Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


of economic espionage, attackers will use every available means to obtain information, including targeted manipulation of employees. While law firm IT departments adopt technical security protections (security controls), attorneys and staff remain vulnerable targets. In fact, without appropriate training, virtually every person working at a firm represents a potential conduit for data theft.

Old Problem, New Targeted Attacks

Social engineering, manipulating people into disclosing information or performing tasks, is not a new type of threat. One of the most famous hackers, Kevin Mitnick, used social engineering extensively in the 1980s and '90s to infiltrate a number of high-security organizations before his arrest in 1995. Yet, despite the extensive news coverage of his arrest and conviction, few corporations or law firms implemented formal security training programs. As a result, many people who use technology today remain ill-equipped to recognize and resist these attacks. The attacks themselves, on the other hand, have evolved to exploit new technologies, as well as the wealth of online information available about potential targets.

In 2011, the well-known security company RSA fell victim to a targeted spear-phishing attack in which an employee opened a malicious Excel spreadsheet that quietly introduced malware into the environment. The attackers had crafted the email message to look as if it came from a colleague at RSA and aimed it specifically at two small groups within the company. By including detailed contextual information (e.g., familiar names or current topics of conversation within the company), attackers gain an air of credibility that untrained targets would never think to question.

Attorneys make especially good targets for spear-phishing attacks because of the wealth of information readily available about them. Nearly every state bar publishes a list of active members, making it a trivial matter to gather biographical information about any practicing lawyer. In addition to data accessible through the Web and social networking sites, details about the type of work an attorney performs are often a matter of public record. Using these sources, an attacker can easily craft a credible pretext to induce the recipient to click a link or open an attachment in an email message. Under the pressure of time-based billing, attorneys may also overlook an unrecognized sender if the body of the message seems legitimate. There is no easy solution to this problem, but a combination of sound technical controls and appropriate education will alert attorneys to potential dangers and reduce the chances of a successful attack.

Empowering or Endangering?

Social engineering is only one of several threats that should concern law firms. The so-called "consumerization" of IT describes a growing trend in which new technology emerges first in the consumer market and then spreads into the enterprise. Attorneys who adopt emerging technologies at home may use them to increase productivity and serve clients in innovative ways. However, bringing technology that is not centrally managed into a law firm introduces security risks for both the firm and its clients' data. Without IT involvement, lawyers may not know how to access firm resources securely and may fail to apply important protections, such as encryption or patch management. Educating lawyers about these dangers helps the firm manage this risk and raises awareness of the need for IT involvement in technology adoption.

Such training is clearly needed. A 2011 IDC/Unisys survey uncovered a substantial disconnect between IT departments and the people they support with regard to the use of personally owned smartphones for work. Employees in 69 percent of the companies surveyed reported using smartphones for work, but only 34 percent of the IT departments surveyed were aware of that use. This implies that roughly half of those using mobile technology in the workplace do so without IT support. The same survey concluded that while employees "are intimately familiar and facile with technology, they have little understanding of the security risks, management issues, and policy and governance implications" of operating unsupported technology in the workplace. It is unreasonable to expect lawyers to reach out to IT unless they have received training on the potential risk to the firm. In the absence of such coordination, unmanaged mobile devices increase the likelihood of an unauthorized disclosure through a lost or infected device.

Don't Forget About Staff

Staff often have access to much of the confidential information clients share with their lawyers. Therefore, they too must be trained to understand and defend against information security threats. Because of how closely some staff work with the attorneys they support, these non-IT personnel may in fact be in the best position to alert attorneys to security threats or provide ongoing training. In terms of both logistics and cost, firms may also be able to provide more thorough training for staff than is feasible for all lawyers.

Topics to Cover

Selecting topics can be the hardest part of designing a security training program, and this is certainly true within law firms. There are many points worth making and inevitably not enough time to cover them all. Since an effective security training program requires ongoing education, no single session should attempt to cover everything. Instead, focus first on the areas of greatest risk, and address lesser risks through ongoing programs.

Peer to Peer 55
