A small, North Carolina company that works with law firms was recently hit twice by Cryptolocker ransomware that interfered with its website for six days until it paid the ransom.
With the buzz since ransomware WannaCry hit several countries and big companies like FedEx, we asked our cyber-security contributing editor Craig Petronella of Petronella Technology Group if small law firms are at risk or if this another Y2K boogey man.
Petronella: It’s very likely small law firms will get hit if they are just buying off-the-shelf, anti-virus firewall protection. These hackers and ransomware writers write software to scan networks for low hanging fruit to extort money from. Among the law firms targeted are the ones that have client’s medical records, personal injury firms with data about their clients, firms that handle valuable intellectual property and firms that transfer large sums of money like real estate attorneys.
AALM: How does a firm’s system get infected by a ransomware?
Petronella: The way they get into small law firms is most often by email or an infected or malicious link that somebody clicks on. Anyone on the network that clicks on one of those infected links may introduce that malware onto the network without any alarms going off. It sets off a timer and sometime in the future, some random day and time, they may get a lock screen saying everything is encrypted, pay us money to get it back.
Most small law firms don’t have strong enough data back-up or disaster recovery or business continuity, so they have no choice but to pay.
AALM: If a law firm is backing up all its data, is that back-up vulnerable to a ransomware attack?
Petronella: Yes, a lot of small firms use USB storage that is left connected to their computers or Dropbox to back up data. These are not secure systems and the ransomware can attack them.
AALM: If a law firm is outsourcing its IT, how can it be certain that their provider has installed the necessary safeguards?
Petronella: People have a false sense of security because they have an IT guy or they outsource to an IT provider who says that this stuff is covered. The reality is they never know until they do a security risk assessment to know where their gaps and vulnerabilities are so they can focus on them what technologies they need to add to their infrastructure and patch holes. I suggest the firm do a self-assessment analysis that looks at every element of the business process, security controls all the way up to the information systems. We have a website where firms can do the assessments themselves for free: www.hasmyfirmbeenhacked.com
AALM: Didn’t Windows distribute a patch to prevent another ransomware attack?
Petronella: They did, however, I don’t recommend a layman try to do it, especially where there is a network involved or multiple programs. A patch can break a system. The operating system has to be patched and so does every single program on the computer.
AALM: What kind of expenses are small firms looking at the plug their security gaps?
Petronella: The costs range from $299 a month to $2,500 a month. It depends on how much enhanced security and patching the law firm’s network needs and how much of the ongoing support we provide. There are inexpensive measures firms can take such as keystroke encryption and some other patented computer security technology.
AALM: Why have small and solo law firms been slow to install cybersecurity software?
Petronella: I spoke with Camille Stell of Lawyers Mutual who offer now cybersecurity insurance. She told me solos and small firms don’t get sufficient cybersecurity because they think an attack won’t happen to them, they haven’t gotten around it or they say it’s not a good use of money.
AALM: Are viruses like WannaCry oneoffs or is this is trend?
Petronella: In an interview I did recently with local NBC affiliate WNCN and in recent webinars, I’ve said just because you didn’t get hit by WannaCry or Wanna- Cry 2.0 doesn’t mean you are safe from a future attack. The statistics are through the roof that show that ransomware weapons getting much more sophisticated. The threat is real.