Humans Make Law Firms Vulnerable to Cyber Attacks, Lawyer Says

By Helen Gunnarsson

Hackers are waging “open war” against businesses and individuals in the U.S., and “the humans in your law firm are the weakest link,” according to a speaker at the 16th Annual Legal Malpractice and Risk Management Conference March 1 in Chicago. Steven M. Puiszis, partner at Hinshaw & Culbertson LLP in Chicago, gave detailed tips on how law firms can best protect client data from unwarranted intrusion, in his presentation “30 Security Measures in 30 Minutes.” Below are some highlights.

•  Make sure the software on all your firm devices is the most up-to-date version. Manufacturers try to close vulnerabilities in each new software version, Puiszis said. It’s particularly important to get the latest version of anti-malware protection. “A million new varieties of malware are rolled out each day. They’re constantly changing to try to evade your malware protection.”

•  Replace or disable outdated hardware. “Disable or eliminate any unused equipment or software that you don’t need,” Puiszis said. “Several of our lawyers can’t get access to [software] updates because their phones are too old. I have to tell them ‘No access’ unless they buy a new phone.” If the firm budget won’t permit replacing outdated devices, “wrap as much firewall protection around them” as possible.

•  “Patch Tuesday” should be on every law firm IT department manager’s calendar. To address software vulnerabilities and prevent hackers from exploiting them, Puiszis told the audience, all major software manufacturers release patches on the second Tuesday of every month, known as “Patch Tuesday.” Make sure your IT department downloads, tests, and applies them promptly, Puiszis said. Hackers also monitor patch releases and “will scan your network” to find any vulnerabilities, he said, but “if your network and servers are properly patched and up to date, up to ninety percent of exploit kits will be rendered ineffective.”

•  No jailbreaking. Puiszis said Hinshaw members and employees are prohibited from jailbreaking their devices, which involves tampering with the operating system to enable activities that a device’s built-in security systems would otherwise not permit. “It’s tough love,” but it’s better than needing to tell regulators and clients that the firm suffered a breach, he said.

•  Strong passwords are essential to deterring hackers and protecting data. Puiszis said Hinshaw recently switched from 8- to 12-character passwords, which “exponentially” lengthens the time required to crack them. And staff with administrator privileges should use even longer passwords, he said.

•  Make passwords complex. “Don’t use dictionary words” or commonly used passwords such as “password123,” he said. “Think passphrases,” which, he noted, are difficult for hackers to crack but need not be difficult for the user to remember. He offered “Ihatemyex” as an example of an easily remembered passphrase that might include capitalizations and special characters such as an exclamation point.

•  Passwords and passphrases should be unique. Never reuse a password for different applications or websites, and “don’t store them in plain text on your computer,” he warned, “because a hacker will find it if he gets into your computer.” A better alternative, he said, is a password manager.

•  “Lock out network access after failed login attempts.” Make sure, Puiszis said, that your network locks down access after three to five failed login attempts. “Hackers will try to guess passwords” with tools that may be more “brute force” than “sophistication,” meaning they will try “hundreds of passwords per second.”

•  Use dual factor authentication. Even if a hacker has obtained someone’s username and password, Puiszis said, he may not have access to that person’s second authentication factor, such as an authentication token or smartphone app.

•  Encrypt all portable devices. Lost or stolen mobile devices, Puiszis said, account for a sizable percentage of law firm data breaches. In addition to using strong passwords, he recommended encrypting everything possible, including laptops, tablets, smartphones, and flash drives, and even the firm’s server, if possible. Most states’ data breach notification laws, he said, contain safe harbors that may exempt encrypted devices from notification requirements. His firm has also purchased and installed security software that enables remote data wiping, so “if a lawyer calls and says, ‘I left my laptop in a taxicab in Mexico,’ we can remotely wipe it” as soon as it’s connected to the internet.

•  Train staff early and often. Some lawyers who are technologically proficient may see nothing wrong with “workaround security,” such as jailbreaking devices and storing documents using the same free cloud services they used as students, resulting in violations of outside counsel guidelines. Those lawyers need training in security as much as lawyers who still remain unfamiliar with technological basics, Puiszis said.

Puiszis said he sends out a firm email dedicated to electronic security issues twice a week. “I try to personalize the message and say, ‘If you learn this, you will be able to protect yourself, your family and loved ones, AND your firm.’”

•  Don’t click on links. Puiszis said studies have shown that nearly a quarter of all employees will respond to phishing emails. One of the most popular current phishing schemes—and one of the biggest risks for law firms and others—is a link that, if clicked, will download ransomware, malware that encrypts all data on a computer or firm network until the user enters a key, obtainable from the hacker for a hefty advance fee—payable in untraceable Bitcoin.

Puiszis gave the audience three rules for addressing ransomware risk: First, “if you get an email from someone you don’t know, no matter how harmless or innocent it seems, ignore it.” He said individuals in his firm have received emails that purported to originate from third-year law students and have resumes attached that turned out to be fraudulent. Second, “even if you think you know [the sender], if there is an attachment you weren’t expecting to receive, don’t click on it. Pick up the phone.” Third, “if you forget rules 1 and 2, and you click on something, and a box opens up,” close it immediately to curtail the installation of malicious software.

•  Back up your data. Backing up data daily and testing the backups to make sure the data is accessible is essential. “There have been law firms who thought they’d backed up their information” but found they couldn’t recreate their files from their backups after a breach, he said.

•  “Public Wi-Fi is dangerous.” “Any time you connect to Wi-Fi without a password, you are at risk,” Puiszis told the audience. He pointed to a “Pineapple” device (see 29 Law. Man. Prof. Conduct 555) on the speaker table and told the audience, “Once we turn it on, we can see what anyone is doing, not only in this room” but in the rest of the conference hotel, for those logged onto public Wi-Fi. He recommended training employees about that risk and providing a virtual private network (VPN) for them to use to connect with the firm whenever they are out and about.

•  Limit administrative access to firm equipment. When a hacker gains access to a firm device with administrator rights, Puiszis said, he will be able to compromise the firm’s network. Unvetted applications downloaded by firm employees or members with administrator rights may bring in malware or give outsiders access to firm data. “By taking away administrative rights in the equipment your lawyers and staff are using, you make it more difficult for hackers.”

•  Use web filtering tools to block access to malicious websites. Puiszis said even a website with seemingly innocuous content may lack strong security and can have been overtaken by hackers, who then can use the site to download malware onto viewers’ computers.

•  “Update, evaluate, and, if possible, remove browser plugins.” Puiszis identified Java and Flash as common sources of “drive-by downloads” of malware. “You could go to a safe website, but the ads on it may have malware.” Clicking on an infected ad may launch malware onto your computer, he said.

•  Use intrusion detection and data loss prevention tools. Consider purchasing software to detect unusual increases in traffic accessing a firm’s system or downloading data. “Anytime someone downloads more than 50 documents, I get a report,” Puiszis said.

To contact the editor responsible for this story: S. Ethan Bowers at sbowers@bna.com

Copyright © 2017 American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.