Granted, we are geeks. And yes, we get excited every year when Verizon releases its annual data breach investigation report. The Verizon 2022 Data Breach Investigation Report (DBIR), like all of its predecessors, is full of reliable information that law firms need to know. Access the report at www.verizon.com/business/resources/reports/dbir/.
One of the stunning revelations this year is that roughly four in five breaches arise from organized crime. The quaint notion of disheveled individuals sitting in a chair, drinking endless caffeine-laden beverages, and eating lots of pizza while hacking has given way to criminal cartels, which operate much as American mobsters once did, right down to crime-syndicate leaders who make people offers they can’t refuse.
Many of the cartels, unsurprisingly, are in Russia, where their activities are tolerated and perhaps encouraged by the government. Just as with American crime syndicates, there is often some level of cooperation between the gangs – attacks and data leaks are coordinated, and they may share intelligence and even infrastructure.
By pooling their information about evading security software and dodging law enforcement, they increase their power and their ability to conduct successful attacks. The U.S. government, at long last, is laser-focused on these cartels: it is sharing information with foreign governments, offering bounties for information about the gangs, upping the ability to trace cryptocurrency transactions, establishing new sanctions, and imposing mandatory requirements on some entities to report data breaches.
New Data on Breaches – and the Human Element
The Verizon DBIR is now in its 15th year. The 2022 DBIR was based on 23,896 security incidents, 5,212 of which were confirmed intrusions. This article gives highlights of the 107-page report.
Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a coauthor of 18 books published by the American Bar Association.
John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional, a Certified Ethical Hacker, and a nationally known expert in the area of digital forensics. He and Sharon Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke is the CEO and director of cybersecurity and digital forensics of Sensei Enterprises Inc. He is an EnCase Certified Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Computer Examiner. He is also a Certified Information Systems Security Professional.
A tiny bit of good news: In 2021, a human element was involved in data breaches 85% of the time, and that percentage has dropped to 82% in 2022. But although the numbers are headed in the right direction, there is little comfort in how high they generally remain.
What are humans doing? They are falling for social engineering attacks, clicking where they shouldn’t click, opening documents they shouldn’t open, and trying to evade the restrictions imposed by their cybersecurity policies and technologies. They use weak passwords (if allowed). They share passwords and reuse passwords. They let their browsers remember their passwords. They resist any implementation of multifactor authentication.
Notably, humans misconfigure cloud storage. Typically, a cloud breach is not the cloud’s fault – a user configures things incorrectly and thereby issues an engraved invitation to the hacker world.
The list of human mistakes is endless. This is one reason why security awareness training is so vital – particularly for law firms, which hold the confidential data of many people and entities.
Insiders or Outsiders?
As the DBIR notes, it is common to see stories about the prevalence of insider attacks. However, the statistics don’t bear out that prevalence. Nearly three out of four cases exhibited evidence of the attack coming from an outside source. Internal sources accounted for only 18% of incidents.
While we find that statistic credible, we note (as the DBIR itself does) that insiders are sometimes very adept at hiding their involvement in malicious activity!
Ransomware Statistics
Law firms, like all other entities, have been targeted by ransomware gangs. Ransomware made up 25% of security incidents between Nov. 1, 2020, and Oct. 31, 2021, and was used in 70% of all malware infections.
How do ransomware gangs get through defenses? They steal credentials or buy them on the dark web. They use phishing attacks, and they exploit vulnerabilities.
As noted in the DBIR, 75% of ransomware incidents involved an intrusion exploiting desktop-sharing software (40%) or email (35%).
Perhaps the most dire warning emanates from the fact that ransomware attacks increased 13% year over year. That represents a larger increase than the previous five years combined. And still the hits keep coming.
Though law firms have heightened their defenses, the ransomware gangs have gotten smarter too, so we play an endless cat-and-mouse game, in which the mouse often, but not always, evades the cat.
Money Makes the World Go Round
Money makes the world go round, as a song from Cabaret points out. So it is unsurprising that the report found that the motive in 89% of breaches was financial; in the remaining 11%, the motive was espionage. Nation-state affiliated cyberattacks continue to increase in sophistication.
While the U.S. government is following a “Shields Up!” defense strategy, the United States has been late to the game – but, it is hoped, not so late that U.S. businesses and individuals cannot catch up and get ahead of criminals. Lawyers should keep in mind that law firms are a “one-stop shop” for cybercriminals because they hold the data of so many entities.
The strength shown recently by the U.S. government in its war against ransomware and other cybercrimes is encouraging. It might take time to develop cyber defenses that result in unseating the leaders of cybercrime. But that’s okay. In the words of a long-lived proverb, “revenge is a dish best served cold.”
Cite this article: 95 Wis. Law. 53-54 (November 2022).