Left to right: Peter Abreu CIO and Jonathan Cohen, partner and general counsel Shutts & Bowen (courtesy photo)
When the WannaCry ransomware worm hit Shutts & Bowen at 2:30 in the morning last week, the firm's security systems stopped it before it got in or could hold any information hostage. WannaCry did not need anyone to click on anything: it spread on its own across networks by exploiting a flaw in Windows file sharing that Microsoft had patched two months earlier, so unpatched machines were its main victims.
The technology Shutts used to protect itself is part of a comprehensive cybersecurity plan the firm put into place over a year ago to allay client fears about the confidentiality of their records.
WannaCry is only one of the many forms of cyberattack that Shutts said it and other firms fend off nearly every day. Shutts' technology staff said spear phishing attacks, in which hackers send a targeted email impersonating a trusted colleague or contact in hopes that a specific recipient will click a link or open an attachment, occur almost daily. But the technology now in place almost always quarantines such messages, which may carry malicious attachments or dangerous links. Shutts said it has put other measures into place as well.
“We really take seriously our obligation to our clients to protect the confidentiality of the information provided to us,” said Bowman Brown, chairman of Shutts & Bowen’s executive committee. “We’re at the leading edge of the effort.”
When hackers started moving their targets from corporations to law firms several years ago, they mostly went after potentially valuable information related to deals and transactions. But that kind of hacking requires a great degree of skill, so hackers have since cast their nets much wider to target a larger audience and boost profits, said Peter M. Abreu, Shutts' chief information officer, who oversees all firm technology.
“We’re seeing a steady increase in phishing campaigns and ransomware campaigns because the goal is to affect as many endpoints as possible,” Abreu said. “We’ve seen a steady increase in those certainly over the last few years.”
Cybersecurity is an issue law firms need to address because a significant security breach could spell disaster for a firm whose clients expect confidentiality, said Jonathan Cohen, a Shutts partner and its general counsel. And cybersecurity isn't only about protecting the information belonging to a firm's own clients, he said. Measures also need to protect the confidential information a client's opponent provides during discovery.
“Every lawyer has a duty to become familiarized with technology and take reasonable steps to protect the client,” Cohen said. “We do all these things to protect us, but they’re also defensive to us because we can say we took steps.”
Indeed, security measures should be in place to protect more than information. A documented, reasonable program can also help limit a firm's liability should a breach still occur.
Last year, Shutts hired a full-time cybersecurity expert and joined the Legal Services Information Sharing and Analysis Organization, or LS-ISAO, which shares information about cyber threats among member law firms. Abreu said the organization’s timely information sharing has been very useful.
The firm also hired a cybersecurity consulting company to carry out a mock attack on the firm to demonstrate its vulnerabilities. At various firm offices, the company dropped USB drives with enticing labels such as "associates salaries" and "payroll." But the drives carried a harmless program that, once plugged into a computer, reported back to the consultant that the machine had been compromised, exactly as a real payload would have done.
The company also conducted mock spear phishing attacks. Without employees knowing what was afoot, the consulting firm sent an email purporting to be from a managing partner to a specific person in payroll requesting a list of all the firm’s W2s. W2s can be a target for hackers because they carry employee social security numbers.
While no one fell for the "dropped" USB drives (employees turned them in), the W-2 email almost worked, and a few employees clicked the links in mock malware emails. The firm later used the findings of the mock attack in firmwide employee training sessions.
Shutts has conducted new-hire cybersecurity training for years, but now it says it provides annual firmwide training on cybersecurity issues. The training reminds employees to use a unique password for work and to check suspicious emails to ensure the sender's address matches exactly the address of the person supposedly sending it. The display name on an email can say anything, so the check is against the actual address, and even that can be forged when the receiving mail system does not enforce sender-authentication checks such as DMARC.
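The address check the training describes can be automated. The following is an added example, not code from Shutts & Bowen or from the article: it parses a raw email, compares the From address against a small directory of known colleagues, and flags the three tricks used in spear phishing like the mock W-2 request above: a familiar display name on a foreign address, a lookalike domain, and a Reply-To header that diverts replies elsewhere. The directory, the domain `example-law.com` and the three messages are constructed for illustration.

```python
"""Flag emails whose sender does not match the colleague they claim to be from.

Added example; the directory, domains and messages below are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed directory: display name -> the one address that person really uses.
DIRECTORY = {"Jane Doe": "jdoe@example-law.com"}
# Constructed internal domain(s); subdomains of these count as internal too.
INTERNAL_DOMAINS = {"example-law.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the internal domain that `domain` imitates, or None if it is genuine/unrelated."""
    domain = domain.lower()
    for trusted in INTERNAL_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # genuinely internal (exact match or subdomain)
    for trusted in INTERNAL_DOMAINS:
        base = trusted.split(".")[0]  # "example-law"
        # Typosquats such as exarnple-law.com, and domains that embed the
        # real name such as example-law.com.login-portal.net.
        if edit_distance(domain, trusted) <= 2 or base in domain:
            return trusted
    return None


def check_sender(raw_message: str) -> List[str]:
    """Return a list of findings; an empty list means the sender looks consistent."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Known display name, but the address behind it is not the one on file.
    known = DIRECTORY.get(name.strip())
    if known and known.lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {known}, but mail came from {addr}")

    # 2. Sender domain imitates the firm's own domain.
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} imitates internal domain {imitated!r}")

    # 3. Replies are silently routed to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"replies go to {reply_to}, not to the From address {addr}")
    return findings


# Constructed sample messages.
LEGITIMATE = """\
From: Jane Doe <jdoe@example-law.com>
To: payroll@example-law.com
Subject: W-2 question

Could you confirm the W-2 mailing date?
"""

GMAIL_SPOOF = """\
From: "Jane Doe" <jane.doe.managingpartner@gmail.com>
To: payroll@example-law.com
Subject: Urgent: all W2s

Please send me a PDF of every employee's W-2 today.
"""

LOOKALIKE = """\
From: Jane Doe <jdoe@exarnple-law.com>
Reply-To: accounts@mail-relay.example
To: payroll@example-law.com
Subject: Urgent: all W2s

Please send every W-2 to this address today.
"""

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGITIMATE), ("gmail spoof", GMAIL_SPOOF), ("lookalike", LOOKALIKE)]:
        print(label, "->", check_sender(raw) or "ok")
```

The legitimate message produces no findings, the Gmail spoof one (known name, wrong address), and the lookalike message three (wrong address, typosquatted domain, diverted replies). In practice this runs alongside, not instead of, SPF, DKIM and DMARC checks at the mail gateway, since the From header itself can be forged.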
Other cybersecurity actions the firm instituted:
• Multiple-step verification of wire transfer details, confirmed by voice at a phone number already on file rather than one taken from the request.
• An overnight clean desk policy so a passerby can't read documents or capture them with a phone camera.
• Computers that lock and require a password after a user has been away for a set amount of time.
• Occasional mock attacks to keep employees on the lookout.
• A 24/7 alert line where a suspicious email can be reported for investigation.
• A contracted company that monitors the "dark web," the part of the internet reachable only with special software such as Tor.
• System login names that differ from employees' public email addresses, so a known email address does not double as a username.
• Limiting each user's access to only the files they need, so a single compromised computer does not give an attacker easy access to the rest.
Copyright Daily Business Review. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.