protects employees from retaliation who blow the whistle on fraud against the government, including those who blow the whistle internally to a government contractor or grantee.

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S. Code § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.

© 2020 Zuckerman Law

SEC Examiners Release Cyber Observations: What You Need To Know

On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its most recent Cybersecurity and Resiliency Observations. This report highlights specific practices that have been, and can be taken to enhance cybersecurity preparedness and incident response. The release of these observations is the latest move by the SEC demonstrating its increased attention to corporate cybersecurity practices. If you are a market participant supervised by OCIE, you may want to consider this report a benchmark to help navigate the SEC’s expectations when reviewing internal cybersecurity programs. The SEC has indicated that cybersecurity compliance and procedures remain a top priority—and they should be for you too.

OCIE Cybersecurity and Resiliency Observations

The OCIE, which reviews the effectiveness of market participants’ compliance programs, focused on seven areas in the cybersecurity report: governance and risk management; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. OCIE explained that it “felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cyber-security practices.”

OCIE made clear that the most effective cybersecurity programs were those with proactive senior leaders committed to improving their organization’s cyber posture before an incident occurs. “Devoting appropriate board and senior leadership attention to setting strategy of and overseeing the organization’s cybersecurity and resiliency programs,” was a key observation.

Preventing data loss is a perennial focus of cybersecurity programs. OCIE observed a variety of tools and practices to ensure that sensitive data, including client information, was not lost, misused, or accessed by unauthorized users. These included frequent vulnerability scans of software and devices, utilizing encryption, keeping software patched with the latest updates, and monitoring for insider threats. On that last point, OCIE observed companies creating insider threat programs to identify specious behaviors, including escalating issues to senior leadership as appropriate.

Consistent with cybersecurity guidance from other sources but relatively new from the SEC, the report highlighted the risks associated with mobile devices, urging the implementation of security measures to prevent unauthorized access to sensitive systems. As corporate employees increasingly rely on mobile devices for work, the amount of sensitive data stored on those devices continues to grow, creating unique security concerns. OCIE observed companies implementing security measures that prevent users from saving sensitive information to personally owned devices and maintaining the ability to remotely clear data on employees’ devices, if necessary.

Addressing vendor management, OCIE underscored the increased risk related to vendor use of cloud services and the importance of due diligence when selecting vendors. Lastly, and arguably the most important topics addressed were incident response and training. OCIE stressed that market participants should be consistently testing and updating their incident response plans and training employees to identify and respond to cyber threats. These seven areas of focus provide important guidance for market participants regarding the expectations of OCIE examiners when conducting reviews.

Takeaways

With the release of the 2020 observations, the SEC continues to send the clear message that it expects market participants to not only respond timely and responsibly to cyber incidents, but also to proactively implement mitigation policies to reduce threats. Importantly, OCIE recognized that there is no one-size-fits-all approach.

Every organization should develop incident response plans that are tailored to their unique circumstances. Regulators continue to emphasize that is not enough to simply have policies on the books—companies must routinely update and practice those plans. Senior leaders should be involved in that process and should be prepared for the SEC and other regulators to closely examine their plans and other internal security protocols. Failure to do so is not only a regulatory issue, but creates private litigation risk.

The SEC is paying attention to and reiterating a common cybersecurity compliance roadmap: develop and implement cybersecurity plans to reduce risks, be prepared for regulatory scrutiny that may follow a cybersecurity incident, conduct staff training, and be prepared to respond to cybersecurity incidents.

© 2020 Bracewell LLP

How Law Firms Can Prevent Phishing and Malware

Law firms harbor information directly linked to politics, public figures, intellectual property, and sensitive personal information. Because lawyers rely on email to manage cases and interact with clients, hackers exploit technical vulnerabilities and people via email. After cybercriminals infiltrate a law firm’s systems in a successful phishing or malware attack, they leverage breached information for financial gain.

Starting with email, law firms must control the availability, confidentiality, and integrity of data. Or they will suffer breaches that bring increased insurance premiums, loss of intellectual property, lost contract revenue, and reputational damage.

Law firms aren’t securing their cloud technology

As lawyers adapt with best practices in technology, they’re moving client data and confidential documents from on-premise to cloud-hosted databases. 58% of firms use cloud technology to manage their clients and run their firms, according to the 2019 Legal Technology Survey Report on Cybersecurity and Cloud Computing from The American Bar Association’s Legal Technology Resource Center.

Migrating data to the cloud is a good thing, despite concerns about its availability. Data is more secure when stored in a system with modern infrastructure and security protocols, instead of stored locally on an outdated system no longer supported by vendors — such as a desktop device still running Windows 7 software, rather than Windows 10.

Even though the cloud is safe, law firms inevitably fall victim to cloud-based cyberattacks like phishing and malware.

26% of lawyers reported a security breach at their firm. TECHREPORT’s other findings explain why the breach rate is so high:

  • Fewer than half (41%) of all respondents changed their security practices after migrating to the cloud.

  • Only 35% of lawyers adopt more than one standard security measure — like encryption, anti-malware, anti-phishing, and network security.

  • 14% of respondents using cloud-based technology to manage their firm do not have any preventative security measures in place.

Changes to your firm's security policies.

Source: 2019 ABA TECHREPORT

How law firms can prevent phishing and malware

Lawyers know data breaches create downtime, loss of billable hours, and reputational harm. But they’re less aware of how to prevent those outcomes.

Phishing explained

Phishing happens via email, when hackers impersonate trusted senders to trick recipients into divulging sensitive or confidential information. Most often, phishers trick victims to click a malicious URL and interact with spoofed login pages. Microsoft is the most spoofed brand in the world, because it is the hub for organizations to collaborate and exchange information. If a lawyer enters their Office 365 credentials onto a spoofed login page, the username and password go directly to the hacker’s server.

Most common brands in phishing attacks.

Source: TechRadar

Successful credential-harvesting phishing attacks allow hackers to access data-dense services like Office 365, online banking, and practice management software. Stolen credentials lead to account takeover scenarios that result in further exploits, including network infiltration, database infiltration, and data exfiltration.

3 common characteristics of phishing attacks

  1. Subject lines that appear highly urgent

Many subject lines in phishing emails are in all-caps to pressure the recipient. Beware of subject lines that say “URGENT” or “Are you available?” An infographic from cybersecurity firm KnowBe4 reveals the top phishing email subject lines from 2019.

Top-clicked phishing tests.

Source: KnowBe4

  1. Spelling errors, grammar errors, and awkward language

Hackers need to deceive language parsing technology like Optical Character Recognition (OCR) that identifies suspicious content and blocks the message. To bypass anti-phishing algorithms, they’ll intentionally misspell words, use special characters that look like letters, and replace letters with lookalike numbers. Phishing URLs are often misspelled, or the domain name does not match the content of the page. Carefully read every URL to see if the words and letters match the content of the page.

  1. Unexpected or unusual requests for documents or money.

Phishers can spoof the sender name and domain of trusted contacts’ email addresses to lull recipients into a false sense of trust and compliance. Requests for sensitive information (bank routing numbers, trust account numbers, login credentials, document access, etc.) should be confirmed over the phone or any other communication channel besides that same email thread.

6 ways to prevent phishing at your law firm

  1. Check if email addresses associated with the firm were involved in high-profile breaches

Have I Been Pwned is a website that identifies compromised email addresses and passwords across online services that have been breached so that victims can change their password and prevent account access. Set up alerts through the website to monitor any future breaches.

Check if you have an account that has been compromised in a data breach.

Source: HaveIBeenPwned.com

  1. Install password managers

The best passwords don’t need to be memorized. 25% of people reuse the same password for everything, according to OpenVPN. Password manager services like 1Password (paid) and LastPass (free) use browser plug-ins and mobile applications to create, remember, and autofill complex, randomly-generated passwords. They identify weak or reused passwords across websites, and run a program to simultaneously rewrite and save new passwords on those sites.

LastPass password management software

Source: LastPass.com

  1. Make Multi-Factor authentication (MFA) mandatory at the firm

Multi-factor authentication, a secure login method using two or more pieces of confirmation, adds another step to the login process to prevent account takeover and the breach of confidential data. When username and password credentials are submitted to the login page, MFA generates and sends a unique alphanumeric code to the account holder’s email or phone for use as a secondary password. Unless this code is submitted on the follow-up login screen in a timely manner, it will expire.

Because email accounts and cell phone numbers are publicly available and can be compromised, use app-based and hardware-based MFA instead.

Solo and small/medium firms should use the Google Authenticator app, which continuously creates dynamic codes that swap out every 30 seconds and are unique to the device on which the app was installed.

Larger firms should adopt physical MFA. These “keys” plug into your laptop, tablet, or mobile device ports to authenticate access to software — and even the device itself. Because the keys are unique, hackers can’t access accounts supported by hardware MFA keys like Yubico’s YubiKey, which is used by every Google employee. If the key is lost, account access can be gained through backup codes or MFA codes delivered via email, mobile, or authentication apps.

Make Multi-Factor authentication mandatory at the law firm.

YubiKeys (Source: Wired Store)

  1. Participate in phishing awareness training programs

These software programs regularly educate and train employees on the characteristics of spam, phishing, malware, ransomware, and social engineering attack methods. Microsoft’s Attack Simulator and KnowBe4 offer free programs that train users not to interact with phishing attempts and give visibility into how well they’re trained, based on their click rate during the attack simulations. The 2019 Verizon Data Breach Investigation Report found that lawyers and other professional service workers were the third most likely group to click on phishing emails.

2019 Verizon Data Breach Investigation Report

Source: 2019 Verizon Data Breach Investigation Report, Figure 45

  1. Only connect to secure WiFi

Connecting to public WiFi in a cafe, airport, or hotel is dangerous. Malicious worms can transfer from one device to another if they are connected on the same network. When traveling, use a virtual private network (VPN) to extend a remote private network across the public network and secure the WiFi connection.

  1. Report suspicious emails

Popular email clients like Office 365 and Google Gmail offer suspicious message reporting. Use this built-in tool to improve their anti-phishing algorithm. If applicable, contact the IT team or cybersecurity staff at the firm so they can update security configurations in the email client or third-party security tool they may use.

What is malware?

Malware is any malicious file that launches scripts to hijack a device, steal confidential data, or launch a Distributed Denial of Service (DDoS) attack. Most malware is delivered via email. The 2019 Verizon Data Breach Investigation Report found that 51% of phishing attacks involve malware injections into a network. These malicious scripts are usually injected via spoofed DocuSign and Adobe attachments, or fraudulent billing and invoicing documents.

Ransomware is a subset of malware that hackers use to hold information or access hostage until a ransom is paid. Ransomware exploits frequently involve blackmailing tactics, and “sextortion” phishing emails (in which hackers purport to have footage of the victim watching pornography) are gaining popularity.

The 2019 ABA TECHREPORT noted that 36% of firms have had systems infected, and about a quarter (26%) of firms were unaware if they’ve been infected by malware. Larger firms, which tend to use on-premise software because of the up-front work associated with cloud migration, are the least likely to know if they’ve suffered a malware attack.

3 ways to prevent malware

  1. Monitor and update outdated software and hardware 

Application updates are necessary and should not be treated as optional. These software upgrades implement essential security features to ward off new strains of attacks. Not updating software and hardware provides short term savings, but will be very costly in the long run.

Be aware that:

  • Windows 7 is no longer supported since January 2020.

  • MS Office 2010 will no longer be supported as of October 2020.

  • Support for Adobe Acrobat X Reader/Standard/Pro, Adobe Acrobat XI, and Reader XI has ended. 88% of attorneys continue to use these highly-vulnerable Adobe programs, according to the 2019 ABA TECHREPORT.

  1. Monitor email for links and executables (including macro-enabled Office docs)

Executable files automatically launch actions, based on the code in the file. Apply software restrictions on your device to prevent executable files from starting up without your consent. Microsoft found that 98% of Office-targeted threats use macros. In 2016, Microsoft pushed a macro-blocking feature in Word to prevent malware infection.

Block macros and prevent malware in Microsoft Office Word.

Source: Microsoft Security Blog

  1. Hire a Managed Service Provider (MSP) for cybersecurity

MSPs offer an affordable portfolio of solutions to manage cyber risk across firm operations.

The solution: control the login process and data access in cloud-based apps

Lawyers are obligated to protect sensitive client information from phishing, malware, and ransomware. As breaches continue to make headlines, clients are selecting firms based on their data security. Law firms educated on confidentiality, security, and data control will be able to reassure security-conscious clients.

Cloud security — especially in email and document storage — relies on identity and access management. Establish a secure login process, govern user privileges in applications, and ensure that everyone at the firm can spot suspicious emails and attachments.

Choose cloud providers with a reputation for secure software and identify third-party security vendors for anti-phishing, anti-malware, and MFA.

© Copyright 2020 PracticePanther

Written by Reece Guida of PracticePanther.
For more on cybersecurity for legal and other businesses, see the National Law Review Communications, Media & Internet law section.