With cyber threats and their respective defenses evolving at an ever-quickening pace, ongoing and frequent cybersecurity training is a must for today’s law firms. With some of the recent major cybersecurity events in mind, Sharon and John offer practical examples and training tips for improving employees’ cyber threat awareness and preventing an attack on your firm.
Special thanks to our sponsors CaseFleet and PInow.
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon Nelson: Welcome to the 128th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson. President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax Virginia.
John Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is Top 10 Tips: Effective Cybersecurity Awareness Training for Law Firm Employees.
Sharon Nelson: Before we get started, I’d like to thank our sponsors PInow.com and CaseFleet.
John Simek: Today, Sharon and I are going it alone to talk about a subject which is near and dear to our hearts, cybersecurity awareness training for law firm employees. We’ve been lecturing on the subject for many years but has a new meaning in light of recent cybersecurity events. So what do you say we start it off, Sharon?
Sharon Nelson: Yeah. Well, let’s start. It’s not really 10 tips, it’s more like about 50 compressed into blocks of 10 but that’s all right. We’re trying to give you a little bonus here.
John Simek: 50, that’s my first page.
Sharon Nelson: Let’s start with how important cybersecurity awareness training is for law firms and how to do it right. John’s going to give you some more steps later, but I think one of the most significant statistics is that human beings are somehow involved in the success of 82% of successful attacks. They tend to have crummy passwords, they reuse and share passwords, they click on links or attachments without thinking, they get emails which seem improbable and yet respond to them, they steal your data and take it to their next job, and the list just goes on and on.
In a work from home world where we are mostly still where law firm employees are connecting remotely at least part of the time, training them about security is just more important. John’s going to talk more about the specifics of that. We used to say that you should do this training once a year but as things are moving fast, move faster and faster, we think it’s better to do it twice in a year.
The employee seemed to need reiterative training. They simply forget stuff and the threats and the defenses keep changing too, so it really is hard to keep up. And I guess I would advise not to skimp on using in-house IT to do the training for budget reasons, they’re really not training professionals and they don’t carry the big bat needed to hit the lessons home. If you’re going to hire somebody to do it, which is what most people now do, get some referrals from your friends.
One thing we noted recently is that a very large company that called us to do cybersecurity awareness training because they hired a big gun firm and they were so boring that people didn’t pay any attention. So, they call us because they heard we are colorful. So bear in mind that good presenters have to be good entertainers as well as good teachers. And if you’re worried about cost, well, you can pay a lot. We’ve heard tens of thousands of dollars and it’s crazy and we’ve heard a number of hours. Our one-hour training sessions are either $500 or $1,000 depending on the customization involved. Pretty much the small law firms can afford that. Personally, we recommend it to go for just an hour because after that, they do tend to numb. Their brains go numb and you don’t need that.
Training is definitely better live but it is not likely the predominant way of the future. Most law firms are now having virtual training and I see that is continuing at least in hybrid format, maybe have somebody on-site and remote as well. Make sure you track the attendance and ask those who are giving the training to give you a recording if some employees can’t make it which always seems to happen. John, I think you’re up at bat next.
John Simek: I want to talk a little bit about phishing and ransomware. You really can’t go a single week without hearing about ransomware in the news, whether it’s about a new victim, some ransomware gang that’s going dark or some new variant that’s seeing the wild. I mean, the hits just keep on coming. Wouldn’t you say that, Sharon?
Sharon Nelson: Absolutely.
John Simek: Not every day.
Sharon Nelson: It’s blinding how many of them there are.
John Simek: Yep, but I’m going to start with ransomware just because it’s been so hot in the news and it seems to be a real sexy topic for everybody but it really has evolved. In the early days, early days according to technology, which is what, two years ago, Sharon, maybe three years ago. It basically was just a way to encrypt your data and then hold you hostage until you pay it a ransom in order to get the decryption key to get access to your information back.
Well, that’s since evolved to what Sharon, I call ransomware 2.0. That’s not an official industry term but the evolution of it has really become much, much more targeted and the tactics have changed because the cybercriminals, they’re pretty smart, they’re not stupid and what they realized is that a lot of the victims started to really improve their backup mechanisms and they weren’t paying the ransoms anymore, so they were just restoring from their backups, which you certainly should continue to do but what happened was that the money well dried up and so now, the cybercriminals go in, “Oh, wait a minute, let’s access their network and before we encrypt the data, let’s steal it first. Let’s make a copy of it and then we’ll go and encrypt it and if we’re lucky and they don’t have good backups, they’ll pay us their first ransom, but in either event, we have that second option to extort them a second time and ask for that second ransom and we’re going to threaten to expose that information or sell it or whatever if they don’t pay us that ransom.”
And the one thing that cracks me up all the time and Sharon, we always laugh at this is when the cybercriminals say, “Oh, yeah, you pay us a ransom and we’re going to delete your data.” Yeah, right. We should trust you.
Sharon Nelson: We’ve certainly seen cases where trust was not justified, that’s for sure.
John Simek: That’s right, but they’re actually making a heck of a lot more money now as a result of that, but because of that, because of the ransomware and the evolution of it, they’re actually targeting more. They’re going after victims that are more willing to pay and or they’re actually doing financial analysis, if you will, to adjust the various ransoms so that according to what the victim’s paying ability is. If you’re a very, very large Fortune 100 company, then the number’s going to be big, but if you’re a solo small firm attorney, it may not be too big. It can be a few thousand dollars, 3, 5, 10, whatever because they know that you’re going to be more willing to pay that information.
But a little bit about the stats though of where ransomware is and there was a Forbes article that came out in March of this year where CrowdStrike announced that the average ransomware payouts were exceeding a million dollars and that the security firm BlueVoyant found that 15% of the global samplings of thousands of law firms, they showed signs of compromised networks. So 15% had signs that they were compromised and every single network for all of the law firms that they surveyed were subject to targeted threat attacks.
The law firms actually have this big bullseye on their back. It’s a one-stop shop. So don’t think even though that you’re a small or solo attorney that you’re not going to be subject to potential ransomware attack because you are. The data you have is very valuable. Ransomware has actually evolved into what’s called ransomware as a service now. So you can buy services, groups like Maze or DarkSide or REvil or some people call them Are Evil because they really are evil. The REvil folks have attacked the, you probably remember the law firm, the big boutique law firm in New York that did all the celebrities, the Lady Gaga and all those folks, they were attacked by REvil. That was a Grubman Shire, and I’m going to mispronounce the name, Meiselas & Sacks, I guess, but recently, REvil was in the news by attacking the Cassia, a managed service provider.
There’s a lot of these folks that are out there that have grouped together as gangs, if you will, in order to create these ransomware as a service offerings. But a little bit more on the stats Coveware, which is a company that monitors the stuff, the average ransomware payment is now over $220,000, that’s up over 40% from the fourth quarter of last year. The medium ransomware payment is over $78,000 and that’s up almost 60% from Q4. The average downtime for firms that have been attacked by ransomware is 23 and that’s up 10 days from Q4. But the new trend, as I mentioned before, about the the migration and the growth of ransomware is that there is trying to disrupt the business after the initial attack. And you saw that in the JBS meat packing, the Colonial Pipeline, that whole business disruption, if you can disrupt the business, then that gives great incentive for somebody to go and try to pay that money.
Sharon Nelson: And I guess, John, I should probably say too that we don’t go into this in such depth in the training sessions, but they have to understand who their enemies are and what the firm needs to do and they need to know how they can be a part of that. So it’s training them to recognize signals of phishing emails or ransomware attacks so that they can protect the law firm as well as possible.
John Simek: Right. But just to reiterate, though, the second generation of ransomware and where they’re stealing the data, if you will, or making a copy of it first before they encrypt, that right now, 77% of the ransomware attacks, they include that threat to leak or the stolen data. And so, over three-quarters of the attacks now have that involved and I’m not going to go into all the other Coveware stats and those kinds of things that are out there for because they really are trying to maximize the profits, but I want to talk a little bit about phishing and how phishing is really the entry point for folks to contract this ransomware, but it’s also for the attack into the business email compromises, which I’ll talk about in a little bit.
But the whole point of phishing and we do train on this portion, Sharon, as you know, and teaching folks how to recognize phishing and one of the reasons that we recommend at least twice a year now in doing these kinds of cybersecurity awareness training sessions is because the phishing techniques change, and what we’ve seen and how they go about trying to trick people into clicking on things or opening things that they shouldn’t have but the scary part is that 57% of the respondents in a Proofpoint survey experience some sort of successful phishing attack, so over half of them. 67% of the users didn’t even know what ransomware was or they gave an incorrect response, which is really deadly. If you don’t know, as you mentioned earlier, if you don’t know what that is or what your enemy is, that’s a bad thing for you.
Sharon Nelson: That’s why we try to show them a dozen or so phishing examples in the training so that they can all look at it and say, “Yeah, I got something like that once and I didn’t hit it,” or “Yeah, I clicked on it.”
John Simek: Or be very, very suspicious of it, right? That’s what you should be. But 91% of the attacks, they start with a phishing email and if you do train your employees on phishing simulations, that drops your risk by 30% that studies have shown that. So you can’t get much better than that. What that tells you is that you should continue on a periodic basis to train folks into these phishing simulations.
I’m not a big fan of these campaigns that point and shoot out can things to folks or they make them watch videos. I think having some sort of a, whether it’s pre-recorded or whether it’s some sort of interactive way to really drive home some of the points in addition to some of those automated phishing simulations, I think that’s probably the most effective.
Sharon Nelson: Yeah, I would agree with that and a shorter tip you’ll be happy to hear is about taking your hands off the keyboard because we’re all moving too fast and I think most of us acknowledge that we move too fast when we’re working. We think we’re multitasking and we’re more efficient because we’re doing that, but the experts tell us that just isn’t true. What we are doing is shooting short bursts of attention here and then there, which makes us much more likely to actually make an error. When we ask audiences who has ever sent an email to the wrong person or sent the wrong attachment or forgotten the attachment entirely, almost every hand in the room goes up.
The solution is happily simple in this particular case, get employees in the habit of taking their hands off the keyboard and reviewing who the email is going to. Auto complete as we often say is not your friend. My first two initials SN are the first two initials of my email address. I get tons of misdirected email because it’s a fairly common thing to have a name like Sharon Nelson, so SN would be very common. If there is an attachment, make sure that the attachment to the email is the correct attachment and that you’ve got one at all because obviously we often blank out on that.
And finally, proof the (00:14:07) email so you don’t sound like a fifth grader or make a stupid but significant error like calling somebody by the wrong name or using the wrong date or the wrong time because you’re trying to arrange something. Those are really fast tips that they really do grasp and a lot of folks have told me that they have adopted that take your hands off the keyboard rule and they are thankful for it. John, maybe you can turn us to the nemesis of business email compromise.
John Simek: Business email compromises is really the second step, if you will, of where you need to focus your energies. Ransomware being number one. BEC being number two, but BEC, believe it or not has more financial impact than ransomware does. For those folks that don’t know, business email compromise, BEC is what the FBI has coined that phrase is really financially driven is where you’re trying to get your victim to wire money or to send information that has to do with something financial, like W-2 information or getting the victim or the employee to purchase gift cards and send those and now everything is electronic now, right?
So you get Amazon, electronic Amazon gift cards or another financial thing that they’re after is to change the employee’s direct deposit information or vendor invoices, right? Any sort of wiring instructions, those are all targets for business email compromise. And just to give you a flavor for why this is so important and why you should be so focused on it is there was a 75% rise in the first 3 months of 2020. So we’re going back to the pandemic days, that’s a big increase. But then from April to May of last year, it increased 200% each week. I mean, that’s phenomenal.
To make matters even worse is if your email account is compromised where someone actually has access, let’s say, to your content, so now they’ve got your contact information and they’ve got all your historical information. They know what vendors you’ve been working with. They know, let’s say, what your clients are and what cases you’ve worked on the past.
I mean, we had one of our clients that actually sent me a suspicious email and said, “This doesn’t look right.” It’s somebody that they worked with in the past. It was about three or four years ago and it had to do with a similar matter in a case. So if they have access to that person’s email box, they know what kind of cases and matters you’ve been working on. So they get a little more success when they do that.
The Internet Crime Complaint Center, IC3, which is a division of the FBI, they published the 2020 Internet Crime Report where they identified the amount of fraud and all that stuff that occurs and the Internet Crime Report identified financial fraud exceeding 4$.2 billion for the year and of that $4.2 billion, $1.8 billion was BEC. So I’d have to do the math. I think it’s 40 some percent, little less than 45% of the total fraud is attributable to BEC.
What that means and what we teach as we go through the training is you need to be very, very cognizant of that. Again, just like ransomware, it starts with a phishing email. There might be a conversation going on and then in order to entice you to give up some information on where you’re going to transfer funds. So you want to take us to the next subject, Sharon?
Sharon Nelson: Yeah. Let’s talk about social engineering because there’s all kinds of social engineering by bad guys looking to get into your law firm network, so it’s really important that employees be taught about some examples. For instance, there is phishing by phone, which is sometimes known as vishing with a V because it is voice phishing. And then the bad actors are generally trying to get information, they’re going to ask who pays the bills or wire its funds on behalf of a law firm, you’d be surprised how many people answer those questions. They may ask who the managing partner is or the CEO or CFO, more people who have authorization privileges for payments or wiring funds. Those are the people they want to pretend to be through compromising or spoofing their email or even by use of deep fake audio. And yes, we have seen that in the wild but we don’t have time to tell you the whole story, but we have seen successful deep fake audio used to persuade somebody that they were somebody in a large corporation that was authorized to wire funds.
They might even call to ask who your IT managed service provider is because then they can call pretending to be that provider. They will perhaps research some names there, perhaps through LinkedIn, which is a big help to the bad guys, however, inadvertently. Your employees are much more likely to give their law firm credentials to someone pretending to be from your IT provider using some lame excuse about maybe being in the middle of fending off an attack and needing your ID and passwords right away. So trust me, giving your employees real-life examples and teaching them to be suspicious is a good thing for the security of your data.
John Simek: Before we move on to our next segment. Let’s take a quick commercial break.
What could be more important than knowing the facts of your case inside and out? CaseFleet’s powerful software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full-text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/digitaldetectives and get 10% off your first subscription.
Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up to date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.PInow.com.
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Top 10 Tips: Effective Cybersecurity Awareness Training for Law Firm Employees. So, what’s up next John?
John Simek: Well, I wanted to just talk a little bit about the whole work from home environment and how it’s impacted cybersecurity and kind of what we can do. We, collectively, owners, as well as employees to practice safe computing and securely communicate more with the office. But to start off with though, the whole work from home world and I think it’s going to continue on, it’s pretty much indicated for the whole hybrid world, it’s weaker security. I mean, let’s face it. People are using consumer grade equipment, they’re not up to date with patches on their home machines. They’re using consumer-grade routers and surveys have already shown that only 35% of users had even changed the default router password on their home networks, their home Wi-Fis and the cyber criminals know this too, so they know that everyone’s working from home, they know that people are using an RDP. They’re using remote desktop protocol, they use VPNs and so, they’re attacking those.
They know that only 35% have changed default router passwords, so they’re attacking our typical vendors for home routers. So what can you do about that? Well, you want to make sure that you’re communicating in a secure fashion back to your law firm. Anything that uses an encrypted connection, virtual private network is a good choice. Certainly make sure it’s patched, make sure it’s configured correctly. Just because you use a VPN doesn’t mean you’re totally secure. So again, make sure it’s patched and configured and anything that uses any type of encrypted connection out there. Don’t allow any of your family members to use any equipment that you’re processing client data on. Even if you have a law firm-issued laptop, that’s certainly the best approach. It’s controlled hopefully by essentially managed by the firm but if you do have to use your home networks, your home computers, don’t let the family members use that as well, and then, finally, I would say that get as many services as you can and move to the cloud. That way you don’t even have to connect up to your law firm’s network, right? And we’ve seen more and more of that, haven’t we, Sharon?
Sharon Nelson: A lot and it’s been very effective. So, let’s move to sharing and reusing credentials because sharing your law firm ID and password is just plain stupid, but more than 50% of people do it. Often, partners might share their credentials with paralegals or secretaries who monitor emails. There seemed to be a million reasons why people share their credentials but none of them make any darn sense. Sharing credentials creates an enormous security threat (00:23:16) from experts helps to resolve the problem.
Reusing passwords is as incredibly common as it is incredibly stupid. Once a bad guy has your password from one place and the databases of known compromised passwords makes that absurdly easy, now they’ll try that password in as many places as possible and we are always careful to stress that the law firm ID and password should be regarded as particularly sacred and never ever reused anywhere. When we do training in person and we talk on these subjects, we see nervous glances exchanged. So hopefully those folks have resolved to go back to their office and fix this gaping security hole.
Recently, we’ve been having some headway in John’s next tip about getting folks to accept MFA. So take that away, John.
John Simek: MFA or multi-factor authentication, hello? You’ve probably heard the term two-factor authentication or 2FA. MFA is more global, it’s more encompassing. More and more vendors now are forcing you to turn on MFA but our message is always, always, always configure MFA, use MFA every place that it’s available whether it’s for your banking account, your doctor’s office, your lab results, any sort of scheduling whether it’s your Yelp account, Facebook, social media, any of those and certainly any law firm access should have MFA. Studies have shown that having multi-factor authentication enabled will stop 99.9% of credential-based account takeovers. Microsoft’s own studies have proven that. Microsoft believes that MFA is so important that it’s now included free with all of their subscriptions. You don’t have to pay for it, but it’s not turned on and configured.
So you probably need to get some help from your IT support folks or whatever to turn that on. Now, having said that, if you do have a choice for MFA implementations and there are several ways, most of them, the common is SMS text messages. That’s better, that’s the weakest of the MFA, but it’s better than not having MFA at all.
Next up the security ladder is using authentication app. That’s an app that changes and has that code every 30 seconds that you have to punch in. That’s better than a text message. Even better than that is receiving push notifications in that application. So, in other words, when you go to log on, you’ll get a notification to your authentication app and you just hit the button.
Then there’s tokens. It’s the fourth one. And that’s like a YubiKey, but also for passwords, make sure you’re using a password manager so we’re not reusing passwords like Sharon talked about and certainly finally, don’t ever, ever let a browser remember those passwords even though you’re going to get prompted multiple times.
Sharon Nelson: Absolutely splendid advice. My next tip is a jumble. I’m going to talk about drive by infections, baiting, piggybacking, and tailgating. That all sounds quite mysterious too many people. There is so much more.
Drive-by infections are where you visit a website that automatically downloads malware invisibly while you are on the site. The lesson there for employees is not to go places you don’t know, named brands are much more reliable. They don’t have that stuff on their sites. We talked about baiting where flash drives are left on airplanes, public park benches or conferences. You pick up a flash drive, curious about what’s on it or maybe wanting to return it to its owner and bada bing you inadvertently download a malicious payload when you stick the drive in your laptop.
We talked too about physical security. Piggybacking is when someone strikes up a conversation with you as you enter the building or office with a ProxCard key, keypad or whatever form of entry and they seem to have authority to be with you so they get in. Even if you’re being watched by a security in some form of managed security, related is tailgating where someone just as a for instance, pretends to be talking on their phone until you have had opened the door successfully as previously described in any manner that you need to use and then they pretend to hang up their call and they grab the open door. Not liking confrontation, we tend to love them in with us. I could go on and on but of course, we’re almost out of time. So what’s our last topic, John?
John Simek: I’ll talk about some every day attacks and certainly some successful phishing because phishing is the number one way and I’m not going to run through them all but some recent surveys have indicated that some of the more recently used themes are, and it builds upon the whole pandemic, the coronavirus situation that were in. So you’ll get these themes that have to deal with Microsoft Teams request, and that’s not unusual because people are doing Teams and Office 365 password expiration. We have a lot of cloud-based users that are out there.
The one that really gets people’s blood going I guess is something about there’s an alert about the large number of files that were deleted from OneDrive. That would just scare the bejesus out of most folks, but I think one of the more effective themes is anything that has to do with deliveries, right? If we’re working from home and a lot of folks are still working from home, whether it’s a UPS, FedEx or an Amazon delivery, notice, you’re going to be more likely than not to click on something like that. Right?
Sharon Nelson: For sure.
John Simek: But one of the surveys that I saw indicated in Q4 of 2020, the five most successful subject lines were password check required immediately, touch base on meeting next week, vacation policy update, COVID-19 remote work policy update, that probably gets a lot of hits I’m sure, and then as people are I’m sure working from home in a hybrid situation that important dress code changes, right? That’s another subject line that’s been very effective and I think that’s pretty much all I have, Sharon.
We have a boatload that we could cover probably for another two-three hours, but we’re not going to do that to these people.
Sharon Nelson: No, we’re not. Let’s call it quits while we’re ahead.
John Simek: Well, that does it for this edition of Digital Detectives and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcast and if you enjoyed our podcast, please rate us on Apple Podcast.
Sharon Nelson: You can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Podcast transcription by Tech-Synergy.com