Outsmarting Cyber Crime: Tips from the eCrime Unit

Almost every day we hear about a cyber incident or a data breach from a well-known company. Law firms are attractive targets for cyberattacks because they have money, sensitive data, and less cybersecurity knowledge than other industries. In January 2024, the large law firm Orrick, Herrington & Sutcliffe was hit by a data breach where attackers had access to their system for weeks. The law firm is in the process of settling a series of lawsuits related to this breach in the U.S. District Court for the Northern District of California.[1] Ironically, Orrick is known for bringing lawsuits against other companies due to their data breaches.

Similar breaches also happened to law firms Kirkland & Ellis, K&L Gates, and Proskauer Rose.[2] These large law firms have the resources to hire dedicated information technology and cybersecurity professionals and yet they were still hacked. What does that mean for small law firms without dedicated cybersecurity resources? What should law firms do to protect themselves from cyber attackers?

By following recommended guidance, you can improve your cyber security practices and reduce the chances of being a victim of a breach. Here are a few steps any law firm can take to strengthen its security.

1. Require strong and unique passwords – Passwords should be long, random, and unique. They should contain a mix of numbers, upper case letters, lower case letters, and symbols. Many users use simple words or phrases for their passwords. Hackers have software that can automatically try logging into a user’s account using the most common passwords. If your password is a common name, sports team, superhero, food, or phrase, it can be easily guessed by hackers. If you want to see the most common passwords and tools hackers are using to guess your passwords, try googling the “RockYou” password list.[3]
2. Use a password manager – How can anyone remember a long random series of numbers, letters, and symbols? It is impossible. Instead of storing passwords in your head, or writing them down, you can use password management software. These programs generate random passwords, store them, and help you fill in passwords when you need to log into a site or system. Some reputable password managers include Bitwarden, 1Password, Dashlane, and KeyPassXC. Password managers can synchronize your passwords between different devices, including your phone, tablet, and computer. Is there a risk of storing all your passwords in a password manager? Yes, there is always some risk. However, security experts believe the risk of using a password manager is significantly less than the risk presented by weak passwords or password reuse.[4]
3. Set up multi-factor authentication (MFA)– If you have ever received a text message with a six-digit code to log into an account, you have already used MFA. MFA combines something you know (your password) with something you have (your cell phone) to increase your security. Text message MFA is better than no MFA. However, the phone number link makes this method susceptible to sim-swapping attacks where someone takes control of your phone account by tricking your carrier. To increase security, one should use an additional method of authentication, such as a phone-based authentication application or a hardware key. Some well-known authentication applications include Microsoft Authenticator, Duo Mobile, Authy, and Google Authenticator. Well known hardware keys include various YubiKey models or the Google Titan Security Key. This means an attacker who can learn or guess a user’s password will be unable to access the system without also having physical access to the user’s phone or hardware key.[5] This reduces the number of people who can hack you from eight billion to the handful of people who might have physical access to your phone or hardware key.
4. Encrypt sensitive data on your devices – Encrypting data on your device makes it unreadable by unauthorized people. When you are using a phone or computer to get work done, encryption does not matter much. However, if a device is lost or stolen, a thief can access data on the device. If the data is encrypted, it cannot be accessed without the password or access code for that device. Many years ago, encrypting data on your device meant dealing with performance penalties and slowdowns. Now, on modern devices, any performance hit is negligible to non-existent. Data on mobile devices and Macs are typically encrypted by default. Windows computers can use BitLocker software, which is included in Pro and Enterprise versions of the operating system.
5. Keep your software up to date – Keeping all your software up to date can be daunting. It usually requires waiting for a large download, waiting longer for the updates to install, and requires the device or software to restart. If you are restarting your phone or computer, all the applications you are using are closed and reset. If you are restarting your web browser, all your tabs and windows are closed. In short, updating software can be annoying. One way to deal with this issue is to set up automatic updates whenever possible. Some devices and software can be set up to update in the middle of the night or when not being used.
   Keeping software updated is important for security. When inadvertent bugs are found in software, software makers will update their software to fix the issue. At the same time, security researchers often publish the details of the bug. This information can then be used to attack devices running older unpatched versions of the software. It is especially important to keep your operating system (Windows, MacOS, Android, iOS) and web browser (Chrome, Edge, Safari) updated.
6. Back up your data regularly – Client files and legal work are some of the most important data controlled by a law firm. The best way to ensure you do not lose your data is to back it up regularly. Experts recommend backing up your data locally but also having backups offsite or in the cloud. Offsite backup ensures your data will be safe even if a disaster, such as a flood or fire, hits your law office. Using software that synchronizes files between computers such as OneDrive or Dropbox is not a backup solution. For example, if a hacker gains access to a computer with Dropbox and deletes files from that single computer, those deleted files will also be deleted on other computers with Dropbox installed, potentially resulting in data loss. This syncing or mirroring functionality, while convenient for day-to-day work, makes it unsuitable for backup purposes.
   The above suggestions are not meant to be comprehensive. However, implementing them will be a strong step towards making your law firm more secure and protecting your sensitive information. In addition to all the business reasons to keep your data secure, it also protects your clients, to whom you owe a duty of confidentiality.[6]
   [1] https://www.reuters.com/legal/litigation/law-firm-orrick-reaches-tentative-settlement-cyber-breach-cases-2023-12-21/
   [2] https://www.rollonfriday.com/news-content/kirkland-kl-gates-and-proskauer-hit-ransomware-attack
   [3] https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-20.txt
   [4] https://www.cisa.gov/secure-our-world/use-strong-passwords
   [5] https://www.cisa.gov/MFA
   [6] See page 11 for “The Ubiquitous Threat of a Data Breach – Your Ethical Duties to Mitigate the Risks,” by Lorraine M. Walsh.