Simulations test law firm system security
Getting attorneys to update their practices is critical for the issue that concerns him the most: phishing. “No one is attacking our firewalls anymore; they’re attacking us,” Sawyer says.
Historically, a hacker would attack the firewall to try to enter the system. Now, he says, phishing emails prey on human folly to enter the system, and they’ve changed significantly in the last two years. With increased phishing attempts, he says, employees are the target. As a result, “we rely on the technology, but we don’t rely on it exclusively.” He adds that “our security [is] more about people than technology.”
Sawyer says there are key components to the program’s success, which include constant outreach, firmwide communication, and the support from the firm’s leadership to implement firmwide security protocols.
For outreach and communication, he initially sent monthly newsletters that had introductory security tips, such as not giving your child the password to a work computer. Over time, as the newsletter became more targeted, he began to provide CLE credits for security trainings, and he sends a “Phish o’ the Day” email that illustrates phishing attempts that evade the spam filter, which he says arrive about one every two minutes.
Sawyer’s focus on phishing attempts is well-placed. The same Cisco report says spam makes up 65 percent of email traffic, and up to 10 percent is malicious. That rate is climbing because of the increased use of botnets, networks of private computers infected with malicious software that gives control to a third party.
A CONSTANT PROCESS
Threat assessment, at its core, gets to the bigger questions, such as “What are you storing and why? And what are you communicating and how?” says Shauna Dillavou, principal at Security Positive, a security consultancy in Washington, D.C.
The assessment process, like a risk audit, allows firms or individuals to find their vulnerabilities and build procedures around those unique risks. Dillavou says this process is important because “guides that tell you to do ‘these three things’ aren’t for everybody.”
With communication being critical, Jill Rhodes, chief information security officer at Option Care in Chicago and co-editor of The ABA Cybersecurity Handbook, says cybersecurity is serious, but “the delivery of the message doesn’t necessarily need to be.”
Rhodes helps clients create cartoon mascots to reinforce security awareness. At Option Care, which provides at-home IV treatments, its mascot is a syringe called “the Infuser” that wears sunglasses and a cape.
“When people see that, whether or not they realize it, they refer back to information security,” Rhodes says. This, coupled with other initiatives, creates repetition that reinforces the message, she says.
Strong cybersecurity requires repetition, and it also requires constant revision. Bro of the ABA Cybersecurity Legal Task Force says completing an assessment or attending a training is not the end of the process. Cybersecurity “is not a destination,” she says. “It’s a journey.”
This article was published in the February 2018 issue of the ABA Journal with the title "Game Theory: Lawyers are turning to simulations to test how safe their systems are."