According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, “more than 90 percent of successful hacks and data breaches stem from phishing scams, emails crafted to lure their recipients to click a link, open a document or forward information to someone they shouldn’t.”1 By 2021, it is predicted that a business will fall victim to a ransomware attack every 11 seconds.2 Ransomware damage costs are expected to be 57 times higher in 2021 than in 2015.3
Security professionals agree on common ransomware prevention and recovery strategies. It is recommended that organizations educate employees and test them with simulated phishing and ransomware exercises, implement business continuity protocols, and run stress tests on backup systems. Ransomware attacks continue to persist, in part, because businesses do not think they will fall victim. Other reasons for inaction are the mistaken assumptions that prevention and recovery strategies are cost prohibitive or too burdensome. However, there are cost-effective procedures, strategies, and systems that firms can easily implement to counter ransomware attacks.
What is Ransomware?
The Federal Trade Commission (FTC) ransomware guide indicates how businesses fall victim to ransomware attacks:
- Scam emails with links and attachments that put data and the network at risk. These phishing emails make up most ransomware attacks.
- Infected websites that automatically download malicious software onto a computer.
- Server vulnerabilities that can be exploited by hackers.
- Online ads that contain malicious code – even on known and trusted websites.4
Once a device has been infected, hackers usually demand payment of a ransom, typically in Bitcoin, to unlock or provide access to the device or files. Paying does not guarantee that the attackers will actually provide a working decryption key, which is why the prevention and backup measures below matter more than the ransom decision.
Preventing Ransomware
Law firms should focus on awareness and training, according to Tom Watson, senior vice president and director of marketing and communications for Wisconsin Lawyers Mutual Insurance Co. (WILMIC). “Because end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered and be trained on information security principles and techniques.”5 Training is a vital component because “[e]ven if you have the best security system in the world, if you have click-happy users, they are going to get you in trouble,” says Michael J. Eichacker, IT services manager for Ruder Ware LLSC.6 The FTC’s website includes free training resources, videos, and quizzes that can be provided to employees.7 Google also has a free website dedicated to quizzing users on phishing attacks.8
Christopher C. Shattuck, Univ. of La Verne College of Law 2009, M.B.A. U.W.-Oshkosh 2015, is manager of Practice411™, the State Bar’s law practice assistance program. If you have questions about the business aspects of your practice, call (800) 957-4670.
Training should be accompanied with written policies and procedures concerning data security. Sample policies and procedures are free to download and can easily be modified to capture the necessary information for your firm.9 The policies and procedures should, at the very least, outline security in workstations, passwords, networks, servers, email usage, encryption protocols, acceptable use of confidential information, and remote access.10
From a software perspective, firms should consider “investing in a firewall, spam filters, patching devices, and antivirus and malware software.”11 “A spam filter attempts to keep either nuisance or malicious emails out of your system completely and a firewall keeps people from randomly coming into your system. A firewall is like a lock on your interior door, and the spam filter is the person outside of the door that keeps people from accessing the interior door. The next layer of protection is to make sure that your devices are patched with updates. The final layer is to ensure that computers have current antivirus and malware protection.”12
No software by itself is capable of preventing a successful ransomware attack. Therefore, law firms should also have sufficient data backups to access information in the event devices become infected. When creating backup systems, remember the rule of three: 1) have local, isolated backup systems; 2) store your data on different types of devices (cloud, external isolated hard drive, or other type of unconnected media); and 3) back up data on a device located outside your office’s geographical area.13 The word “isolated” matters: ransomware encrypts every drive and network share the infected machine can write to, so a backup drive that stays permanently plugged in, or a cloud folder that syncs continuously, can be encrypted right along with the originals. At least one copy should be disconnected, or otherwise not writable from the workstation, between backup runs.
Recovery Strategies
Once a law firm has systems in place, it is important to test those systems. Hackers can more easily exploit vulnerabilities when software systems are not regularly updated or patched. Backup systems can become corrupted, fail to capture necessary information, or, if they remained connected to the network, contain files that were already encrypted when they were copied. A backup job reporting “success” proves only that it ran; a backup has been tested only when files have actually been restored from it and opened.
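As an added illustration, not from the article or any of its cited sources, the following Python script shows one way to make a backup test concrete: record a SHA-256 manifest of the client-file tree at backup time, then compare a restored copy against that manifest. Files that are missing, or whose contents no longer match (silent corruption, or a backup that captured files after ransomware had encrypted them), are reported rather than discovered on the day you need them. The sample files, paths such as matters/smith/complaint.txt, and the simulated bad restore are all constructed inline for the demo and are not real firm data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large scanned documents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path -> sha256) at backup time."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time.

    Returns lists of files missing from the restore, files whose contents differ
    (corruption, or encryption that reached the backup set), and files present
    that were never in the manifest, plus an overall ok flag.
    """
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    changed = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "ok": not (missing or changed),
    }


def demo():
    """Constructed sample: a tiny 'live' client-file tree and a flawed restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for root in (live, restored):
            (root / "matters" / "smith").mkdir(parents=True)
            (root / "matters" / "smith" / "complaint.txt").write_text("draft complaint v3")
            (root / "matters" / "jones.txt").write_text("engagement letter")
            (root / "trust-ledger.csv").write_text("date,amount\n2019-08-01,1500.00\n")

        # Manifest is taken from the live tree at backup time.
        manifest = build_manifest(live)

        # Simulate what a bad restore looks like: one file's contents replaced
        # (as ransomware would leave it), one file never captured by the backup job.
        (restored / "matters" / "smith" / "complaint.txt").write_bytes(b"\x8f\x11 encrypted blob")
        (restored / "trust-ledger.csv").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points about using something like this: keep the manifest on media separate from the backup itself (a manifest stored on the same drive can be rewritten by the same malware that rewrites the files), and run the check against a restore onto a scratch machine rather than against the backup media in place, so the test exercises the actual restore path.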
A data breach response plan should outline the strategies the firm has in place to address data breach or loss. A sample plan can be downloaded for free and should include the firm’s 1) response team, 2) methods for identifying or detecting incidents, 3) analysis of issues leading to the breach or loss, 4) any required employee and client notifications, and 5) additional reporting requirements. This plan should be made in conjunction with the firm’s IT disaster recovery plan.
An IT disaster recovery plan should provide a roadmap for the firm to recover from successful threats against its IT infrastructure. These plans can also be downloaded for free and should include the names of the people on the firm’s disaster recovery team, procedures for restoring access to information and systems, vendor and insurance contact information, information regarding alternative worksite or remote access, guidelines for notifying clients, and financial and legal options.14
Another recommendation is to consider obtaining cyber and crime insurance. Many lawyers mistakenly assume that malpractice insurance will provide coverage for harm caused by cyberattacks or crimes.15 However, nearly every insurance policy excludes coverage for certain events. Therefore, lawyers should review their current insurance policies and ensure there are proper coverages for different scenarios.16
Regular Testing
An organization shouldn’t stop after training and implementing new procedures and systems. Testing new procedures and systems will provide added value to the improvement process. Simulating data breach or disaster recovery scenarios allows law firm personnel to become more familiar with and improve plans.
After plans are tested, an internal report should be created outlining strengths, weaknesses, opportunities, and threats. Once improvements are implemented and inefficiencies eliminated, the plans should be tested again. Typically, improvements can be made in ensuring proper recovery times, sufficiency of data backups, access to information, notifications to affected personnel or clients, and having sufficient qualified substitutes in the event some personnel are unavailable. Data breach and disaster recovery plans have sensitive information and should only be shared with vital personnel.
Ethical Obligations
According to ABA Formal Opinion 482, “[l]awyers must understand that electronically stored information is subject to cyberattack, know where the information is stored, and adopt reasonable security measures. They must conduct due diligence in selecting an appropriate repository of client information ‘in the cloud.’” Wisconsin Formal Ethics Opinion EF-15-01 reinforces the knowledge responsibility by indicating that a basic understanding of cybersecurity knowledge is an essential requirement of lawyer competency.
A good starting point for lawyers is to determine who, what, when, and where. For example, who is storing and has access to client information, what type of security protocols are in place, when is the data backed up, and where is the information being stored? If lawyers are unable to answer these basic questions, it would be extremely difficult to prevent or recover from a successful ransomware attack.
Conclusion
Countless articles and resources about ransomware attacks exist. The literature serves an important function to educate and remind the public of the continuing threat of ransomware attacks. However, many lawyers still do not take sufficient steps to prevent or recover successfully from ransomware attacks. Lawyers are not unique in this regard; many small and even large organizations fall victim. So, what can be done?
Educating employees and implementing procedures to address ransomware attacks are steps in the right direction. There is a common misconception that educating employees and implementing protocols will be cost prohibitive. However, law firms and other entities that have thwarted or recovered from ransomware attacks will attest that the reverse is true: failing to implement successful strategies may cause the recovery of your business to be cost prohibitive.
Remember, you are not alone in your fight against ransomware attacks. In addition to the resources and recommendations provided in this resource, you can contact Practice411™ for confidential consultations, attend continuing legal education sessions, and stay up to date on recent threats by joining the Practice411 electronic list.
Consider sharing your experiences and successes with others to help further promote awareness. Increased discussion and awareness within the legal community will help decrease the number of lawyers and firms affected by ransomware attacks.
Turn to the State Bar to Help You Manage and Protect Your Practice
As a State Bar of Wisconsin member, you have an extensive system of support at your fingertips. In partnership with M3 Insurance, members can obtain greater protection with cyber security insurance, an optional bond or crime policy, and expanded bond coverage.
Cyber security insurance. Coverage is tailored to your firm’s size and needs and can include these areas: cyber extortion (such as ransomware), business interruption, data reconstruction, website liability, breach response mitigation expenses, and more.
Optional bond or crime policy. This coverage helps lawyers comply with the amended trust account rule, SCR 20:1.15(f)(3)c.2. Coverage encompasses employee dishonesty, forgery or alteration, computer fraud, money orders and counterfeit currency, funds transfer fraud, partners inclusion endorsement, social engineering fraud, and loss of clients’ property.
Expanded bond coverage. Expanded bond coverage is available for the following areas: court bonds (appeal, attachment, bankruptcy trustee, injunction, receivership, release of lien, replevin, sheriff indemnity, TRO); probate bonds (administrator, conservator, guardian, trustee); notary bonds (individual); notary errors and omissions (individual or business); and title agency or agent bond.
See 1, 2, 3 … New Member Benefits to Help You Manage and Protect Your Practice, InsideTrack (Sept. 19, 2018).
How Can You Protect Your Assets?
Do not rest on your firm’s cyber success laurels. A cyberattack can happen to firms of any size and at any time. To determine whether your firm is properly protected, take the following steps.
1) Review current insurance policies to determine the appropriate scope of coverage.
2) Determine the amount of coverage and protection you would like your law firm to have.
3) Have discussions with providers to determine costs and appropriate policy limits.
4) Ready to sign up? Visit www.wisbar.org and log in. Under the forMembers tab, click Membership & Benefits. Next, click Member Benefits and review the Cyber Insurance, Crime Coverage Insurance, and Surety Bond Coverage Insurance links for information on how to obtain insurance.
5) For additional assistance, contact the Practice411™ program for a confidential consultation, (800) 957-4670.
Discover the benefits of State Bar membership. Visit wisbar.org/member.
Endnotes
1 See Cybersecurity Ventures, 2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics (Feb. 6, 2019).
2 Id.
3 Id.
4 See Fed. Trade Comm’n, Cybersecurity for Small Business: Ransomware, (last visited Aug. 8, 2019).
5 Thomas J. Watson, Scam and Hackers: They’re Not Going Away!, Wis. Law., June 2016.
6 Christopher C. Shattuck, What's Hot, What's Not: Wisconsin Practice Trends 2019, Wis. Law., Feb. 2019.
7 See Fed. Trade Comm’n, Cybersecurity for Small Business, (last visited Aug. 8, 2019).
8 See https://phishingquiz.withgoogle.com/.
9 See Risk Management Practice Guides, (last visited Aug. 8, 2019); Accellis Technology Group, Cybersecurity Policy Handbook (2016); WILMIC, Law Practice Toolkit.
10 See the sources cited at note 9, supra.
11 Shattuck, supra note 6.
12 Id.
13 Pegeen Turner, Backups—The Rule of Three, Law Technology Today (Dec. 22, 2014).
14 IT disaster recovery plan template. An IT disaster recovery plan is available at the U.S. Department of Homeland Security’s official website, Ready.gov: www.ready.gov/business/implementation/IT.
15 Christopher C. Shattuck, Once Upon a Cybercrime: Are You Covered?, Wis. Law., July 2019.
16 See id. “In partnership with M3 Insurance, members can obtain greater protection with cyber security, optional bond or crime policy, and expanded bond coverage.”