ABA Techshow: Your Information is Digital and YOU Need to Know Digital Security
ABA Techshow started out with a bang this morning at the heavily-attended session titled “Your Information is Digital and YOU Need to Know Digital Security.” Presented by Kenneth Lyons, senior manager of IT engineering and security at O’Melveny & Myers LLP, and Matt Kesner, CIO of Fenwick & West, LLP, the session covered the security practices all attorneys should be following in their respective firms.
First off, the two addressed why digital security is even a concern. Well, in the last two years, they explained, law firms have increasingly become targets of data attacks. Eighty to 90 percent of law firms have been breached or are infected with malware, according to Lyons. And now, more than ever, lawyers are being spear phished.
Spear phishing is the number one threat today in terms of digital attacks, according to the panelists. Spear phishing is essentially a fraudulent email or social media message, often with a spoofed sender, aimed at a specific person or organization in order to get at confidential information. It was the most dangerous type of attack in 2014, the panelists said, with a 400-600 percent increase in attacks. And don’t be fooled – these attempts almost always get past spam filters.
The panelists walked through the typical behavior they see around an average phishing attempt. First, an attorney gets an email that appears to come from a client, so naturally they assume that it’s legit. Then they click on the attachment or URL included in the email without thinking twice. If that fails (which it usually does), they do it again and sometimes forward it to others in their firms to see if they can open the attachment or URL. Once that doesn’t work, they call their IT department to complain the system isn’t working, at which point the IT people tell them they were the victim of a phishing attack.
The panelists stressed the importance of employee training in the area of digital security. “Make sure your employees are aware and know that if anything looks suspicious, pause,” said Lyons. Added Kesner, “Every time you get an email that is slightly suspicious, you should assume that it is trying to do bad things. They want your client data.”
How do you know if an email is an attempt to gain access to data? Look for odd punctuation, misspelled words, or anything else that strikes you as out of the ordinary, according to Kesner. Spear phishing attempts also lean on urgency, the panelists said. “If we get a request to do business with someone we haven’t done business with in more than three years, especially in an urgent timeframe, we need to investigate the request,” said Kesner.
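As an added example, not something presented at the session or code from either firm, here is a small Python triage script that applies the indicators discussed above to a single message: a display name that shows one address while the real sender is another (the spoofing mentioned earlier), a Reply-To on a different domain than the From, urgency language in the subject or body, and a sender the firm has not heard from in more than three years. The sample messages, the contact-history table and the “today” date are all constructed for the illustration.

```python
"""Heuristic spear-phishing triage for one email message (illustrative example)."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Indicators from the panel: urgency language, stale business relationships,
# and spoofing (display name or Reply-To disagreeing with the real sender).
URGENCY_TERMS = ("urgent", "immediately", "asap", "within 24 hours", "right away", "wire")
STALE_AFTER_DAYS = 3 * 365  # "more than three years" rule of thumb from the talk
TODAY = date(2015, 4, 16)   # assumed date of the check, for a repeatable example

# Constructed record of the last genuine exchange with each known sender.
LAST_CONTACT = {
    "jane.doe@acme-client.com": date(2015, 1, 10),
    "old.vendor@stale-co.example": date(2011, 6, 1),
}

# Constructed sample: display name shows the client's real address, the actual
# From is a lookalike domain, Reply-To goes elsewhere, and the tone is urgent.
SAMPLE_PHISH = """\
From: "jane.doe@acme-client.com" <jane.doe@acme-client-mail.com>
Reply-To: jdoe.acme@freemail.example
To: partner@lawfirm.example
Subject: URGENT wire instructions - need signed today

Please open the attached engagement letter and return it within 24 hours.
"""

# Constructed sample: routine message from a client seen recently.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme-client.com>
To: partner@lawfirm.example
Subject: Q2 board minutes

Attached are the draft minutes for your review when you have a moment.
"""

# Constructed sample: nothing odd except that the relationship went quiet years ago.
SAMPLE_STALE = """\
From: Old Vendor <old.vendor@stale-co.example>
To: partner@lawfirm.example
Subject: Picking up where we left off

Could you send over the updated retainer agreement?
"""


def domain_of(address: str) -> str:
    """Return the lowercased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message: str, last_contact: dict, today: date) -> list:
    """Return human-readable findings for the message; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Spoofing: the display name carries an address whose domain differs from the real From.
    claimed = re.search(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", display_name)
    if claimed and domain_of(claimed.group()) != domain_of(sender):
        findings.append(f"display name claims {claimed.group()} but From is {sender}")

    # 2. Reply-To steering replies to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To {reply_to} does not match From domain {domain_of(sender)}")

    # 3. Urgency language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Stale or unknown relationship: never seen, or last seen more than three years ago.
    seen = last_contact.get(sender.lower())
    if seen is None:
        findings.append(f"no prior contact on record for {sender}")
    elif (today - seen).days > STALE_AFTER_DAYS:
        findings.append(f"last genuine contact with {sender} was {seen}, over three years ago")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("stale", SAMPLE_STALE)):
        print(label, analyze(sample, LAST_CONTACT, TODAY) or ["no indicators"])
```

Run as a script it prints the findings for each sample; the spoofed message trips all four checks, the routine client message trips none, and the dormant vendor trips only the three-year rule. None of this replaces the human pause the panelists asked for, but it shows how the same checks can be written down and applied consistently.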
So what steps can law firms take to combat this? The panelists laid out these simple steps:
- Be aware and use caution if an email seems suspicious.
- Don’t just use passwords. Use two-factor authentication, which should be looked at as “the second lock on your door,” according to Kesner. Use two-factor authentication for bank/finance information, email, cloud storage, social media, remote access, and eDiscovery vendors. “It will be the big issue over the next year,” added Kesner. “You need to do it and you’ll be ahead of the game.”
- Only give employees and contractors the access they need, when they need it. Do background checks on new people who come in, and close out their credentials when they leave. In fact, de-authorize their IDs that very day, and gather their equipment (security cards and keys). Kesner also suggests verbose logging, which is a computer logging mode that records more information than the usual mode. Verbose logs are large, but they give you a far more complete record of what happened on a system when you need to reconstruct an incident.
- Understand your data. “The average business has 30 things running, but if you ask them what they have they’ll usually give you 3 or 4 answers,” according to Kesner. “No one knows where their stuff is anymore.” The panelists suggest taking an inventory of your computers, cloud (Dropbox, Facebook, Twitter), IM systems, smartphones, flash drives, external hard drives, servers, and voicemail, as well as who has access to all these things.
- Use full disk encryption on your laptop.
- Prefer 4G to WiFi when you are away from the office; a cellular connection is much harder for someone nearby to eavesdrop on than a public wireless network.
The panelists ended with one piece of valuable advice, which is “Grandma’s data backup rule”: If it isn’t in three different places, then it isn’t backed up.