Do you believe either of these myths?
Myth 1: Our law firm is too small to hack. Hackers only go after big companies.
Myth 2: Firms only get hacked when they are specifically targeted.
Believing either of those myths can be costly or even deadly to your law firm.
Hackers landed in your backyard in early December of last year when Mecklenburg County’s system was compromised after an employee accidentally opened a phishing email – a message that appears to come from a trusted or known source but actually carries a malicious link, file or attachment. Mecklenburg County officials believe the criminal then gained unauthorized access to the county government’s system using the stolen log-in credentials. The county refused to pay the $23,000 ransom for an encryption key that would release the county’s files, but it took several weeks to get all the hacked systems back online.
What Can Your Law Firm Learn From This Hacking?
Myth #1: “Hackers only go after big companies.” Wrong. Mecklenburg County is not Target. It’s not Equifax. It’s definitely not Bank of America. It’s just a county government. Right here in our neighborhood. If you believe you’re too small to get hacked, think again.
Myth #2: “Only companies that are specifically targeted get hacked.”
The hacker that nailed Mecklenburg County was just throwing out bait to see who would bite.
County manager Dena Diorio told The News & Observer she doesn’t think the county was targeted specifically, but rather was part of a wide net cast by hackers.
“I don’t think we were targeted,” she said. “I don’t think we were at fault. There have been many, many institutions that have been breached. I think we do everything we can to keep our firewall secure.”
Apparently “everything we can” was not enough.
The truth is they could have done a lot more. They could have completely protected their systems from getting swept up in this net. And it would have cost them less than the $23,000 the hackers demanded.
Is Your IT Provider Providing Security?
People have a false sense of security because they have an IT guy, or they outsource to an IT provider who says that this stuff is covered. The reality is that they never know until they do a security risk assessment that shows where their gaps and vulnerabilities are, so they can focus on which technologies they need to add to their infrastructure and which holes to patch. I suggest law firms do a self-assessment that looks at every element of the firm, from business processes and security controls all the way up to the information systems.
Setting Up Your Cybersecurity
The questions being asked about the Mecklenburg County hacking are the same questions you should be asking about your firm’s system.
Here are some things to consider when setting up your cybersecurity or reviewing what you currently have in place.
- A solution to complement your existing security systems (including firewalls, antivirus, proxy server, antispam, cloud filtering).
- A solution that will block all untrusted executables.
- A solution that doesn’t require large amounts of processor, network bandwidth, or memory.
- A solution that provides insight into the existing executables on the network environment.
- A solution that ensures there are no unauthorized programs running or with the potential to run.
- A solution that provides a full audit trail of executable programs, the libraries called, and the security account that ran them.
- A solution that cannot be bypassed by staff, administrators, junior IT staff or consultants.
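The items above describe default-deny application control: only known-good executables and libraries run, and every launch attempt is recorded together with the account that made it. The following is an added illustration of that decision logic, not code from this article or from any vendor’s product. The program names, the sample “executable” byte strings and the user accounts are all constructed for the example; a real product would read the files from disk and hook the operating system’s process and library loading. The point it makes is that an allowlist keyed on the file’s hash, not its name, denies a tampered copy of a trusted program and a trusted program that pulls in an unknown library, and that the same rule applies whether the account is a staff member or an administrator.

```python
"""Added illustration of default-deny application control with an audit trail.

Hypothetical and simplified: the allowlist is keyed on SHA-256 of file content,
loaded libraries are checked the same way, and every decision (allow or deny)
produces an audit record naming the account that attempted the launch.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# Constructed sample "executables". In a real deployment these bytes would be
# read from disk; here they stand in for a trusted program, a trusted library,
# and a tampered copy of the trusted program that keeps the same file name.
TRUSTED_APP = b"MZ\x90\x00...timekeeper.exe v2.1 (constructed sample)"
TRUSTED_LIB = b"MZ\x90\x00...pdfrender.dll v1.4 (constructed sample)"
TAMPERED_APP = TRUSTED_APP + b" bytes appended by an attacker (constructed)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist stores content hashes, so a renamed or patched binary
# does not match even if its file name is identical.
ALLOWLIST: Dict[str, str] = {
    sha256(TRUSTED_APP): "timekeeper.exe",
    sha256(TRUSTED_LIB): "pdfrender.dll",
}


@dataclass
class AuditRecord:
    user: str
    program: str
    program_hash: str
    libraries: List[str]
    decision: str  # "allow" or "deny"
    reason: str


AUDIT_LOG: List[AuditRecord] = []


def evaluate_launch(user: str, program_name: str, program_bytes: bytes,
                    libraries: Dict[str, bytes]) -> AuditRecord:
    """Default-deny decision for one launch attempt.

    Every path appends an audit entry, denials included, so the trail covers
    programs that were blocked as well as programs that actually ran.
    """
    program_hash = sha256(program_bytes)
    lib_hashes = {name: sha256(data) for name, data in libraries.items()}
    if program_hash not in ALLOWLIST:
        decision, reason = "deny", f"{program_name} hash not on allowlist"
    else:
        unknown = [n for n, h in lib_hashes.items() if h not in ALLOWLIST]
        if unknown:
            decision, reason = "deny", f"untrusted libraries: {', '.join(unknown)}"
        else:
            decision, reason = "allow", "program and all libraries on allowlist"
    record = AuditRecord(user, program_name, program_hash,
                         sorted(lib_hashes), decision, reason)
    AUDIT_LOG.append(record)
    return record


def unauthorized_attempts() -> List[dict]:
    """Every denied launch, i.e. programs that tried to run but were not allowed."""
    return [asdict(r) for r in AUDIT_LOG if r.decision == "deny"]


if __name__ == "__main__":
    # Trusted program with its trusted library: allowed.
    print(evaluate_launch("jsmith", "timekeeper.exe", TRUSTED_APP,
                          {"pdfrender.dll": TRUSTED_LIB}).decision)
    # Same file name, modified content: denied, because the hash changed.
    print(evaluate_launch("jsmith", "timekeeper.exe", TAMPERED_APP,
                          {"pdfrender.dll": TRUSTED_LIB}).decision)
    # Trusted program loading an unknown library, launched by an administrator:
    # still denied; the account does not bypass the rule.
    print(evaluate_launch("admin", "timekeeper.exe", TRUSTED_APP,
                          {"pdfrender.dll": TRUSTED_LIB,
                           "update.dll": b"constructed unknown dll"}).decision)
    print(json.dumps(unauthorized_attempts(), indent=2))
```

The audit records carry the account, the program hash and the list of libraries, which is the information the checklist asks for when it calls for a full audit trail and for insight into what has the potential to run.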
Finally, the ideal cybersecurity plan for a small law firm should include a solution that stops all zero-day malware and ransomware from writing to the hard disk drive. If the malware cannot drop its payload, it cannot infect the endpoint.
Craig A. Petronella