Supply Chains are the Next Subject of Cyberattacks

The cyberthreat landscape is evolving as threat actors develop new tactics to keep up with increasingly sophisticated corporate IT environments. In particular, threat actors are increasingly exploiting supply chain vulnerabilities to reach downstream targets.

The effects of supply chain cyberattacks are far-reaching, and can affect downstream organizations. The effects can also last long after the attack was first deployed. According to an Identity Theft Resource Center report, “more than 10 million people were impacted by supply chain attacks targeting 1,743 entities that had access to multiple organizations’ data” in 2022. Based upon an IBM analysis, the cost of a data breach averaged $4.45 million in 2023.

What is a supply chain cyberattack?

Supply chain cyberattacks are a type of cyberattack in which a threat actor targets a business offering third-party services to other companies. The threat actor will then leverage its access to the target to reach and cause damage to the business’s customers. Supply chain cyberattacks may be perpetrated in different ways.

  • Software-Enabled Attack: This occurs when a threat actor uses an existing software vulnerability to compromise the systems and data of organizations running the software containing the vulnerability. For example, Apache Log4j is an open source library that developers include in software to record system activity (logging). In November 2021, there were public reports of a Log4j remote code execution vulnerability that allowed threat actors to infiltrate target software running outdated Log4j versions. As a result, threat actors gained access to the systems, networks, and data of many organizations in the public and private sectors that used software containing the vulnerable Log4j version. Although security upgrades (i.e., patches) have since been issued to address the Log4j vulnerability, much software and many apps are still running outdated (i.e., unpatched) versions of Log4j.
  • Software Supply Chain Attack: This is the most common type of supply chain cyberattack, and occurs when a threat actor infiltrates and compromises software with malicious code, either before the software is provided to consumers or by deploying malicious software updates masquerading as legitimate patches. All users of the compromised software are affected by this type of attack. For example, Blackbaud, Inc., a software company providing cloud hosting services to for-profit and non-profit entities across multiple industries, was ground zero for a software supply chain cyberattack after a threat actor deployed ransomware in its systems; the attack had downstream effects on Blackbaud’s customers, including 45,000 companies. Similarly, in May 2023, Progress Software’s MOVEit file-transfer tool was targeted with a ransomware attack, which allowed threat actors to steal data from customers that used the MOVEit app, including government agencies and businesses worldwide.

Legal and Regulatory Risks

Cyberattacks can often expose personal data to unauthorized access and acquisition by a threat actor. When this occurs, companies’ notification obligations under the data breach laws of jurisdictions in which affected individuals reside are triggered. In general, data breach laws require affected companies to submit notice of the incident to affected individuals and, depending on the facts of the incident and the number of such individuals, also to regulators, the media, and consumer reporting agencies. Companies may also have an obligation to notify their customers, vendors, and other business partners based on their contracts with these parties. These reporting requirements increase the likelihood of follow-up inquiries, and in some cases, investigations by regulators. Reporting a data breach also increases a company’s risk of being targeted with private lawsuits, including class actions and lawsuits initiated by business customers, in which plaintiffs may seek different types of relief including injunctive relief, monetary damages, and civil penalties.

The legal and regulatory risks in the aftermath of a cyberattack can persist long after a company has addressed the immediate issues that caused the incident. For example, in the aftermath of the cyberattack, Blackbaud was investigated by multiple government authorities and targeted with private lawsuits. While the private suits remain ongoing, Blackbaud settled with state regulators ($49,500,000), the U.S. Federal Trade Commission, and the U.S. Securities and Exchange Commission (SEC) ($3,000,000) in 2023 and 2024, almost four years after it first experienced the cyberattack. Other companies that experienced high-profile cyberattacks have also been targeted with securities class action lawsuits by shareholders, and in at least one instance, regulators have named a company’s Chief Information Security Officer in an enforcement action, underscoring the professional risks cyberattacks pose to corporate security leaders.

What Steps Can Companies Take to Mitigate Risk?

First, threat actors will continue to refine their tactics and techniques. Thus, all organizations must adapt and stay current with all regulations and legislation surrounding cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) urges developer education on creating secure code and verifying third-party components.

Second, stay proactive. Organizations must re-examine not only their own security practices but also those of their vendors and third-party suppliers. If third and fourth parties have access to an organization’s data, it is imperative to ensure that those parties have good data protection practices.

Third, companies should adopt guidelines for suppliers around data and cybersecurity at the outset of a relationship, since it may be difficult to get suppliers to adhere to policies after the contract has been signed. For example, some entities have detailed processes requiring suppliers to inform them of attacks and conduct impact assessments after the fact. In addition, some entities expect suppliers to follow specific sequences of steps after a cyberattack. At the same time, some entities also apply the same threat intelligence they use for their own defense to their critical suppliers, and may require suppliers to implement proactive security controls, such as incident response plans, ahead of an attack.

Finally, all companies should strive to minimize threats to their software supply chain by establishing strong security strategies at the ground level.

What Software Is Used in a Law Firm?

Law firms leverage a spectrum of digital solutions to streamline their operations. From intricate case analysis with legal research platforms to seamless accounting with legal billing software, technology has become the unseen backbone of a successful practice. In fact, 77% of firms worldwide have reported increasing legal tech usage at their organization in the past few years.

This piece aims to explore the diverse digital tools essential for legal professionals, showcasing how these technologies and legal software examples collectively enhance the operational efficiency of a law firm.

What Software Does a Lawyer Use?

Lawyers today rely on a variety of software to maintain their competitive edge. Here’s a brief overview of the most commonly used software:

CASE MANAGEMENT SOFTWARE

Legal case management software serves as the operational hub for many law firms. It allows legal professionals to organize case files, track deadlines, and manage day-to-day tasks. High-quality case management software will also offer calendar integration, task assignment, and advanced reporting, all of which promote collaboration among team members and boost law firm growth.

COMMUNICATION TOOLS

Are law firms using Slack for communication? Texting? Teams? Numerous communication tools exist, but the best option is communicating through practice management software. With this method, users can save various conversations to different clients and matters, ensuring the recording and organization of all conversations. Firms can also easily communicate with their clients if the practice management software has a client portal to exchange information and documents securely.

DOCUMENT MANAGEMENT SOFTWARE

With the bulk of legal work being document-intensive, legal document management software is indispensable. It allows for secure storage, quick retrieval, and easy sharing of documents. Robust search functionality is a hallmark of this software, enabling lawyers to find specific documents or reference materials in seconds. Version control is also crucial, ensuring everyone works on the latest document without losing prior edits.

BILLING SOFTWARE

Billing software automates invoicing, tracks billable hours and expenses, and manages client payments. It is often a part of case management software, providing a seamless transition from work performed to invoice generated. Modern billing software bolsters trust through transparent, customizable invoices that outline specific actions taken with only a few clicks of a button.

LEGAL RESEARCH SOFTWARE

Lawyers use this software to navigate the vast ocean of legal precedent and statutory material. When initiating a research project, approximately 38% of attorneys typically start with well-known search engines, and 37% prefer using paid online legal databases, illustrating the reduced reliance on printed materials, which only 4% of lawyers now use as a starting point. Legal research software boasts powerful search features, annotation capabilities, and collaborative functions, seamlessly connecting lawyers with the precise information they need for their cases.

What Is the Best Legal Office Management Software?

Identifying the best legal office management software involves looking for key features like the following:

  • User-Friendly Interface: Reduces training time and enhances productivity.
  • Robust Security Features: Protects sensitive client information.
  • Comprehensive Case Management: Manages all case-related information in one place.
  • Native ePayments: Makes it easy for clients to pay their invoices.
  • Seamless Billing: Offers efficient time tracking and invoicing.
  • eSignature Capabilities: Reduces the signing process to mere minutes.
  • Effective Client Communication Tools: Enhances client engagement with secure portals.
  • Document Handling: Organizes documents with their corresponding matters.

What Is CRM for Law Firms?

CRM software for law firms focuses on client relationship management, a fundamental aspect for any law firm looking to grow and maintain a strong client base. CRM systems help attorneys track interactions with current and potential clients. These features are essential in a field where timely and personalized communication can significantly impact client satisfaction and retention.

A well-designed CRM tool will assist with the following:

  • Automated Intake Forms: Client intake and CRM software go hand in hand, and automated intake forms are a must-have feature. This feature ensures that client data is accurately and efficiently transferred to your CRM, reducing manual data entry and enhancing the accuracy of client information.
  • Custom Tags and Workflows: Custom software tags make organizing client information more manageable. Firms can categorize contacts as clients, prospects, or professional contacts and even filter these tags for business insights. Automated workflows enable the creation of triggered tasks and events, improving client interaction and ensuring no one misses critical deadlines or appointments.
  • Intuitive Dashboard: You’ll want an intuitive dashboard that offers a comprehensive view of case statuses, including contact and matter details, account balances, and payment information. This centralized view aids in better case management and client service.
  • Client Communication and Reminders: Look for CRM software that automates the scheduling process, including sending automatic meeting reminders via email, SMS text, or through the client portal. This feature ensures effective engagement with clients at various touchpoints.

The ability to blend CRM with existing practice management software is beneficial for law firms. Lawyers can access everything from case documents to client communication histories in a single system, which reduces the risk of errors likely to occur when flipping between different platforms.

What Accounting Software Do Law Firms Use?

Law firms use specialized accounting software to handle legal-specific financial needs like trust accounting, billing, and expense tracking. With accurate accounting, law firms can maintain financial compliance and keep a pulse on their financial health.

Efficient law firm accounting software should also automate time-consuming tasks like invoicing, expense tracking, and financial reporting. This automation saves valuable time, allowing lawyers to focus on client cases rather than financial administration. Moreover, it helps in forecasting and budgeting, which is essential for strategic planning and growth.

For law firms, an integrated approach to software solutions is the best choice. While standalone accounting programs exist, law practice management software with accounting features offers a more streamlined experience. These integrated solutions reduce the need for multiple software platforms, simplifying workflows and minimizing the risk of data entry errors.

Intellectual Property for the Metaverse

How do you use the patent system to protect inventions related to the metaverse?

What is the Metaverse?

Merriam-Webster defines the metaverse as “a persistent virtual environment that allows access to and interoperability of multiple individual virtual realities.” The term “metaverse” originates from dystopian science fiction novels in which it referred to an immersive, computer-generated virtual world. Today’s “metaverse” is now firmly integrated into the technology sector and can be thought of as a common virtual world shared by all users across a plurality of platforms. Examples of metaverse-related technology include the software that generates these virtual environments, as well as virtual reality (VR) and augmented reality (AR) headsets and other devices that enable human interaction with the environment and with representations of other humans within it.

The adoption of metaverse-related technology is expanding. In 2021 the company then known as Facebook rebranded to “Meta” in an effort to emphasize the company’s commitment to developing a metaverse. In the fall of 2022, Apple announced the development of its own VR/AR headset. 2022 also saw the launch of the first Metaverse Fashion Week.

These events are indicative of the growing emphasis on the metaverse and the expectation amongst technology companies that the metaverse will be the eventual successor to the internet, smartphones, and/or social media. Applications of the metaverse are not limited to socialization and gaming—as the metaverse expands there is increased acknowledgment of the benefits it may provide in other settings, including in education, finance, and medicine.

As patent attorneys and innovators, we ask: How do you use the existing framework of the patent system to best protect inventions related to the metaverse?

Using Patents to Protect Inventive Concepts in the Metaverse

In this blog post, we explore considerations for protecting inventions in and related to the metaverse. Because many of these technologies are new and the industry surrounding the metaverse is in its infancy, inventions made today may prove to be quite valuable in the coming years. Protecting these inventions today is likely to be well worth the investment in the future. Inventive concepts in the metaverse can be protected using both utility patents, which focus on the functional benefits of an invention, and design patents, which focus on the ornamental aspects of an invention.

Utility Applications for Metaverse

Utility patents may be used to protect the functional aspects of hardware or software-based innovative technologies in the metaverse.

Innovators in the metaverse environment might pursue patent protection on technologies associated with headsets, displays, cameras, user control interfaces, networked storage and servers, processors, power components, interoperability, communication latency, and the like. These hardware-based inventions for the metaverse may be a natural expansion of those previously developed for augmented and virtual reality, video-game technology, or the internet. Accordingly, patent applicants may look to those fields for best practices in protecting their hardware-based inventions. As with any patent application, identifying a point of novelty early on in the process is essential to deciding whether and how to pursue patent protection.

Software-based inventions may include technologies associated with performing tasks in the metaverse, such as representation of virtual environments and avatars, speech/voice processing, and blockchain transactions (e.g., for purchasing virtual goods). These software-based inventions may face additional challenges at the U.S. Patent and Trademark Office (USPTO), where the patent eligibility bar under 35 U.S.C. §101 prohibits the patenting of “abstract ideas” which may include methods of organizing human activity, mental processes, and mathematical concepts. It is typical for software-related patent applications to receive a patent eligibility rejection during the examination process.

One challenge in patenting software-based applications for the metaverse is that software which merely implements a process equivalent to a known process outside of the metaverse environment is unlikely to be allowed by the USPTO. However, a software-based invention that accounts for the changes introduced by operating in a metaverse environment, and addresses the specific problems unique to the metaverse, may be found patentable by the USPTO. Thus, a best practice for drafting patent applications related to the metaverse is to include, in any such application, details of the considerations taken to account for the change in operating in a metaverse environment as opposed to a non-metaverse environment.

Additionally, while patent applicants may draft patent applications with the USPTO in mind, applicants should also consider the intricacies of claiming patent protection for software-related technologies on a global basis. For example, patent applicants should consider that patents for software processes are more difficult to acquire in Europe unless the application includes clear indications of how a software-based invention provides a technical solution to a technical problem.

Design Applications for Metaverse

Innovators in the metaverse may also use design patents to protect ornamental aspects of their invention. For example, fashion companies may seek protection of their branded objects within the metaverse. Technology companies may try to protect the ornamental features of their headsets or user interfaces.

The protection of objects within the metaverse presents an interesting avenue for patent protection. Objects displayed within the metaverse may be protected similarly to how innovations in video-game technology, web applications and graphical user interfaces are currently protected using design patents. For example, representations of physical items within a virtual environment can be considered computer-generated icons, which can be protected so long as they are shown in an embodiment tying them to an article of manufacture such as a computer screen, monitor, other display panel, or any portion thereof, in compliance with 35 U.S.C. 171. Similarly, movement of items within a metaverse environment can be protected in the same way that changeable computer-generated icons are protected today.

Again, while patent applicants may focus on the requirements of the USPTO, it is important to note that the metaverse is inherently global in its nature and that industrial design applications across the globe may have different requirements. For example, Europe does not require a display screen for industrial designs. Accordingly, comprehensive strategies for design protection of metaverse-related technologies may consider the nuances of seeking industrial design protection in various jurisdictions.

Other Methods for Protecting Inventive Concepts in the Metaverse

As with any product or company, a comprehensive strategy for intellectual property protection includes not only patents but also trademarks and copyrights. As intellectual property attorneys consider the best ways to protect a client’s product, they may often turn to trademarks and copyrights in connection with design and utility patent applications to provide more holistic protection of intellectual property assets. For example, fashion-based companies may utilize a combination of trademark protection and design patent protection for their brands and the innovative designs for which they are known in the metaverse. Software-based companies may turn to a combination of copyright and utility patents to protect innovative functionality for the metaverse.

Concluding Thoughts

The growth in use of utility and design patent applications to protect concepts related to the metaverse is immense. One study conducted by IALE Tecnología found that “over the past five years, metaverse-related patent applications have doubled to more than 2,000.” This rapid expansion in patents for innovative concepts surrounding the metaverse is only expected to advance in the coming years.

Cohesive and comprehensive strategies involving utility patents, design patents, trademarks, copyrights and trade secrets are likely to provide the best protection to innovators operating in the metaverse.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


Secure Software Regulations and Self-Attestation Required for Federal Contractors

US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Design Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design of code used by the federal government.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime contractors and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code, that is, software developed with security in mind so that flaws and vulnerabilities can be mitigated before the government buys and deploys it.

The SSDF as A Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in special publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. In other words, if the producer of the software cannot attest to meeting the NIST requirements, it will not be able to supply software to the federal government. There are some exceptions and processes for software to gradually enter into compliance under various milestones for improvements, all of which are highly technical and subjective.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.[1]

SSDF Implementation Deadline and Requirements for Government Suppliers

CISA initially set a deadline of 11 June 2023 for critical software and 13 September 2023 for non-critical software to comply with the SSDF. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period remains open until 26 June 2023. However, CISA has not yet confirmed an extension of the deadline.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

  • The software was developed and built in secure environments.
  • The software producer has made a good-faith effort to maintain trusted source code supply chains.
  • The software producer maintains provenance data for internal and third-party code incorporated into the software.
  • The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with the SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and will likely take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Risks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given the fact that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. In particular, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.

[1] 88 Fed. Reg. 25,670.

Copyright 2023 K & L Gates

Software as a Medical Device: Challenges Facing the Industry

SaMD Blog Series: Introduction

Editor’s Note: We are excited to announce that this article is the first of a series addressing Software as a Medical Device and the issues that plague digital health companies, investors, clinicians and other organizations that utilize software and medical devices. We will be addressing various considerations including technology, data, intellectual property, licensing, and contracting.

The intersection of software, technology and health care, and the proliferation of software as a medical device in the health care arena, has become commonplace and has spurred significant innovations. The term Software as a Medical Device (SaMD) is defined by the International Medical Device Regulators Forum as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.” In other words, SaMD need not be part of a physical device to achieve its intended purpose. For instance, SaMD could be an application on a mobile phone that is not connected to a physical medical device.

With the proliferation of SaMD also comes the need for those building and using it to firmly grasp the legal and regulatory considerations that ensure successful use and commercialization. Over the next several weeks, we will be addressing some of the more common issues faced by digital health companies, investors, innovators, and clinicians when developing, utilizing, or commercializing SaMD. The Food and Drug Administration (FDA) has already cleared a significant amount of SaMD, including more than 500 algorithms employing artificial intelligence (AI). Some notable examples of FDA-cleared SaMD include wearable technology for remote patient monitoring; doctor-prescribed video game treatment for children with ADHD; fully immersive virtual reality tools for both physical therapy and mental wellness; and end-to-end software that generates 3D printed models to better plan surgery and reduce operation time. With this rapid innovation comes a host of legal and regulatory considerations, which will be discussed over the course of this SaMD Blog Series.

General Intellectual Property (IP) Considerations for SaMD

This edition will discuss the sophisticated IP strategies that can be used to protect innovations in the three categories of software for biomedical applications (SaMD, software in a medical device, and software used in the manufacture or maintenance of a medical device), including clinical trial collaboration and sponsored research agreements, filing patent applications, and pursuing other forms of protection, such as trade secrets.

Licensing and Contracting with Third Parties for SaMD

This edition will unpack engaging with third parties practically and comprehensively, whether in the context of (i) developing new SaMD or (ii) refining or testing existing SaMD. Data and IP can be effectively either owned or licensed, provided such licenses protect the future interests of the licensee. Such ownership and licensing are particularly important in the AI and machine learning space, which is one area of focus for this edition.

FDA Considerations for SaMD

This edition will explore how FDA is regulating SaMD, which will include a discussion of what constitutes a regulated device, legislative actions to spur innovation, and how FDA is approaching regulation of specific categories of SaMD such as clinical decision support software, general wellness applications, and other mobile medical devices. It will also examine the different regulatory pathways for SaMD and FDA’s current focus on Cybersecurity issues for software.

Health Care Regulatory and Reimbursement Considerations for SaMD

This edition will discuss the intersection of remote monitoring services and SaMD, prescription digital therapeutics and how they intersect with SaMD, licensure and distributor considerations associated with commercializing SaMD, and the growing trend to seek out device specific codes for SaMD.

Our hope is that this series will be a starting point for digital health companies, investors, innovators, and clinicians as each approaches development and use of SaMD as part of their business and clinical offerings.

© 2023 Foley & Lardner LLP

For more information on Healthcare, click here to visit the National Law Review.


Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated with October Attack

On December 23, 2022, the Lake Charles Memorial Health System (LCMHS) began sending notifications about a newly discovered data breach that currently affects approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, comprising multiple hospitals and a primary care clinic. The organization discovered unusual activity on its network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor had gained access to the network and “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information about care received, and, in limited instances, Social Security numbers (SSNs). While LCMHS has yet to confirm who was responsible, the Hive ransomware group listed the organization on its data leak site on November 15, 2022, and posted files allegedly exfiltrated from the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It would not be unusual for Hive to be behind this attack, as the group has previously targeted hospitals and other healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean state-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a long-running threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Consistently aiming its attacks at South Korean entities, the group often targets academics, think tanks, and organizations concerned with inter-Korean relations. In this recent campaign, Kimsuky actors sent spear-phishing emails to several well-known South Korean policy experts. Each email carried either an embedded website URL or an attachment, either of which executed malicious code that downloaded malware to the compromised machine. One (1) tactic the threat actors utilized was distributing the emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) were located throughout North Korea, with the others spread around the globe. This type of social engineering attack is not new for the group, as similar campaigns have occurred over the past decade; in January 2022, Kimsuky actors mimicked researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded links or downloading any attachments, to lessen the risk of compromise.
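
The relay-hop trick described above is one reason to look past the From: line when validating a message. The following is an added example, not part of the Ankura update: it walks a message’s Received: chain oldest-first to recover the originating relay, reads the Authentication-Results header written by the receiving mail server, and compares the Return-Path domain with the From: domain. The sample message, hostnames, addresses and IP ranges are constructed for illustration (documentation prefixes and .test domains); none come from the campaign.

```python
"""Added example (not from the Ankura update): inspect a message's relay chain
and authentication results. The message below is constructed; hosts use
documentation IP ranges and .test domains."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: From: claims a policy institute, but the oldest relay hop
# is an unrelated host and the receiving server's SPF check failed.
SAMPLE_MSG = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
\tby mail.recipient.test with ESMTPS id abc123; Tue, 3 Jan 2023 09:00:00 +0900
Received: from compromised-host.example.net (unknown [198.51.100.77])
\tby mx.example-corp.test with ESMTP id def456; Tue, 3 Jan 2023 08:59:58 +0900
Authentication-Results: mail.recipient.test; spf=fail smtp.mailfrom=policy-institute.test; dkim=none
Return-Path: <bounce@compromised-host.example.net>
From: "Dr. Kim" <researcher@policy-institute.test>
To: expert@recipient.test
Subject: Request for comments on inter-Korean policy draft
Content-Type: text/plain

Please see the attached draft.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(msg):
    """Relay hops oldest-first. Each MTA prepends its own Received: header,
    so the header order (newest first) is reversed here."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header))
        m = HOP_RE.search(text)
        if not m:
            continue  # unparseable hop: skip it rather than abort the analysis
        ip = IPV4_RE.search(m.group("paren"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message):
    """Return origin hop, SPF/DKIM results and a list of findings for one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = parse_hops(msg)
    auth = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    result = {
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "spf": spf.group(1).lower() if spf else "none",
        "dkim": dkim.group(1).lower() if dkim else "none",
        "findings": [],
    }
    if result["spf"] != "pass":
        result["findings"].append(f"SPF result is '{result['spf']}' for {result['from_domain']}")
    if result["dkim"] != "pass":
        result["findings"].append(f"DKIM result is '{result['dkim']}'")
    if result["return_path_domain"] and result["return_path_domain"] != result["from_domain"]:
        result["findings"].append(
            f"Return-Path domain {result['return_path_domain']} differs from From domain {result['from_domain']}")
    result["suspicious"] = bool(result["findings"])
    return result


if __name__ == "__main__":
    report = analyse(SAMPLE_MSG)
    for hop in report["hops"]:
        print(f"{str(hop['ip']):>15}  {hop['helo']} -> {hop['by']}")
    print("findings:", *report["findings"], sep="\n  ")
```

Received: headers added before the message reached your own mail server can be forged by the sender, so only the hops written by servers you trust, and the SPF/DKIM results your own MTA computed, carry real weight. The chain is still useful for spotting a message that claims one origin in From: but arrived from somewhere else entirely, which is exactly the pattern a relay through a hacked server produces.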

Vulnerabilities

Netgear Patches High-Severity Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability affecting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow which, if exploited, could allow threat actors to carry out a number of malicious activities, including stealing sensitive information, creating Denial-of-Service (DoS) conditions, downloading malware, and executing arbitrary code. In past attacks, threat actors have used this type of vulnerability as an initial access vector from which to pivot to other parts of the network. Currently there is very little technical information about the vulnerability: Netgear is temporarily withholding the details to give as many users as possible time to update vulnerable devices to the latest firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to exploit an exposed device. CTIX analysts urge Netgear users with any of the devices listed in Netgear’s advisory to patch immediately.


Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report, over 600 malicious email campaigns were launched in the first half of 2022 with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included cloud-based networks, unpatched software vulnerabilities, and cryptocurrency and decentralized finance (DeFi) systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

5 Ways Legal Billing Software Increases Law Firm Revenue

In any business, keeping an eye on the bottom line is essential. For law firms, this can be a challenge, as there are many ways that money can be lost throughout a case. From inefficient time-tracking to inaccurate billing, there are many potential pitfalls. However, there is one solution that can help to increase law firm revenue: legal billing software. Choosing the right legal billing software is essential for maximizing its benefits. Consider time-tracking, billing accuracy, and customer service when evaluating different packages. Take a look at solutions built specifically for the legal industry to get the most out of your investment.

3 Common Ways Law Firms Lose Money

Time Tracking Issues

Many lawyers still rely on manual methods of tracking time by using spreadsheets or notepads. This antiquated approach to timekeeping is fraught with problems, including the potential for lost billable time and revenue, vulnerability to billing disputes, and high administrative costs.

With spreadsheet or notepad timekeeping, it is easy for lawyers to forget to record their time or lose track of their records, leading to lost billable hours and ultimately lost revenue for the firm. Manual timekeeping doubles the work since someone must manually enter all data into the system.

Manually keeping track of time leaves attorneys vulnerable to billing disputes. If a client questions a lawyer’s billing records, it can be difficult for the attorney to prove that the charges are accurate without detailed and meticulous records.

Invoicing Frequency

When it comes to law firm revenue, timely billing is everything. The longer you wait to send a bill, the longer you wait to get paid. Clients can’t pay a bill they haven’t received.

Not billing promptly sends the message to your client that prompt payment is not that important to you. Sending your invoices at the end of each month helps to avoid confusion or miscommunication and ensures that you and your clients are on the same page.

Billing Bottlenecks

Getting paid by clients is a significant problem for 61% of small law firms, according to 2019 research conducted by Thomson Reuters Legal Executive Institute. Law firms that don’t provide clients with various payment options, like online payments and accepting credit card payments, are more vulnerable to decreased law firm revenue due to not getting paid on time.

What is Legal Billing Software?

Legal billing software is a downloadable or cloud-based application that helps lawyers accurately track their time and invoice their clients. A robust product, like Bill4Time, will track time, bill in the LEDES format, create custom invoices, accept online payments, and meet state bar regulations for billing. Law firms use dedicated legal billing software to improve their bottom line by streamlining invoicing and reducing inaccurate timekeeping and billing bottlenecks.

What Billing Software do Law Firms Use?

Lawyers are always looking for ways to be more efficient and maximize their billable hours, so they prioritize cloud-based software solutions that have integrated time tracking, easy invoice options, and a client portal for online payments.

Law firms need industry-specific features like trust & IOLTA accounting which allows lawyers to reconcile trust accounts without a secondary application. They also look for software that provides LEDES billing, the most widely used e-billing standard for law firms invoicing corporate clients.

Why Does My Law Firm Need Legal Billing Software?

As a law firm, you know that time is money. Every minute spent on administrative tasks is a minute that could be spent on billable hours.

Automate the billing process

You and your team enter time against a matter once, and the software takes care of the rest, generating invoices and sending them to clients on your behalf.

Manage your cash flow

You will always have a clear record of what has been billed and remains outstanding. You can responsibly allocate your resources to maximize your profits.

Track payments and expenses

Having this information organized and readily available can save you a great deal of time and hassle when it comes time to file taxes or apply for loans or lines of credit.

Billing automation will save you and your team considerable time each month, which can be spent growing your business.

How to Identify the Best Legal Billing Software

When choosing legal billing software, there are a few key factors to keep in mind.

Choosing a program compatible with your firm’s existing tech stack, including your law practice management software, is critical to success. Consider the cost, ease of use, and customer support options. Mobile access is also crucial for lawyers who need to reach their files from any device, whether iPhone, iPad, or Android.

And finally, security is always a top priority when it comes to sensitive legal information. Look for software with industry-standard safeguards in place to protect your data, such as encryption of data in transit and at rest, multi-factor authentication for user logins, and role-based access controls.

By keeping these factors in mind, you’ll choose the best legal billing software for your needs.

Best Practices for Implementing a Legal Billing Software

There are many different types of legal billing software on the market, and it can be challenging to decide which one is right for your law firm.

When choosing new software for your law firm, there are a few important factors to remember:

  • You must ensure that the software is compatible with your existing legal practice management software.

  • Be sure to clearly understand your law firm’s billing policies before setting up the software to ensure everything is billed correctly.

  • The software should be easy to use, but you still need to take time to train your staff on how to use the new software.

  • You want a responsive and helpful vendor, with a support team you can reach when you run into problems.

A little upfront investment will pay off in the long run by preventing billing mistakes and increasing efficiency. Following these simple tips, you can set your law firm up for success with legal billing software.

Increase Law Firm Revenue with Legal Billing Software

Ultimately, you can improve your firm’s bottom line and the client experience by investing in legal billing software. Here are five ways a legal billing software can help you achieve success:

1 ) Accurate Time Tracking

Time entry and expense tracking are crucial for any organization looking to boost productivity and improve profitability. Yet many organizations struggle with manually tracking time and expenses, leading to inaccuracies and lost data. The software makes tracking time and expenses by the user, client, or project easy.

Move beyond the notepad, and start tracking your time with a cloud-based software solution.

Whether on the go or at the office, easy time entry makes it simple to run timers simultaneously, record multiple time entries on one screen, and automatically convert appointments into time entries. You’ll always know your organization’s productivity and financial status with daily and weekly time summaries.

2 ) Automated Billing

Automated billing and online payments can make it easier for clients to pay their invoices, resulting in quicker payment turnaround times. Clients tend to delay payment if they don’t understand the invoice. Prevent this from happening by providing detailed and informative invoices.

With legal billing software, you can set up invoice templates with custom settings such as your billing policy and payment links to pay online — you can even perform batch invoice creation to save administrative time.

You can even extend your brand while increasing workflow efficiencies by personalizing and creating branded invoices with your logo.

3 ) Online Payments

Online payments are becoming increasingly popular, and customers expect businesses to offer this option. You may even miss out on potential customers if you don’t offer online payments.

Online payments allow firms to quickly and easily receive payments from clients. This can be done via credit card, debit card, or even PayPal. In addition, online payments are more secure than traditional methods, such as mailing a check.

4 ) Custom Reporting

Real-time data is essential for any growing business and managing cash flow. You’ll want a solution with comprehensive reporting to manage your firm’s financial performance better and identify trends to ensure success—review payment history, balance due, collections, expenses, productivity, and summary reports.

Legal billing software should be able to run user activity reports, so you can get detailed insights into how your team works, including efficiency, expense, schedule, and internal tracked time. This data can help you identify areas of improvement so your team can work smarter, not harder.

5 ) Enhanced Client Experience

Client portals are a great way to provide your clients with more information and control over their billing. Empower your clients to log in, view their account balances, make payments, and see a detailed fee history.

Grow Your Law Firm Revenue with Legal Billing Software

The legal industry is one of the most competitive and rapidly-changing fields. To succeed, law firms must be cutting edge in all aspects of their business – including billing. With so much at stake, it’s no wonder that more and more law firms are turning to legal billing software to help them stay ahead of the competition.

This article was authored by Dan Bowman of Bill4Time.


©2006-2022, BILL4TIME. ALL RIGHTS RESERVED.

Leveraging Your Microsoft Assets in this Remote Access World

The COVID-19 pandemic has led to an enormous increase in remote work. Organizations without remote access capabilities have adapted and implemented new solutions, while organizations with existing solutions have been forced to evaluate new capacity requirements and scale their solutions accordingly. You may be surprised to learn that your existing Microsoft assets include functionalities for remote access, and you can get rid of redundant or more costly solutions. Your Microsoft subscription, license, operating system, software, service, etc. should all be reviewed in some capacity at this time.

“In recent years, Microsoft has made a multitude of investments and changes to its portfolio and offerings,” says Scott Riser, Director of Microsoft and Data Management Services at Plan B Technologies, Inc. (PBT). “Some of these changes are quickly noticed during renewals or annual reviews, such as Microsoft Server Operating Systems licensing. However, many changes have happened ‘in the background’ and could easily be missed by organizations,” Riser says. “Make sure you’re taking advantage of your existing Microsoft assets, and know your entitlements – especially now.”

Most of these changes go beyond the typical Microsoft portfolio of Office products and Operating Systems. Microsoft has placed significant focus in the areas of security, video and audio conferencing, VOIP, virtual desktop, artificial intelligence, and cloud computing. Many of these Microsoft assets, which are likely already in your organization, are gaining additional functionality for your remote workforce. This can be done with minimal management overhead and reduced implementation costs over competitive third parties. So how do you ensure that your organization is properly leveraging its current Microsoft assets?

Know What You Have

Leveraging Microsoft assets to the fullest starts with knowing what your organization has purchased, and to what it is entitled. This goes beyond Microsoft assets alone and a full inventory of software, services, and features within your environment should be performed sooner rather than later. This full evaluation serves three purposes. First is that of an internal audit to ensure your organization has the proper number of licenses for each product and to correct licensing infractions before you incur hefty true-up costs or additional licensing fees. The second purpose is educational, as it provides technical staff and administration an understanding of the entitlements each software or service provides. This is particularly valuable since Microsoft 365 cloud subscriptions now include licenses for some on-premise systems. The third purpose of this evaluation is to identify overlaps in features and functionality among products to lower costs, simplify management of the environment, and promote productivity.

Failure to perform a review of current entitlements can result in a significant overspend and an overly complicated environment that is more difficult to manage. For example, your organization could be using a third-party Multi-Factor Authentication (MFA) provider when an already purchased Microsoft subscription has MFA built in, or you may have purchased an MDM solution that overlaps with an existing entitlement to System Center and Windows Intune.

With information from these internal audits, organizations are better suited to make impactful decisions while controlling cost. Once your organization understands what it is entitled to within your existing environment, you must then determine situational awareness for future planning and sustainability. Items that should be included in planning for the future include (but are not limited to) security, management, user workflow and communication.

Secure the Environment

If your workforce is now remote, has your organizational data gone remote as well? Now that most organizations have been required to provide users with remote access, either through Virtual Desktop infrastructure (VDI), cloud-based applications or internet portals, the attack surface for exploitation by bad actors has never been larger. This puts organizations at greater risk of a security breach. Knowing this, Microsoft has invested billions of dollars to protect their product offerings and combat cyber criminals.

Microsoft now has a full portfolio of security offerings, and buildings full of teams dedicated to securing their services and platforms as well as assisting criminal investigations. User identity has become the new perimeter for data as organizations move to cloud-based technologies and a remote workforce. This has been the case for years as VPNs and firewalls have limited preventive impact when a bad actor has credentials to access them. Microsoft has been active in making user identity more secure with easily implemented tools and access policies while also integrating artificial intelligence and improved reporting. These products and features include Windows Hello, Azure Multifactor Authentication, Conditional Access, Credential Guard, and User Sign-in Risk Reporting/Alerting amongst others.
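
As an added illustration of how policy-based identity controls such as Conditional Access compose (this is example code, not Microsoft’s implementation and not from the original article), here is a toy evaluator in Python. The semantics it models are the documented ones: a block from any applicable policy wins, and otherwise the grant controls of every applicable policy are combined and all of them must be satisfied. The users, groups, trusted network range, risk values and the policy set itself are constructed for the example.

```python
"""Added example (not Microsoft code): a toy Conditional Access-style evaluator.
Policies, users, groups, the trusted network range and the risk field are all
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]   # e.g. frozenset({"admins"})
    client: str              # "modern" (can do MFA) or "legacy" (e.g. IMAP basic auth)
    ip: str
    device_compliant: bool   # asserted by MDM, not by the user
    risk: str                # sign-in risk from the identity provider: none/low/medium/high


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    block: bool = False
    grants: FrozenSet[str] = frozenset()   # controls that must all be met


# Assumed corporate egress range (documentation prefix, not a real network).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


# Constructed policy set in the order an admin might write it; order does not
# affect the outcome because evaluation is block-wins, then union-of-grants.
POLICIES = [
    Policy("Block legacy authentication", lambda s: s.client == "legacy", block=True),
    Policy("Block high-risk sign-ins", lambda s: s.risk == "high", block=True),
    Policy("MFA outside trusted networks", lambda s: not on_trusted_network(s.ip),
           grants=frozenset({"mfa"})),
    Policy("MFA for medium-risk sign-ins", lambda s: s.risk == "medium",
           grants=frozenset({"mfa"})),
    Policy("Admins need MFA and a compliant device", lambda s: "admins" in s.groups,
           grants=frozenset({"mfa", "compliant_device"})),
]


def evaluate(signin: SignIn, satisfied: FrozenSet[str] = frozenset()) -> dict:
    """Decide allow / require / block for one sign-in.

    `satisfied` lists controls already met in this session (e.g. {"mfa"}).
    A block from any applicable policy wins; otherwise the grant controls of
    all applicable policies are unioned and every one of them must be met.
    """
    applicable = [p for p in POLICIES if p.applies(signin)]
    blockers = [p.name for p in applicable if p.block]
    if blockers:
        return {"decision": "block", "policies": blockers}
    required = frozenset().union(*(p.grants for p in applicable))
    met = set(satisfied)
    if signin.device_compliant:
        met.add("compliant_device")
    missing = sorted(required - met)
    names = [p.name for p in applicable]
    if missing:
        return {"decision": "require", "controls": missing, "policies": names}
    return {"decision": "allow", "policies": names}


if __name__ == "__main__":
    admin_off_net = SignIn("carol", frozenset({"admins"}), "modern", "198.51.100.9", False, "low")
    print(evaluate(admin_off_net))                      # requires compliant_device and mfa
    print(evaluate(admin_off_net, frozenset({"mfa"})))  # still requires compliant_device
```

The point a practitioner should take from the model is the interaction between policies: an admin signing in from outside the trusted range is subject to two grant policies at once and must satisfy the union of their controls, while a single block policy (legacy authentication, high sign-in risk) ends the evaluation regardless of what else is satisfied. Real deployments should be tested the same way, with sample sign-ins for each population, before policies are enforced.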

Identity of course is only one attack vector that can be exploited. Therefore, it is essential to secure end user devices and the infrastructure where data is located. Microsoft Defender and Advanced Threat Protection (ATP) is ideally suited to protect servers and end user devices when implemented properly. Plus, it’s included in many Microsoft 365 subscriptions.

“In the past, Defender has received a stigma of being unreliable and faulty,” says Scott Riser, “but Defender has since become one of the most reliable pieces of security software available today. Why? According to Microsoft, over 1 billion devices are currently running the Windows 10 operating system, providing trillions of telemetry data points to continuously improve all Microsoft security services. And as a result, Microsoft has the largest security footprint in the world.”

The data provided by Defender from these devices is reported to artificial intelligence algorithms as well as Microsoft security teams to patch security flaws and update anti-virus definitions at unparalleled levels in the industry. It is also important to note that Microsoft Server Operating systems utilize Defender and the Defender platform can be upgraded to Defender ATP software to enhance built-in capabilities and provide additional security for on-premise data.

With an increasingly remote workforce, many organizations have moved their data to Exchange Online, SharePoint Online, and OneDrive for Business. Microsoft has built-in security solutions for these platforms as well. Depending on the Microsoft subscription you have purchased, Exchange Online Protection, Azure Information Protection, Microsoft Advanced Threat Protection, and Azure Advanced Threat Protection can all be used to secure data stored in these locations. Furthermore, Microsoft understands that some organizations require more control over their data and systems in Infrastructure as a Service environments such as Azure and AWS. For this, a combination of Defender ATP and Azure Sentinel can provide real-time analytics and automated responses to detected threats, driven by custom analytics rules, workbooks, and playbooks, in a pay-as-you-go model.

All these security measures protect against bad actors attempting to breach an organization’s data. This of course does not protect an organization from internal threats, such as disgruntled employees or the inevitable human error. Organizations must now secure data from exfiltration which is not as simple as preventing all data from leaving the organization. The problem is more nuanced. A full lockdown, though simpler, would prevent your organization from essential collaboration with its staff and clients. Failing to protect data internally may result in proprietary data inadvertently shared with a client, or competitor, or being lost entirely. In healthcare and financial services, it can result in a loss of personal identifiable data, or banking information, which carry hefty fines from regulatory bodies.

Microsoft Data Loss Prevention (DLP) is the solution to this issue. With DLP, custom policies can be defined by an organization to determine data that should not leave the organization. It can also remind a user to review data being sent as it could possibly be confidential. DLP continues to gain traction in Microsoft 365 settings as the need to protect cloud-based collaboration platforms such as Teams and OneDrive grows. DLP can also be implemented in some areas of on-premise infrastructure. Exchange has built-in DLP features that often go overlooked. Organizations tend to use Mimecast, Proofpoint, and other third-party vendors for these solutions while the built-in functionality remains unconfigured.
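
To make the policy idea concrete, here is an added example (not Microsoft’s DLP engine and not from the original article) of the decision a DLP rule makes on one outbound message: it scans the text for US Social Security numbers and payment card numbers, uses the Luhn checksum to discard most digit strings that merely look like card numbers, and then picks an action from a constructed policy depending on whether any recipient is outside the firm. Microsoft’s built-in sensitive information types combine patterns with checksum and keyword checks in the same spirit. The domain name, the policy and the sample message are made up for the example.

```python
"""Added example (not Microsoft code): a minimal DLP rule that detects SSNs and
payment card numbers in outbound text and decides warn/block. The internal
domain, policy and sample message are constructed for illustration."""
import re

# US SSN: area numbers 000, 666 and 9xx, group 00 and serial 0000 are never issued,
# so excluding them removes many obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by single spaces or hyphens; Luhn filters the rest.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed policy: warn the sender for internal mail, block external mail.
POLICY = {"internal": "warn", "external": "block"}
INTERNAL_DOMAIN = "example-firm.test"

# Constructed sample: one real-looking SSN, one Luhn-valid test card number and
# one 16-digit reference that fails Luhn and must not be flagged.
SAMPLE_BODY = "Client SSN 123-45-6789, card 4111 1111 1111 1111 (ref 1234 5678 9012 3456)."


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for each sensitive item found."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def evaluate(body: str, recipients: list) -> dict:
    """Decide the DLP action for one message given its recipients."""
    hits = find_sensitive(body)
    if not hits:
        return {"action": "allow", "hits": []}
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    action = POLICY["external"] if external else POLICY["internal"]
    return {"action": action, "hits": hits, "external_recipients": external}


if __name__ == "__main__":
    print(evaluate(SAMPLE_BODY, ["partner@other-firm.test"]))      # block
    print(evaluate(SAMPLE_BODY, ["colleague@example-firm.test"]))  # warn
```

Two limits worth knowing before relying on anything like this: the card pattern takes the longest run of digits it can, so two numbers separated only by a space can merge into one candidate and hide a valid card, and a checksum only removes random digit strings, not test or expired card numbers. Production DLP engines tokenize more carefully and add proximity keywords and confidence levels for that reason.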

Device Management and Compliance

Another challenge of a remote workforce is maintaining and managing devices, both corporate-owned and user-owned. Many organizations have made significant investments in System Center Configuration Manager (SCCM), only to find that policies and updates do not apply to end user devices unless they are on the network or connected via a VPN. Organizations can expand their SCCM environment to include cloud distribution and management points for devices that are off-premises, but this is not always an ideal solution, as it requires additional infrastructure and configuration. This has led to a rise in the use of Mobile Device Management and Mobile Application Management solutions such as Microsoft Intune. Through co-management, organizations can continue to use SCCM in conjunction with Intune to manage all devices regardless of corporate connectivity. This was further encouraged by the recent integration of the license offerings, which provides Intune subscriptions to those with SCCM client licensing and vice versa.

Collaboration and Communication

Securing and managing a remote work environment is important but ensuring users can communicate and collaborate on work that was previously performed in the office is one of, if not the biggest, challenges. Daily interactions between corporate users should be considered since the ability for face to face interaction through office meetings, business lunches, and other personal touches has significantly declined. These interactions are now being held through chat programs and conference calls. External communication is one of the primary reasons that Microsoft is still considered the industry leader for collaboration software with many companies utilizing the Microsoft Office suite.

A frequently overlooked solution included in your Microsoft 365 subscription is Microsoft Teams which provides instant messaging, document collaboration and audio/video teleconferencing. Furthermore, Microsoft Teams is integrated with and supported by other Microsoft products. It’s also governed by Advanced Threat Protection and Data Loss Prevention services to provide a more secure platform than its competitors with minimal (if any) additional investment. Microsoft Office can be customized based on the needs of the user and can easily be secured and managed when used in combination with other Microsoft offerings.

Getting the Results

Challenges continue to present themselves as users work remotely and organizations refine how they operate. With a vast majority of organizations utilizing Microsoft products in some way, it is important that entitlements are understood to reduce costs and complexities. Organizations can improve their return on investment (ROI) or make new investments once this is understood. Leveraging Microsoft service offerings can be optimized beyond the traditional use of Office products and Operating Systems, to provide a secure, managed, agile, and accessible environment for users regardless of their location. The result will be a streamlined, cost effective, collaborative environment that strengthens your organization’s bottom line.


© 2020 Plan B Technologies, Inc. All Rights Reserved.


Hackers Eavesdrop and Obtain Sensitive Data of Users Through Home Smart Assistants

Although Amazon and Google respond to reports of vulnerabilities in the popular home smart assistants Alexa and Google Home, attackers continually work to exploit any vulnerability that lets them listen to users’ every word and obtain sensitive information for use in future attacks.

Last week, ZDNet reported that two security researchers at Security Research Labs (SRLabs) discovered phishing and eavesdropping vectors that abuse the back-end functionality Amazon and Google expose to developers, which, as ZDNet put it, “provide[s] access to functions that developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.” An attacker needs nothing more than the same developer tooling Amazon and Google provide for building Alexa and Google Home apps.

By placing certain commands in the back end of an otherwise normal Alexa/Google Home app, the attacker can make the assistant fall silent for a long period while it is in fact still active. After the silence, the attacker plays a phishing message that the user believes has nothing to do with the app they just interacted with: the message claims to come from Amazon or Google and asks for the user’s account password. In the eavesdropping variant, the malicious app keeps the device listening after the user thinks the interaction has ended and records the user’s conversations. When attackers can capture every word, even while the device appears to be off, they obtain highly personal information that can be used against the user later.

The manufacturers of home smart assistants reiterate to users that the devices will never ask for an account password. Cyber hygiene for home assistants is no different from cyber hygiene for email: an unexpected request for credentials should be treated as phishing.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.
