The rapid development of the Dark Web and the adoption of new operational modes in the legal services industry, such as working at home, pose substantial new threats to many law firms that might have previously assumed, correctly or not, that they were "immune" from hacking and ransomware.
There are several basic steps that any law firm, of any size and anywhere, can take to reduce the risks.
I attended a great one-hour webinar today produced by IconicIT, an IT security firm that specializes in small and mid-sized businesses, including law firms. We recommend IconicIT because of their experience and insights into the special issues facing small and mid-sized law firms.
The information they delivered was so timely and so important that I went immediately to our blog to write this posting.
Here are some of the main points:
- Information theft from IT systems has become a commodity business. No matter how small your firm is, or where you are located, you should assume that you are a target. Lists of supposedly secure identifying information such as user names, e-mail addresses, passwords, and credit card numbers can be purchased on the Dark Web for only a few dollars -- one example was less than $20.00.
- Assume that your information has already been compromised. A domain monitoring service therefore is well worth the price, even for a small law firm or solo practice.
- Phishing is getting much more sophisticated, and any e-mail that asks for personal or financial information should be treated with suspicion. One of the easiest ways to check such an e-mail, although still not 100% effective, is to hover the cursor over a displayed link to reveal the true address it points to.
There were seven very interesting points about how to avoid being compromised by e-mail. We recommend that every law firm include these in the standard operating procedures for everyone in the firm, whether they work at home, at the office, or somewhere else:
- Watch for overly generic content and greetings, like "Dear valued customer" or "Dear Sir/Madam"
- Look for urgency or demanding actions, such as "We have your browser history. Pay now or we tell your boss."
- Carefully check all links. Move the cursor over the link and see if the destination matches where the e-mail suggests that you will be directed.
- Notice misspellings, incorrect grammar, and odd phrasing. This might be an attempt to bypass spam filters.
- Check for secure websites. Any webpage where you enter personal information should have a URL that starts with https://. The "s" stands for secure.
- Don't click on attachments right away. Make sure that your e-mail software or security software has scanned them first.
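The checks in this list can also be automated as a first-pass screen before a person reads the message. The following is an added example, not material from the webinar or from IconicIT: it scans an HTML e-mail body for a generic greeting, urgency wording, links that do not use https://, and links whose displayed text names a different host than the real destination. The e-mail text and host names it is run on are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases taken from the checklist above; a real screen would use a longer list.
GENERIC_GREETINGS = ("dear valued customer", "dear sir/madam")
URGENCY_PHRASES = ("pay now", "or we tell your boss")


class _LinkCollector(HTMLParser):
    """Collects (href, displayed text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host part of a URL or bare domain string."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(html_body):
    """Return the names of the checklist indicators found in an e-mail body."""
    found = []
    lower = html_body.lower()
    if any(g in lower for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(p in lower for p in URGENCY_PHRASES):
        found.append("urgency")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if not href.lower().startswith("https://"):
            found.append("non_https_link")
        # Only compare hosts when the displayed text itself looks like a domain.
        if re.search(r"\w+\.\w+", text) and _host(text) != _host(href):
            found.append("link_mismatch")
    return found


# Constructed sample message (hosts use the reserved .example domain).
SAMPLE_EMAIL = (
    "<p>Dear valued customer,</p>"
    "<p>We have your browser history. Pay now or we tell your boss.</p>"
    '<p><a href="http://login-verify.example/acct">www.yourbank.example</a></p>'
)
```

Running `phishing_indicators(SAMPLE_EMAIL)` flags all four indicators; a message with a personal greeting and an https:// link whose text matches its host returns an empty list.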