    June 20th, 2022


    ♫ Listen
    Do you want to know a secret
    Do you promise not to tell, whoa oh, oh…

    – Music and Lyrics by Lennon-McCartney, recorded by The Beatles

    Back in December 2017, I wrote the following cybersecurity article as my regular column “PracticeTalk” for The Canadian Bar Association’s BarTalk.

    I thought it was opportune to update and republish it here in light of current developments at Microsoft and elsewhere that take a positive step forward for security on the web. While businesses take proactive steps to harden their online security, the same may not be true of families and individuals. With so many individuals working from home or in hybrid environments, I thought it was a positive step for Microsoft to announce that they have made the Microsoft Defender app, a new online security application, available to Microsoft 365 Personal and Family subscribers beginning June 16, 2002.

    What does Microsoft Defender App do? For one, it reaches across multiple operating systems and devices, since most families have a mix of Windows, macOS, iOS, and Android devices in their households. I believe this is a major step forward in viewing security from an overall ownership perspective rather than on an operating system or device-centric perspective.

    Secondly, what does it do? Microsoft states:

    Microsoft Defender App includes continuous antivirus and anti-phishing protection for your data and devices, and will enable you to:

    • Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.
    • View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
    • Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.
    • Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.

    You can get the link to download Microsoft Defender for all your devices here: https://www.microsoft.com/en-ca/microsoft-365/microsoft-defender-for-individuals?rtc=1 

    Here is the original column:

    “We don’t have to worry about being hacked. We are one of the biggest law firms and have a whole department concerned with IT Security.” However, Bloomberg Law reported that Mandiant, a cybersecurity firm, has stated that 80 of the 100 biggest US law firms have been hacked since 2011.

    “We don’t have to worry about being hacked. Hackers only go after the big fish, not us.” But parachute.cloud reported that 28% of all data breaches involve small businesses in 2022.

    The fact is that while large law firms can throw considerable resources at cybersecurity, hackers are also throwing large resources back at them seeking valuable confidential information for resale on the black market. After all, information is money. Smaller law firms are also targeted on the basis that they are easier to attack and criminals can demand quick cash by holding a law firm’s data hostage. Such ransomware attacks are high in volume and don’t require any middlemen.

    In Law Firm Data Hack, Part 1 in lawpracticetoday.org, Sharon Nelson and John Simek stated that: “Nearly 50 law firms were targeted by a Russian cybercriminal who posted on a cybercriminal forum seeking a hacker to collaborate with him. He hoped to hire a black-hat hacker to handle the technical part of breaking into the law firms, offering to pay $100,000, plus another 45,000 rubles (about $564). He offered to split the proceeds of any insider trading 50-50 after the first $1 million.”

    Cynet.com reported that a Providence law firm was held hostage for a $25,000 ransom. However, the decryption key initially failed to work and the firm had to pay more. It lost $700,000 in billings alone.

    Large or small, a law firm’s secrets, reputations and finances are placed at risk in a hack. As a result, managing partners of all sizes of law firms have yet another thing to worry about.

    There are two major components to law firm security. One concern is the vulnerability of the system’s hardware and software. The other concern is the vulnerability of the “carbonware” – or in other words, the humans using the system.

    According to LexisNexis, there are six key security steps for law firms to take.

    • The first is to put all your IT security policies in writing and hold training sessions around them to maximize security awareness for all employees.
    • The second is to inventory all your data and detail who has what permissions or control over the various parts of the system.
    • The third is to only grant access on a “need to know” basis. That way, even if someone’s credentials are hacked, the hackers don’t get access to your entire system.
    • Fourthly, keep all your systems updated and patched. I am amazed at the number of lawyers who are still using outdated browsers, operating systems and anti-virus suites.
    • Fifthly, ensure that you have adequate insurance that will cover you depending on your loss (see Insurance Issues: Risk Management, 2017: No. 2 Summer – a Guide to Insurance for Private Practitioners by the Law Society of BC).
    • Last but not least, have a “breach ready” response plan so you have pre-planned how to respond if you experience a cyber breach. The boy scouts’ advice on “Being Prepared” applies here!

    By taking steps now, you can diminish the possibility that your reputation and financial well-being will be damaged by a hack. After all, you don’t want someone asking whether you want to know one of your secrets…

    What steps can you take to protect yourself and reduce the possibility that you will be hacked aside from installing Microsoft Defender?

    A selection of the top tips (this article, which originally appeared in 2017, has been updated to 2022):

    • Use strong passwords and a password manager. CyberNews.com has a great article on creating a strong password and recommended password managers. Most password managers will generate strong passwords for you. GRC.com and other sites will generate a new, unique strong password for you every time you visit (that you can then copy and paste into a password manager, such as Keychain for the Mac). WireCutter in the New York Times reviews the best password managers for 2012. Don’t use the same password everywhere and don’t keep passwords in a document on your PC!
    • Use two-factor authentication. This inserts an extra step before you can sign into websites to access email, Facebook and others. The site sends a code to your phone by text that you have to enter after entering your name and password. Without this code, the website won’t let you in. Even if hackers gain your password, without access to your phone they are locked out. Cloudflare.com has a useful article on two-factor authentication and how to use it. TechRepublic.com has a PDF, written for non-techies, along with links on how to set up two-factor authentication on many services. You have to sign up to TechRepublic but it is free. (PDF: How to set up two-factor authentication for your favorite platforms and services.)
    • Be careful with emails! Email phishing scams come in many forms. MalwareBytes.com has a great article: What is Phishing and How You Can Protect Yourself.
    • Protect your mobile devices. Cellphones are tantalizing devices for hackers seeking ways to break into business networks. The PreyProject.com has a great article on the 20 ways to secure your mobile phone with tips for both iPhones and Android. Rogers.com reported that nearly 1 in 4 people will experience loss, theft or damage to their wireless device in 2017. Unfortunately, I could not find an equivalent statistic for 2022.
    • Take steps to protect your business from ransomware. Cbia.com published Fourteen Tips to Protect your Business from Ransomware attacks. I would add one more tip: Back your data up in a secure, encrypted online storage service such as sync.com. Cloudwards.net has a review of sync.com and lists it as the best cloud storage in Canada. Sync.com is the overall winner as it is a zero-knowledge storage service (meaning that they have end-to-end encryption and you and only you have access to the decryption keys).
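    The two-factor tip above describes the flow in words: the site checks your name and password first, then texts a code that must also be entered before you are let in. The following is an added example (not code from the column, from Microsoft, or from any of the sites linked above) that implements that second step in plain Python so the properties it relies on are visible: a stolen password alone never completes a login, the code is single use, it expires, and only a few guesses are allowed. The `send_sms` callback, the user name, password and phone number are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300      # a texted code is only valid for five minutes
MAX_CODE_ATTEMPTS = 3       # three wrong codes and the login has to start over


def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, PBKDF2-SHA256 digest); never store the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class TwoStepLogin:
    """Password check followed by a one-time code delivered out of band."""

    def __init__(self, send_sms):
        # send_sms(phone, code) is a hypothetical delivery hook; a real service
        # would call an SMS gateway or push to an authenticator app here.
        self.send_sms = send_sms
        self.users = {}      # username -> {salt, digest, phone}
        self.pending = {}    # username -> {code, expires, attempts}

    def register(self, username, password, phone):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "phone": phone}

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])   # constant-time compare

    def begin_login(self, username, password, now=None):
        """Step one: verify the password, then text a fresh 6-digit code."""
        now = time.time() if now is None else now
        if not self.check_password(username, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, not random.randint
        self.pending[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        self.send_sms(self.users[username]["phone"], code)
        return True

    def complete_login(self, username, code, now=None):
        """Step two: the code must match, be unexpired, unused, and within the attempt limit."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:                     # no password step happened first
            return False
        if now > entry["expires"]:
            del self.pending[username]
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            if entry["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[username]    # force a restart after too many guesses
            return False
        del self.pending[username]            # a code works exactly once
        return True


def demo():
    """Walk through the cases the column describes; returns a dict of outcomes."""
    sent = []                                 # constructed stand-in for the phone's inbox
    auth = TwoStepLogin(send_sms=lambda phone, code: sent.append((phone, code)))
    auth.register("alice", "correct horse battery staple", "+1-555-0100")   # constructed user

    results = {}
    results["wrong_password"] = auth.begin_login("alice", "guess", now=1000)
    # A password thief who skips step one cannot get in by guessing codes.
    results["code_without_password"] = auth.complete_login("alice", "000000", now=1000)

    assert auth.begin_login("alice", "correct horse battery staple", now=1000)
    _, real_code = sent[-1]
    wrong_code = "000000" if real_code != "000000" else "111111"
    results["wrong_code"] = auth.complete_login("alice", wrong_code, now=1001)
    results["correct_code"] = auth.complete_login("alice", real_code, now=1002)
    results["replayed_code"] = auth.complete_login("alice", real_code, now=1003)

    assert auth.begin_login("alice", "correct horse battery staple", now=2000)
    _, stale_code = sent[-1]
    results["expired_code"] = auth.complete_login("alice", stale_code, now=2000 + CODE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {'login granted' if outcome else 'denied'}")
```

    The `now` parameter exists so the expiry behaviour can be exercised without waiting five minutes; in production you would leave it at the default wall clock. The same structure applies whether the code arrives by text or from an authenticator app; only the delivery hook changes.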

    When it comes to IT, one can think that you have adequate protection, that is, until you get hacked. I looked for Canadian data, but Cloudwards.net reports that:

    • Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
    • In 2021, 37 percent of all businesses and organizations were hit by ransomware.
    • Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
    • Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
    • Only 57 percent of businesses are successful in recovering their data using a backup.

    Spending money on security and prevention is always money well spent.

    (originally published in PracticeTalk and Tech Tips in the Canadian Bar Association’s BarTalk magazine:

    https://www.cbabc.org/BarTalk/Articles/2017/December/Columns/Guarding-Your-Confidences

    https://www.cbabc.org/BarTalk/Articles/2017/December/Columns/What-steps-can-you-take-to-protect-yourself-and-re)


    © 2022 David J. Bilinsky

    This entry was posted on Monday, June 20th, 2022 at 12:12 pm and is filed under Issues facing Law Firms.