Tag Archives: security

“If I’ve Told You Once, I’ve Told You A Billion Times… Cybersecurity Matters!” -Hackers Say To Lawyers

If a billion kids made a human tower, they would stand up past the moon. If you sat down to count from one to one billion, you would be counting for 95 years. If you found a goldfish bowl large enough to hold a billion goldfish, it would be as big as a stadium. A billion seconds ago it was 1959. A few seconds ago, a billion passwords were stolen by Russian criminals, leaving your firm, its clients and its employees at risk.

An exaggeration, you think? Hardly.

“A lot of firms have been hacked, and like most entities that are hacked, they don’t know that for some period of time,” says Vincent I. Polley, lawyer and co-author of a recent book for the American Bar Association on cybersecurity.

“Sometimes, it may not be discovered for a minute or months and even years.”

Unfortunately, when it’s late and you still have a few hours’ work to do, it’s easier to pack up your laptop, save some client information on a portable flash drive, and then head home. Nobody wants to prioritize cybersecurity over work-life balance.

The problem is, hackers these days have become more and more sophisticated. And your efforts to make working from home more efficient have, instead, made stealing confidential and private information more prevalent.

In fact, cybersecurity concerns within law firms have become so important that high-profile, high-profit clients, like big banks, have started to withdraw business from firms that demonstrate a relaxed regard for security measures.

“Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity.”

“Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections,” writes Matthew Goldstein for the New York Times online.

Other corporate clients, the same article reports, are requesting that law firms stop putting files on portable drives altogether, stop e-mailing them to non-secure devices such as smartphones or tablets, and stop sharing servers with offices in notoriously cyber-insecure countries, such as China and Russia.

Today, as CNN reports that Russian criminals stole 1.2 billion passwords, we realize how important these measures may be in securing your firm’s future.

Hold Security founder Alex Holden told CNNMoney that the treasure trove includes credentials gathered from over 420,000 websites, both smaller sites as well as “household names.”

Thus, chances are high that your firm’s assets—or those of its employees—are among those exploited.

Some think that pressure from clients will help law firms get with the digital times and clean up their cybersecurity act. Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that specializes in working with law firms, is one of them: “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.”

Law firms, however, are notoriously slow in upgrading their technological tools.

Do you agree with Garrie? Are law firms finally paying attention?

One last lesson in one billion: If we wanted to make a book with a billion dollar signs, printed 1000 per page and with pages printed on both sides, the book would be 500,000 pages long. How many billions of dollars are you willing to risk (after being told a billion times) before your firm upgrades its cybersecurity systems?

To learn more, get C4CM’s webinar “Mitigating Cyber Risk: Strategies for Legal Counsel to Reduce Exposure and Avoid a Data Breach Devastation,” available on CD.

This comprehensive webinar will help you to mitigate risk by fine-tuning or putting into place key procedures and policies for cyber protection. You will also learn what to do once a data breach is revealed.

  • Data breach response tactics and notification obligations
  • Practical and essential first steps to take if a breach occurs
  • What to include in your Incident Response Plan
  • Securities and Exchange Commission (SEC) disclosure obligations related to cyber risks and data breaches
  • How cyber-insurance coverage acts as a risk mitigation tool, and what to look for in your policy
  • Key individuals that your organization should be developing relationships with and why
  • Practical protocols for reviewing and including cyber clauses in vendor and client contracts
  • Much more…

Court Case To Decide Future Of FTC Regulation Of Firm Cyber Security Systems

America, in the 1800s, was filled with trusts. “Trusts” referred to giant businesses that controlled the lay of the land.

Think about the major economic drivers in the Wild West (railroads, oil, steel, or commodities such as sugar) and you’ll likely find a trust behind each one. U.S. Steel and Standard Oil once ruled the supply, controlled the price, and generally monopolized the market in America in the nineteenth century.

The rich seemed only to get richer, which is why President Theodore Roosevelt sought to break up these trusts through legal action.

Teddy, with the help of Congress, soon passed the Sherman Act in 1890, which became the country’s oldest anti-trust law. In 1914, another anti-trust bill, the Clayton Act, was passed by Congress under President Woodrow Wilson. With it came the Federal Trade Commission, or FTC.

The FTC was an agency tasked to enforce anti-trust laws and regulate and oversee business practice to ensure fair and equitable competition.

More recently, the FTC has worked in conjunction with the Department of Justice to promote consumer protection and to curb anti-competitive business practices.

The FTC’s professed mission, specifically, is to “prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.”

The key players in trust regulation in Progressivist America could never envision the lack of trust consumers face today with the evolution of e-commerce. Today, the FTC’s mission of protection is being challenged on its home turf—in court.

Adding to the U.S.’s long history of anti-trust regulation, a case pending in the federal court for the District of New Jersey will decide whether or not the FTC has the right to oversee and regulate data security services provided to consumers by private firms.

Hotel conglomerate Wyndham Worldwide Corporation is challenging the authority of the FTC to enforce action against Wyndham and several of its subsidiary companies. The FTC’s action alleges that Wyndham failed to secure the data and privacy of its customer accounts after a hacking incident claimed more than $10.6 million from Wyndham’s customers via fraudulent charges and the loss of information belonging to 500,000 individuals, according to the Westlaw Insider.

Deciding whether or not the FTC’s authority extends to oversight and regulation of the operations and other practices of private companies will definitely change the way firms can and will do business. Audits to ensure firms have incorporated sufficient security measures are on the horizon, and fines for insufficient security measures would, then, be imminent.

And, although consumer protection and privacy concerns should be considered paramount to businesses, to what extent should the government be privy to the same concerns and information? Also, to what extent are businesses liable for implementing state-of-the-art cyber-protection software in the eyes of the law?

These days, breaches of online security—from cloud computing espionage to electronic spam to cracked passwords (despite their alphanumeric complexity)—are commonplace.

The Wyndham case should certainly prompt law firms and the clients they represent to tighten those security belts before driving down the information superhighway—not just because it’s good sense and safe, but because it may soon be the law.

In our modern world, the Wyndham case serves as a gentle reminder for firms to be wiser about their computer security hardware and software, but also for governments to implement constitutional measures to find the source of this malware without violating the same privacy they seek to protect.

For more information about how to protect your firm, read “Cyber Attacks: Why Your Firm Is At Risk & How To Prevent Them.”

-WB

Read more about the history of the FTC in a fact sheet, here.

Law Firm Security In The Age Of Technology–Human Error & Some Things That Never Change…

Security is on the minds of Americans these days. And, it seems, at least one law firm has developed paranoia.

King & Spalding announced to its employees this week that private e-mail will no longer be accessible at work. And, in the event that the firm’s network blocking measures are inadequate, employees have been advised not to open personal e-mail accounts from a firm computer, according to a King & Spalding e-mail released by the Above The Law blog.

“The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk,” the widely-circulated e-mail states.

“The firm has installed a wireless network called ‘ksmobile’ in each office. This wireless network is reserved for K&S personnel (not clients or visitors who should be directed to the ksguest network), is a direct route to the Internet, and is appropriately sized to accommodate the many personal devices that are being used by K&S personnel.”

So, although checking personal e-mail on firm computers is prohibited, responsible and irresponsible Internet browsing alike is permitted on mobile devices, like smartphones. With network firewalls and digital security measures improving day-to-day, some wonder whether this announcement isn’t a bit behind the times technologically.

However, what any number of firewalls, complex passwords, and e-mail prohibitions can’t solve is human idiocy.

Seriously.

“There’s no device known to mankind that will prevent people from being idiots,” Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC), said to Bloomberg.

Rasch was responding to an experiment conducted by the U.S. Department of Homeland Security in which, in order to determine how easy it was for hackers to manipulate employees or gain access to computer systems, Homeland Security employees secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors.

Not only did workers pick up those devices, but 60 percent of them plugged in the USB drives and inserted the discs into their office computers. If the device displayed an official logo, 90 percent of workers installed the drive.

It turns out, curiosity does kill the cat—or, rather, scrambles the cat’s computer screen, steals its social security number, and swipes its confidential data through viruses, clandestine computer programming, and general digital mayhem, describes The Center For Competitive Management (C4CM)’s law blog.

“The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers,” reports Bloomberg.

And, because 92 percent of lawyers agreed that email was the primary function of their smartphone in an ABA Legal Technology Resource Center survey, perhaps King & Spalding’s reaction isn’t as misguided as first believed. Accessing personal e-mails from a smartphone, according to participants, was more important than making a call, which goes to show how frequently lawyers rely on electronic communication, concludes an article about attorney mobile phone use.

Given that reliance on e-mail, coupled with simple curiosity, law firms should perhaps consider even more stringent Internet policies.

It’s surprising how many liabilities and issues accompany Internet access in the office. And, smartphones open up an additional can of worms for curious cats.

Write a smartphone policy that addresses:

  • Handling data breaches
  • Use of company phones outside work
  • Wage and hour compliance
  • Texting and talking while driving
  • Text harassment
  • GPS tracking
  • Lost devices
  • Etiquette
  • Employee productivity
  • Photography in and out of the office

If you’re unsure how to draft a policy, including what kind of language and tone to use, take C4CM’s audio conference on crafting a bulletproof workplace policy for smartphones.

In the end, it’s important to write and implement a concrete and clear policy regarding Internet access, e-mail, and mobile phones. It’s important to highlight the security risks and repercussions for both employees and clients.

Make sure your employees know how to safely navigate the World Wide Web; only then will law firm managers have peace of mind when adopting legal technology and software.

Remember, the “smart” in smartphone refers to requirements of the user, not the gadget.

-WB

Are Law Firms In The Eye Of The Storm For CyberSecurity?

Last year, a Canadian company was investigating a possible takeover of a Chinese state-owned chemical and fertilizer group. Until, that is, several large Canadian law firms involved in the takeover were attacked by hackers linked to computers in China, reports the Wall Street Journal.

The extent of the breach was never fully understood. Nor were the culprits behind the cybersecurity incident identified.

In this case, computer infiltration was not the only thing to fly under the radar—the fact that law firms are being targeted for their valuable and confidential information also seems to be a tight-lipped secret among governments and corporations.

Will your law firm be next?

“For hackers bent on insider trading, targets could include lawyers at top law firms that handle mergers and acquisitions, such as Cravath, Swaine & Moore LLP, Skadden, Arps, Slate, Meagher & Flom LLP or Davis Polk & Wardwell LLP,” said Mr. Friedberg, a former federal prosecutor, to the WSJ.

“Half the time people post their cell numbers on their v-card,” Friedberg continued.

Lawyers live by their mobile phones, laptop computers, and portable hard drives full of sensitive client information. Passwords, firewalls, and common sense may not be strong enough to resist a talented hacker.

So, if your law firm is the type to post downloadable business cards on its website, it’s time to reevaluate your cybersecurity measures.

Still think this sounds more like a Tom Cruise movie than a law firm reality?

“We’ve seen specific documents from law firms on specific deals being exfiltrated from cyberattacks,” the FBI’s Mary Galligan said in April at a law-firm conference in New York.

The perpetrators “know exactly what they are looking for and, as a result of that, there is some undercutting of bids in those deals.”

Law firms have been targets for a while now, but they’ve managed to stay out of the media.

“All of this is underreported,” said Mr. Henry, who left the FBI this year to become president of CrowdStrike Inc., a security start-up that investigates breaches, to the WSJ.

“Law firms have incredibly valuable and sensitive information, and the Internet just provides a whole other methodology through which the information can be accessed and pilfered.”

So, how do you become the next victim?

Forbes explains that there are many ways to open up your business network to a possible hack. Below are just a few:

  1. Simple Passwords. Isn’t it a pain to assign a different 10-digit password to each computer or program login? Absolutely. But, not more painful than having to report to your firm manager that you lost a million-dollar case because confidential material was leaked from your Blackberry—locked with the password abc123. Complicated, frequently-changed passwords are even more important for the Admin login. Don’t use any of these, either.
  2. Failure to Educate. It’s important to teach your employees and law firm associates the proper protocol, not just in creating passwords, but also in handling day-to-day sensitive documents. Develop a policy and protocol for preventing cyberbreaches and for mitigating the ones that still get through.
  3. Allowing Unrestricted Access to All Employees. Talk to your IT Department and decide, does everybody need access to everything? There’s a reason why, for example, the government has security clearances.
  4. Lack of Monitoring. Don’t wait for a breach to happen before you start to monitor your network. Most attacks don’t happen instantly. Instead, systems are infiltrated over time. Hire IT employees who understand how to identify the introduction—slowly but surely—of malware and discrepancies.
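The first of those four points comes with concrete criteria: at least ten characters, a different password for every login, nothing like abc123 or the well-known weak passwords, and stricter treatment for the Admin account. Below is an added example, not part of the Forbes article or of this post, of how an IT department might encode those rules as a checkable policy in Python. The ten-character minimum comes from the text; the rotation ages (90 days for admin, 180 otherwise), the three-of-four character-class rule and the small denylist are assumed values standing in for whatever the firm adopts, and the credential inventory at the bottom is constructed sample data.

```python
import re
from collections import defaultdict

# Policy thresholds. The 10-character minimum follows the article; the
# rotation ages and the character-class rule are assumed values for this example.
MIN_LENGTH = 10
MIN_CHAR_CLASSES = 3
MAX_AGE_DAYS = 180        # assumed: everyone rotates at least twice a year
ADMIN_MAX_AGE_DAYS = 90   # assumed: the Admin login rotates more often

# Constructed stand-in for the published common-password list the article
# points to; a real deployment loads a full breach-derived list instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}


def _lookup_forms(pw: str) -> set:
    """Forms of pw to look up in the denylist: lower-cased, and with the
    trailing digits/symbols people bolt on ("Password1!") stripped off."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, stripped}


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step by exactly
    +1 or -1 in code-point order, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def count_char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    n = sum(1 for test in (str.islower, str.isupper, str.isdigit)
            if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        n += 1
    return n


def check_password(pw: str, *, is_admin: bool = False, age_days: int = 0) -> list:
    """Return the policy rules pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if _lookup_forms(pw) & COMMON_PASSWORDS:
        problems.append("common")
    if has_sequential_run(pw):
        problems.append("sequence")
    if count_char_classes(pw) < MIN_CHAR_CLASSES:
        problems.append("classes")
    if age_days > (ADMIN_MAX_AGE_DAYS if is_admin else MAX_AGE_DAYS):
        problems.append("stale")
    return problems


def find_reused(credentials: dict) -> list:
    """Group logins that share one password (the article's 'different password
    for each computer or program login'). Returns sorted groups of logins."""
    by_password = defaultdict(list)
    for login, pw in credentials.items():
        by_password[pw].append(login)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    for pw in ["abc123", "Xy!abcd9876Zz", "Correct-Horse7Battery"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    # Constructed inventory of one user's logins, two of which share a password.
    print(find_reused({"laptop": "Same-Pass-Word99",
                       "dms": "Same-Pass-Word99",
                       "email": "Other-Secret-42x"}))
```

Run as a script it prints the violations for each sample password and the reused-password group; imported, `check_password` and `find_reused` can be wired into an onboarding or periodic audit script. The denylist lookup strips trailing digits and symbols before comparing so that the usual "Password1!" variants of a common word are caught, which a plain set membership test would miss.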

Although it may seem like a lot of time and manpower, installing proper cybersecurity equipment now can prevent expensive patchwork on bigger breaches in the future.

Talk of cybersecurity has died down, in general. Unfortunately, reports on the number of computer breaches at law firms are still kept close to the vest. After all, nobody can afford to lose clients during a recession. For you, and your firm, all may seem quiet and calm.

Therefore, you may not get solid proof that the industry of law is under particular attack until it’s too late. The field of law may be, at present, in the eye of the storm for computer hacking.

The question is, how long are you going to wait for the damage to be done?

-WB

Cyber Attacks: Why Your Firm Is At Risk & How To Prevent Them

You’ve heard of cyberwarfare against nations, but what about cyber attacks against law firms?

It’s not as obscure as it sounds. In fact, it’s not obscure at all.

A quick poll of law firm professionals at a program sponsored by the Standing Committee on Law and National Security, “Whither Cyberspace: Security, Privacy Rights, the Law and the Private Sector,” revealed that 100 percent of professionals believed their firm has been, at one time, victim to a cyber attack.

Unfortunately, Stewart Baker, partner at Steptoe & Johnson and panelist at the program at the American Bar Association’s Midyear Meeting in New Orleans, said it was difficult to measure the occurrence of cyber attacks within the law industry.

Corporations generally withhold information about their computer systems when and if they have been compromised because most businesses are either embarrassed or fear other companies will have a competitive advantage, said Baker (via the ABA).

Nevertheless, “Law firms are a prime target for cyber attacks,” confirmed Baker (via the ABA).

Statistics regarding the frequency of cyber attacks may be limited, but action to prevent them should not. Law firms must take steps to protect the confidentiality of their clients and cases.

Harriet P. Pearson, vice president, security counsel and chief privacy officer at IBM Corp., suggested three starting points for your law firm (via the ABA):

  1. Risk Awareness: “Isolate your crown jewels or most sensitive matters and devote resources to protect them.”
  2. Ask yourself, “Do you have the right approach? What is your plan if your system has been compromised?”
  3. What is your plan of action to respond?

The last point is especially important for the modern law firm.

Ensure your IT department has a plan of action to respond to potential cyber attacks. How will you shut down the system and restart securely?

How should your associates continue to operate? How and when will you inform clients?

Law firms have an ethical (if not legal) duty to inform their clients of any potential compromise of private information. However, due to the sensitive nature of such an announcement, make a plan of action specifically for name partners.

The name partners should call each client personally. They should assure the client that all security measures have been restored successfully. Be as clear and concise about the cyber attack as possible.

Quick action will lead to the best possible outcome. As will honesty and open dialogue.

Panelists agreed that lawyers need to do all they can to help their corporate clients understand the risks (via the ABA).

Before any incident, lawyers should provide clients with tools to understand the risks of a cyber attack, including:

  1. The book, Sailing in Dangerous Waters
  2. A study of Sony’s $1.2 billion loss and the cost of other data breaches at the Ponemon Institute
  3. Securities and Exchange Commission (new disclosure requirements)

Cyber attacks make not only a firm’s finances vulnerable but its reputation as well. Although costly, finances can be recuperated via increased casework, time, or insurance. However, reputation is harder—if not impossible—to completely renew.

-WB

How To Attract More Small-Business Clients

Small businesses—particularly in a recession—encounter a variety of financial and operational risks. As an attorney representing many small businesses, you can help current clients mitigate these risks, and ameliorate your working relationship with them at the same time.

With a few, simple changes, your firm can also attract new small-business clients. Here’s how.

First, understand the risks small businesses face.

For example, a 2010 study conducted by the Association of Certified Fraud Examiners revealed that small businesses are victimized at higher rates than large businesses (via the Orlando Sentinel).

The study found that 30 percent of business fraud occurred in companies with 100 or fewer employees, and more than half occurred in businesses with fewer than 1,000 employees (via the Orlando Sentinel).

Small businesses are usually in denial about the extent of employee extortion or embezzlement, and these companies often can’t afford the measures to prevent it.

In addition to employee fraud, small businesses also face an increased risk of lack of liquidity, property theft, and costly litigation.

Small companies wait until the final hour to inform their lawyers of possible trouble—in part, to save on attorneys’ fees, and in part because they believe issues can be handled in-house.

However, if informed earlier, firms are more likely to be able to successfully control the damage done to a small-business client at risk.

So, to encourage full and early disclosure on the part of their clients, firms should circulate a monthly newsletter that includes pertinent data and economic developments within relevant industries, as well as basic advice regarding the use of technology, security measures, and federal requirements.

Small businesses—inundated with work during hard economic times—sometimes need a friendly reminder about legal basics, such as the restrictions on asking certain questions during the hiring process, employee contracts, or social media pitfalls.

With so many new federal laws and changing state regulations, lawyers, themselves, will benefit from conducting research for such a newsletter. With minimal effort, a firm can both educate its associates and also aid its small-business clients in preventing costly litigation.

Initially, offer the newsletter as a free entry on your firm’s blog site. Then, once your newsletter has received adequate blogosphere attention, provide a more in-depth version exclusively to your clients.

The public version will attract new clients who appreciate your firm’s expertise and thoroughness.

The appeal of receiving a more detailed version will provide additional incentive for small businesses to sign with your firm.

Finally, your current clients will see this newsletter as a value-add and a gesture of good faith on the part of your firm—essential for when it comes down to renewing that attorney-client agreement.

In the end, the more forthcoming you are as a firm, the more likely you will be able to attract and retain clients.

-WB

Curiosity, Killing The Cat And Your Clients’ Confidentiality: How To Protect Your Office From Hackers

Be careful what you find on the floor of parking garages.

Actually, you probably already knew that. But, according to a test completed this year by the U.S. Department of Homeland Security, a surprising number of government contractors and employees do not.

In order to determine how easy it was for hackers to manipulate employees or gain access to computer systems, the U.S. Department of Homeland Security secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors.

Not only did workers pick up those devices, but 60 percent of them plugged in the USB drives and inserted the discs into their office computers. If the device displayed an official logo, 90 percent of workers installed the drive.

It turns out, curiosity does kill the cat—or, rather, scrambles the cat’s computer screen, steals its social security number, and swipes its confidential data through viruses, clandestine computer programming, and general digital mayhem.

“There’s no device known to mankind that will prevent people from being idiots,” Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC), said to Bloomberg.

Unofficially, the U.S. Department of Homeland Security test proves that cyber crimes are one part vulnerability and one part idiocy.

“The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers,” reports Bloomberg.

“In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. (INTC) and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.”

The hacking of confidential data is no minor problem. Security breaches are prevalent, and the cost of all forms of online theft amounts to as much as $1 trillion, according to McAfee Inc., the Santa Clara, California-based computer security company, via Bloomberg.

Law offices are certainly not immune to corporate espionage, online attacks, or breaches of confidentiality, so what should firms do to protect their private information?

“Rule No. 1 is, don’t open suspicious links,” Rasch said to Bloomberg. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

In all seriousness, it is vital to obey your instincts. If something appears amiss, say a suspicious e-mail, a found device that invites plugging in, or a prompt asking you to disable your antivirus software, it probably is.

-WB
