In mid-December, I discovered that I was the victim of credit card fraud. It turns out that someone had opened four credit cards in my name and used one of the cards to charge about $600.00 worth of merchandise. I did not realize it until I received a bill from a merchant that I have never used. The fraud was not that high tech. We believe that someone who may have had access to paper records (i.e., doctor’s offices) used my name and address to get a credit card. We caught it immediately and contacted the credit card companies and credit bureaus and cancelled all cards and put a credit alert on my credit report.
This was a nuisance, and we have taken all the necessary steps to shut it down, but with the fiasco with the Target data breach, it started me thinking about cybersecurity for law firms, especially small law firms. The Target data breach, although prominent in the news, was just one of 619 breaches in 2013 according to the Identity Theft Resource Center.
This month’s article is going to give a summary of some of the many issues your firm needs to address to protect you, your firm, your employees, and your clients. You are responsible for protecting both your employees’ and your clients’ data and information. This is such a serious problem that at least 46 states have enacted data breach notification laws that require a company to promptly inform individuals of security breaches involving personal data that might expose the individual to identity theft or financial fraud.
Although the risks and dangers are real, it is important to remember that we are not going to stop using technology in our daily lives. Nonetheless, it is important to learn what the dangers are and take steps to protect your firm. The solution is not to stop using technology (or credit cards) but to start using technology safely.
Here are some questions – taken from LawPRO Magazine’s “The Risks and Dangers are Real” article, published in the December 2013 issue – that you need to answer in order to determine how vulnerable you may be:
- Are your passwords secure enough?
- Would you or your staff be duped by a phishing message?
- How would your firm respond if one of its servers was hacked?
- Is your anti-malware software the most current version and is it updated?
- Could you tell if your computer had malware on it?
- Are your computer’s security settings adequate?
- Is there a backdoor into your network?
- What would happen if a firm laptop or smartphone were lost or stolen?
- How would you deal with a major data theft by an ex-employee?
- Is your home computer safe?
One of the greatest threats to firm (and personal) computers is malware, short for malicious software. It is defined as “software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.” There are many different types of malware (including viruses, worms, Trojans, spyware, adware, rootkits, scareware, ransomware, keyloggers, and others), and new ones are being created even as I write this article.
Some of the symptoms of an infected computer are:
- Your computer is running slow.
- Pop-ups telling you that you have a computer virus.
- Unexpected PC behavior, including in your browser.
- Antivirus and firewall protection is unexpectedly disabled.
- Unfamiliar and peculiar error messages.
- Unexpected spam being sent from your computer.
- New icons on your Desktop that you do not recognize.
- Your files or data have disappeared.
- Web pages slow to load.
- Space on your hard drive is disappearing.
For a good article on symptoms for specific types of malware, see www.malwarehelp.org/symptoms-of-infection.html.
How to Minimize Your Risk
It is impossible to completely prevent problems, but there are many steps you can (and should) take to minimize your risk of being the victim of these cybercrimes.
- As a solo or small firm practitioner, it all starts with you as “senior management,” just as it is in large firms with IT experts and staff.
- Start with technology use policies and review them with your staff and adhere to them. (Examples of some technology use policies)
- All staff must be part of the solution to minimizing risks. Depending upon your particular firm staffing, either you or someone on your staff should be responsible for regularly reminding everyone to be vigilant. I recommend having quarterly or semi-annual staff meetings to review some of the policies. These meetings do not need to be long or tedious. Regular reminders let staff know you are taking these policies seriously.
- Again, depending upon your firm’s size, you may not be able to have a full-time IT person on staff. While someone at the firm should understand some of the issues, you should also work with someone who understands security issues. Ideally your security consultant should have some experience working with law firms.
- Install anti-malware and antivirus software and keep it up to date. If you or someone on your staff is not able to do that, then you need to pay your consultant to make sure that all your software is updated.
- Take password protection seriously. (Read “Five Tips to a Good Password.”) Do not share passwords, and change passwords regularly. Consider using Strong Password Generator if you are not willing to put in the time and energy to create strong passwords.
- Learn how to spot “Phishing” scams and make certain your staff understands and can recognize these scams. According to TechTarget, “Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites.”
- Beware of email attachments.
- Be very careful when using file sharing sites. Make certain that you understand how they work and are certain they are secure.
- Have a firewall on your Internet connection.
These are just 10 suggestions to start to minimize your risk. There are many more, and we will have information on the MSBA website and include additional information in the January Tech Tips, which will be sent on Tuesday, January 28. Watch your email for Tech Tips.
Also, the January/February 2014 issue of the MSBA Bar Journal is on CyberSecurity.