This article was originally written and posted on law.com by Victoria Hudgins on December 27, 2018.
With 2019 just a few days away, lawyers and their firms should make a few cybersecurity-specific New Year’s resolutions.
From allowing “security exceptions” for high-ranking attorneys to lawyers sending unencrypted confidential documents, cybersecurity professionals revealed the common cybersecurity missteps law firms should commit to fixing. Here are the top five:
Experian data breach resolution group and consumer protection vice president Michael Bruemmer said lawyers can fall victim to phone scams, where cyber attackers call an unsuspecting attorney and use their simple answer to a seemingly innocuous question as a “voice print” to later authorize money transfers or access client information.
Bruemmer said the phone scams are used more often during the holidays and after natural disasters.
“Hackers are using anything they can, and phone scams are being used right now, because phone numbers are one of the easiest data [points] to obtain,” Bruemmer explained.
PeopleSec CEO Joshua Crumbaugh said the hierarchy of law firms allows high-ranking lawyers to bypass firmwide requirements for tougher passwords, leading to weaker passwords protecting sensitive information.
Such preferential treatment, Crumbaugh added, could also lead to passwords and access being given over the phone to bad actors imitating a partner making demands to lower-ranking staff.
Encryption Versus Convenience
David Lipscomb, an IT professional and president of BDPA Philadelphia, the Philadelphia chapter of an organization that seeks to connect diverse IT professionals to development programs, said he sees some small law firms not using systems to automatically encrypt emails.
Lipscomb said it’s highly recommended that confidential information be sent encrypted, although not all lawyers follow that practice.
Charles Carmakal of cybersecurity enterprise FireEye Inc. said law firms typically reuse passwords. He recommended lawyers and law firms implement multifactor authentication and use different passwords for every device and piece of software.
For Nadav Arbel, founder and CEO of CyberHat, protecting and monitoring a law firm’s networks are key in fending off cybersecurity exploitation.
“Depending on where the data is stored, backed up or copied, it can be difficult to tell who has access to it,” Arbel wrote in an email. “Ensuring a ‘network aware’ IT environment, in which the security of the network is being consistently monitored for breaches … is the best method for protecting law firms and their clientele from hackers looking to exploit personal information.”