Malware is no joking matter. It may be coming for you and your law firm when you least expect it.
How could malware possibly affect my law firm?
Imagine this scenario for a moment. An email comes in with the subject line Reply Brief due. The sender isn’t on the counsel list, but your reply brief is due. You open the email and it reads: “Counselor: Please open the attached document for the changes to our brief.” You open the document, and that’s when it happens. It was at that moment that you unknowingly released malware through the veins of the law firm, like a fast-moving disease.
It goes unnoticed at first, but the malware slowly attaches itself to the firm’s infrastructure like a parasite preying on its host. It takes some time, but soon names, Social Security numbers, credit cards, and scores of PHI-, PPI-, and HIPAA-related materials are owned by the individuals who originally sent that innocuous and mildly convincing email with the attachment. In fact, it was that attachment that released the code. You never saw it coming, but it hit you, your firm, and your clients like a ton of bricks.
If you think this story is just fictitious and just good for television, I’ve got some really bad news. This is how it happens. This is how hackers walk their malware right into your organization. Think your firm is immune to these lethal attacks? Think again.
It’s examples like these that lead to notable headlines for massive security breaches at companies such as Sony, Target, Home Depot, Dairy Queen, and even Goodwill, among so many others. Malware attacks are a problem for businesses large and small.
Malware on the rise
A study last year indicated that in March 2016, 93 percent of all phishing e-mails contained ransomware. This was a 789 percent increase over the previous quarter in 2015. The US Computer Emergency Response Team (US-CERT) issued a publication to help businesses and consumers avoid e-mail traps like this.
Not surprisingly, in ILTA’s 2016 Tech Survey, the technology issues or annoyances that respondents reported within their law firms included security compliance and spyware/malware/anti-virus. The survey saw sharp increases in respondents’ concerns around phishing and social engineering attempts. There was also an increase in concerns over malware, viruses and zero-day threats.
Microsoft even stated in its TechNet blog that most vulnerabilities can be defended against with up-to-date patching of both Windows and anti-virus software. When customers encountered problems with their IT landscape, “the most common issue was that almost every customer was running out-of-date software. This included OS patches, Exchange patches, Outlook client patches, drivers, and firmware.”
No one is immune to malware or viruses
Do you think that your law firm or company may be immune to malware or ransomware? Do you think no one would be interested in the data? Think again. Jim Lewis, a Senior Fellow at the Center for Strategic and International Studies, has said that the “dark secret is there is no such thing as a secure unclassified network… if there’s something of interest, you should assume you’ve been penetrated.” Even Patrick Fallon, Jr., an FBI assistant special agent, confirms that “law firms are a rich target… they don’t have the capabilities and the resources to protect themselves… it’s a vulnerability that the bad guys… are exploiting.” Yet, despite these warnings, a study shows that 72 percent of law firms haven’t even assessed the cost of an internal data breach and 62 percent of firms haven’t calculated lost revenue.
So what’s the good news?
The good news is that all of this is easily preventable. Performing network assessments and health checks of your organization’s environment is a perfect first step. Knowing whether your anti-virus, Java, and Windows OS are patched is a great step in the right direction. Knowing when your organization’s policies involving e-mail, security, compliance, patch management, and password management (to name a few) were last updated is even more helpful.
How can we protect our law firm?
Leverage the expertise of service providers to run these audits, which will be both insightful and very revealing. Having a technology partner that understands your organization’s business challenges tied to your IT landscape is critical. The right partner will help with the creation and ongoing upkeep of essential policies tied to information governance. A true technology partner should serve as an extension of your organization, always there to remediate and be proactive. The next time an e-mail with hidden malware comes across that lawyer’s desk, your company’s and your clients’ data is going to be protected.