As the novel coronavirus pandemic has continued to unfold across the U.S., law firm chief information officers are being confronted by a new reality where remote working is par for the course—and cyberthreats are knocking directly at their attorneys’ front door. Last week, BBC News reported that hackers are taking advantage of the health scare to attach malware to faux reference materials and other deceptively legitimate resources that people may be seeking out.
For law firm CIOs, the immediate threat isn’t to the network infrastructure or cybersecurity mechanisms they have in place, but to the partners, attorneys and other human resources who, for the time being, are no longer working under the same roof. Some have already witnessed attempts by hackers to capitalize on the pandemic firsthand.
“Now is a time where people need to be even more vigilant. We’ve seen phishes noting ‘COVID-19 Update, Open Immediately’ or ‘click here to see updates about coronavirus’; that type of thing,” said Jim McKenna, CIO at Fenwick & West.
His isn’t the only firm to notice an uptick in phishing activity. Neeraj Rajpal, CIO at Stroock & Stroock & Lavan, said that some of the suspicious activity he’s noticed isn’t even centered around health-related news. Rather, hackers are aware that a wide number of firm employees are working from home, without peers or CIOs around to remind them that a seemingly friendly email could be a trap designed to lure them into forfeiting money or personal information.
In prepping for the impact that COVID-19 would have on business operations, Rajpal noted that the firm’s cybersecurity infrastructure was already in strong position. Instead, their efforts have been directed toward fortifying the human element of the equation, whether it’s through reminder emails or encouraging people to revisit previously issued training materials.
“We literally sent an email out this morning just reminding people that in this climate you should be extra careful, so we’re just doing an extra bit so to speak,” Rajpal said.
Part of the challenge is that not all emails bearing “coronavirus” or “COVID-19″ in the subject line are a threat. Richard Rosensweig, a director in the litigation group at Goulston & Storrs, indicated that he’d been averaging between 30 to 40 emails a day with updates about the coronavirus, many sent from courts, vendors and clients.
As a precaution against hackers attempting to take advantage of the confusion, the firm has instituted a wire-fraud prevention policy that requires employees to rely solely on prevetted telephone numbers to confirm instructions rather than emails or text messages. ”It’s very easy to open up an email and just respond to it when you are not in the office and you are not surrounded by the people that you are normally working with,” Rosensweig said.
But in the absence of peers and co-workers, firms may have to be more creative about how they remind employees to think carefully about the email in their inboxes. Over at Day Pitney, for example, CIO Kermit Wallace said the only “technical” security change the firm has made in response to the coronavirus is to update the color of the external email notification banner found at the bottom of communications originating from someone outside the practice. The brighter hue is intended to serve as a reminder of the potential danger lurking just around the corner of every unfamiliar email.
Still, it’s not just email scams that firms have to be worried about. For instance, some attorneys may be visiting unofficial Facebook groups to find out more information about school closings or activity cancellations, and Wallace pointed out that it’s easy for a bad actor to slip an infected link into those forums. ”We’ve also reminded people that if they have signed up for notifications to just make sure it’s coming from where you think it’s coming from,” Wallace said.
It seems likely that attorneys at every firm should expect the reminders will keep rolling in as the coronavirus pandemic continues to unfold, especially if law offices must continue operating remotely. “COVID-19 presents sort of an ideal atmosphere for [bad actors] to pray on law firms because our work patterns are disrupted,” said Rosensweig.