Law firms warned to be vigilant against cybercrime
LEGAL INC. SUBSCRIBER CONTENT: Jan 30, 2015, 6:00am EST
Bea Quirk, Contributing Writer
At the Mecklenburg County Bar's recent monthly luncheon, the speaker, FBI Agent Colleen Moss, told attendees that although small and midsized law firms don't regard themselves as targets for hackers, they are. As supervisor of the Charlotte Division's Computer Intrusion Cyber Squad, she knows firsthand the firms' vulnerability, no matter the size.
"Anytime there's a large pot of money involved — escrow, a trust — you're going to be a target," Moss told the lawyers. "Criminals look for the fastest and quickest way to make the most money possible. If they find any other data that's usable and sellable on the Internet, that's fair game, too."
Hackers aren't always subtle in their attacks, as seen in a form of malware called ransomware that is gaining popularity. Hackers install a "cryptolock" on a company's files and won't provide access until a ransom is paid, says Clark Walton, an attorney at Alexander Ricks. He has a digital forensics consulting business and previously worked in cybersecurity at the Central Intelligence Agency.
Moss and Walton say regularly updating operating systems, firewalls and antivirus software is the best defense.
Email remains the entry point of choice for hackers. Moss says up to 85% of incidents stem from phishing emails — messages that look legitimate and ask the recipient to click on a link or open an attachment. Doing so allows a hacker to install malware that infects the user's computer — and an entire system.
"These criminals are good at socially engineering emails that look legitimate or are designed to pull at your heart strings," Moss says.
One such effort surfaced last year, when hackers were found to have penetrated pharmaceutical companies and their outside advisers in banking and law. Emails were written in "flawless English" and tailored to recipients, who were duped into revealing information that allowed hackers to profit in stock trades, The New York Times reported.
Moss says information on a firm's website and employee Facebook pages can be used to create credible emails. Even though employees of law firms are generally aware of the danger, Moss says they still fall for scams offering financial rewards in exchange for providing access to a checking account.
But law firms have a difficult situation to balance. They are businesses and need to respond to emails, which can't be ignored even if they appear suspicious. Moss suggests employees contact their IT department, server host or a consultant. She also recommends reporting apparent scams to www.ic3.gov, an information clearinghouse for Internet crime.
If a law firm in North Carolina is hacked, the state's Identity Theft Protection Act mandates that customers and clients be informed. Moss also hopes a firm will contact the FBI, which might be able to curb additional damage. Doing so also helps the agency track criminals and can increase the public's awareness of current scams.
Both the state and national bars are aware of the growing problem. The N.C. State Bar released ethics opinions about cybersecurity, and the American Bar Association published a guide to security.
Moss says cybersecurity is often a matter of risk management. Law firms must consider the costs of security and their tolerance for risk. Small firms must do this kind of analysis as their work and communications are increasingly digitized.
"Smaller firms are moving more to technology so they can be more efficient," says Jason McGrath, partner at McGrath & Spielberger and chair of the Bar committee that organized Moss' presentation. "You have to invest in security once technology becomes your bread and butter. It's just common sense."