In Hollywood, central casting does a great job of selecting actors to portray villains. You know the type: dark, shadowy, unshaven; surrounded by henchmen, and armed with a devious plot to inflict physical, emotional, or financial harm on some unwilling protagonist. In establishing these villains, directors do a great job of telling us why the "bad guys" do what they do; what motivates them; and, ultimately, how good will triumph over evil.
A new type of villain is running rampant in our midst, wreaking havoc on law firms
Unfortunately, a new type of villain is running rampant in our midst, wreaking havoc on law firms, businesses, government, and corporations that are reliant on the use - and protection - of sensitive data. Unseen by human eyes, ransomware thieves enter your network, armed with rogue computer code and an Internet connection, holding data hostage - costing businesses worldwide billions in ransom payments, downtime, and lost productivity. Recent ransomware attacks often go unreported, so the number is likely understated, as many companies try to avoid disclosing breaches.
For example, a breach brings costs that include not only a large ransom and systems repair bill, but also a potentially large reputation hit that affects the firm's future business prospects and cannot be easily computed. A recent report about car-sharing giant Uber illustrated just such a risk for business. In 2016, Uber became a victim of a cyber attack; management paid a hefty ransom to keep the incident in the shadows - and then received a black eye and regulatory scrutiny when the incident finally came to light.
It is not enough for law firms to be aware of, or to acknowledge, a potential issue in their network. Global law firm DLA Piper published a whitepaper in June 2017 which warned about the rise in ransomware attacks and outlined some broad protective measures; three weeks later, the firm became the victim of a ransomware attack that disabled hundreds of thousands of computers worldwide.
In this first part of a multi-part series on emerging virtual risks and opportunities law firms face, we're going to take a look at both the obvious threats associated with ransomware, similar to those that most enterprises are grappling with, and the hidden threats that might be unique to your profession. Let's dive deeper.
Why firms should consider support management from managed service providers
At the highest level, it's critically important that businesses invest in the most up-to-date IT solutions program possible. Commercial, off-the-shelf cybersecurity suites represent a good start - they typically have some built-in protection and support against malware and viruses. Consulting a managed IT services company can provide innovative network solutions for the company as well. But without seamless integration into an overall protocol - and smart behaviors by all personnel who touch a company device - you're still vulnerable to attack.
Should law firms outsource their managed services support to experts?
Going beyond off-the-shelf software support and adopting a good, custom-built security protocol can have myriad benefits for law firms, including:
- Having a qualified independent expert check and review your support, and audit your whole network and current practices to find any weaknesses in your existing protocols.
- Ensuring that partners, associates, and other team members follow best practices when handling sensitive client data, including using centralized storage for all data and taking shadow copies at regular intervals.
- Implementing updates and support for operating systems and browsers as soon as they are available.
- Examining device-specific policies when it comes to communication, and uncovering whether your users are using or have access to non-compliant, unsecured, or unsanctioned software, SaaS, or managed cloud services (e.g., Dropbox, iCloud, Google Drive) where a threat, ransomware, or a virus can enter your company undetected.
Outsourcing IT solutions services is not enough data security
In recent years, an increase in online fraud and theft schemes targeting lawyers has been apparent even in small law firms. Outsourcing managed IT services is not enough business support for a law firm. Managed IT services provide support for law firms, but management should realize that their key partner in the fight against ransomware is the people within the organization. Those people should have support and guidance and be encouraged to be proactive: reporting back when suspicious emails are detected; avoiding the use of public Wi-Fi connections; accessing only the data files they need for their job, and only from secured devices; and ensuring the protection of their network, applications, gateways, and other assets.
In many cases, all it took was a lawyer opening something as innocuous as a personal Yahoo email on a networked PC in the company to unleash the ransomware code into the law firm's corporate ecosystem. One of the simplest and most effective next steps to take is to have a stated policy on which systems and websites your people can use to support their work or operate office equipment, along with backup plans against external threats.
Sadly, one in three companies does not have written IT policies or protocols - meaning an attack isn't just a possibility, but a likelihood.
What a law firm should do to protect its services
We get it. Your business is reliant upon the free flow of shared information between your firm and your clients and vendors. Millions of bits of data stream between you and your clients' servers each year, transported via email or cloud computing and captured in products like AbacusLaw, Zola, Clio, PracticePanther, or even via broadly available general market platforms like Dropbox or OneDrive.
However, with each exchange of information between firm and client lies an uncomfortable truth: A law firm - particularly one with a high profile, or a list of high-profile clients - is generally a much easier target for hackers who are all too interested in getting their hands on the precious management information that law firms manage, or who want a secret backdoor entrance to a large corporation through a trusted provider. That is because most law firms rarely have the same high-level safety protocols, support, and dedicated IT staff as their large and sophisticated corporate clients. And that same vulnerability can also create potential liabilities for the firm that initially allowed the intrusion.
It's the kind of reality that keeps corporate IT pros up at night. A recent survey of IT decision-makers found that data security is the overwhelming top concern for two out of three IT decision-makers in a business, yet a similar number of respondents to the same survey lamented a lack of preparedness and backup against external threats.
Indeed, ransomware is also a significant risk to any law firm because it can negatively impact the firm's relationship with the courts. It would take just one ill-timed ransomware hit to cause a firm to miss important case milestones, such as filing deadlines - costing the firm far more than the Bitcoins being demanded by a cybercriminal, or, more to the point, than the solid cybersecurity support protocol that would have prevented the breach to begin with.
As such, we also recommend that every business take the time to get an independent security and systems audit, to understand its total cybersecurity picture. It is essential to look at how data is transmitted, shared, and stored between your firm and your clients' sites. Managed IT services companies can do that so you know what IT solutions and support best fit your business. If potential threats are detected, it's not beyond the pale to insist upon stronger support services and protocols to ensure protection for both the firm and the client.
In our next blog, we'll dive deeper into law firm cybersecurity - looking at three steps you can undertake right now to assess your firm's current level of protection and support against ransomware and other economic cyber-attacks.