Practical cybersecurity for law firms: How to batten down the hatches
We’re quickly approaching 2018, and a week doesn’t go by without another variant of malware causing havoc across the globe. First it was the WannaCry ransomware worm, which infected more than 230,000 computer systems in over 150 countries, demanding ransom payments in exchange for the decryption of files. More recently, a new variant using code from the Petya ransomware (named “NotPetya”) struck first in Ukraine, followed by other European countries, and disabled critical utility services, such as the radiation monitoring system at the Chernobyl nuclear power plant, as well as affecting the countries’ banks and commuter systems.
What caught the attention of lawyers was an apparent infection in one of DLA Piper’s European offices that brought the law firm’s normal operations to a halt. As we write, the extent of the damage is still unclear.
Times have changed since CryptoLocker first ran wild in 2013, but the results are still as devastating. The costs of ransoms have significantly gone up from a few hundred dollars to the $1,000-plus range for the decryption key to unlock the affected files—and more than half of those who pay up do not receive the decryption key. So much for honor among thieves!
Ransomware has continued to evolve and is the primary security concern for businesses of all types and sizes.
How do you protect your firm from ransomware, malware and other cyberthreats? Before we get started, as we say all the time (and it rates boldface type), there is no silver bullet that protects against all ransomware. Or all malware for that matter. If a vendor promises you a 100 percent solution, you are being sold a bill of goods.
BACKUPS
Backups are key. Back up all of your data. Don’t forget to periodically conduct a test restore of the data and make sure your backups are impervious to ransomware—either backed up in the cloud or agent-based. (Talk to your IT provider to learn more.)
Backups should be encrypted with a user-defined encryption key, whether on-site, off-site or stored in the cloud. If using a cloud vendor, the vendor should not have access to the decryption key. Encryption should be treated as a must—no questions about it.
The simple solution for most solo or small-firm lawyers? Use an external USB hard disk. Unplug the hard disk after the backup job completes. Just make sure you have at least two USB hard disks and rotate them in case you are attacked while one disk is connected.
PASSWORDS
Develop a password policy. The recommendations for password policies have recently changed. We still live in a password-driven world, but the final guidelines from the National Institute of Standards and Technology for the federal government have now been published. (See Digital Identity Guidelines, SP 800-63-3, on the NIST website.)
While this publication applies to government agencies, it represents new thinking that is sure to be embodied in the NIST Cybersecurity Framework, draft version 1.1, which is in the process of being finalized. NIST is phasing out the requirement of periodic password changes, which has been the foundation of password policies for many years.
Other recommendations include using a length of at least eight characters and choosing a passphrase rather than a password. Some applications and devices now allow spaces and even emojis, so users can include them when setting their passphrase.
Do not use dictionary words, as they are quickly guessed by dictionary and brute-force attacks. Also, make computers require screen-saver passwords, and ensure that passwords are needed after a reasonable period of inactivity.
Newly included in the NIST guidelines is checking all passwords against a database of known compromised passwords, which will of course eliminate all of the dreadfully easy passwords users are so fond of employing.
Users should never share their passwords, write them down or reuse the same passwords anywhere. It is particularly important that credentials used to access a law firm network never be used anywhere else. The use of a password manager can make this task quite easy.
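As an added example (not code from the article or its authors), here is a small Python password-acceptance check that applies the rules above: minimum length, spaces and emojis allowed, no bare dictionary word, and rejection of anything on a compromised-password list, with no expiry or complexity rule. The compromised-password and dictionary lists are tiny constructed samples, and keeping the compromised list as SHA-1 digests rather than plaintext is this example's own assumption.

```python
import hashlib
import unicodedata
from typing import List

# Constructed sample data for this example only (not a real breach corpus or word list).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "letmein1", "Welcome2017")
}
DICTIONARY_WORDS = {"lawyer", "attorney", "password", "sunshine", "welcome"}

MIN_LENGTH = 8  # minimum length for user-chosen passwords per the guidelines


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str) -> List[str]:
    """Return the policy rules the candidate violates (empty list = accepted).

    Deliberately absent: periodic-change (expiry) and character-class
    complexity rules, which the guidelines no longer call for.
    """
    secret = normalize(candidate)
    failures = []
    # Length is counted in code points, so a space or an emoji counts as one character.
    if len(secret) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # A single dictionary word (ignoring case and surrounding spaces) is rejected;
    # a multi-word passphrase passes, because that is what the guidance recommends.
    if secret.strip().lower() in DICTIONARY_WORDS:
        failures.append("single dictionary word")
    # Compare a digest of the candidate against the compromised-password set.
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest()
    if digest in COMPROMISED_SHA1:
        failures.append("appears in compromised-password list")
    return failures


if __name__ == "__main__":
    for sample in ("password", "short", "Welcome2017", "correct horse battery \U0001F50B"):
        print(repr(sample), "->", check_password(sample) or "accepted")
```

In a real deployment the compromised-password set would be a full breach corpus checked on every password change, not only at enrollment.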
Consider enabling two-factor authentication when available. Biometrics alone are not a good solution—once your biometrics are stolen, they will always be stolen. Remember the 5.6 million fingerprints stolen in the U.S. Office of Personnel Management data breach? You can’t change your fingerprint.
A password policy should be part of an overall comprehensive security program, which should also encompass an incident response policy, disaster recovery plan and social media policy, to name a few.
The authors are, respectively, the president, vice president and CEO of Sensei Enterprises, a legal technology, cybersecurity and digital forensics firm based in Fairfax, Virginia. This article appeared in the October 2017 issue of the