What Law Firms Need to Know About the Ransomware Cyberattacks


On Friday, hundreds of thousands of computers across the globe were taken hostage by a type of attack known as “ransomware.”  In this latest attack, cybercriminals threatened to destroy all data on infected machines unless an online payment was made.

Here’s the most critical takeaway for you to know: These attacks were entirely preventable.

Microsoft issued a patch for the exploited vulnerability nearly two months before this episode occurred. Had everyone played by the rules, the “WannaCrypt attack,” as it is known, would have been a non-issue.

Imagine if a category 5 hurricane made landfall in an area where none of the homeowners had insurance or took any precautions. This situation is unthinkable, but it is analogous to what happened with this cyberattack. Sloppy update policies, out-of-date systems (Windows XP), and pirated Windows software created an environment for a global cybersecurity nightmare.

As Microsoft put it, “This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.”

If you’re not taking the following steps, you are putting yourself in harm’s way. Follow these tactics to best protect yourself from similar attacks:

1) Make sure your computers are on the latest versions of Windows or macOS with the most recent security updates applied. As soon as a security update is released, install it IMMEDIATELY.

If you’re using legacy software that necessitates the use of older operating systems or computers, you’re putting your entire firm at risk.  Law firms running Time Matters, Amicus Attorney, PC Law, older versions of QuickBooks, or other legacy systems may be especially vulnerable. Fast-track your decision-making to either upgrade to newer versions of that software or to switch to a different vendor.

The same advice goes for smartphones, your Nest thermostat, Vizio smart TV, or anything else you have attached to a computer network. Keep everything up to date with the latest versions. Do not invest in a smart home unless you’re willing to do what it takes to protect your network.

2) Back up all your data to a machine not connected to your network. Ideally, use a trusted offsite cloud provider. Google Drive, Rocket Matter, Dropbox, and Box are all great options for law firms for document storage.

3) Never log into sensitive websites from a link in an email. I don’t care how legitimate the email or linked webpage looks. Just do not click on the link. Doing so can activate malware or seduce you into forking your username and password over to bad actors. The only exception is if you get the go-ahead from someone you trust that they’ve sent you an email and it’s safe to click on the link.

4) Use good passwords and change them every 90 days. We all need to do better here, and I recognize that changing passwords frequently is a pain. But it’s critical. Use password managers like 1Password or LastPass to help you here.

5) Turn on two-factor authentication for your web apps. Two-factor authentication sends a code to a trusted device or account on record (this could be a smartphone, or an app like Duo or Google Authenticator), making it nearly impossible for a malicious actor to gain access to your account with a stolen password alone.

6) Consider getting involved in policy discussions about cybersecurity after you get your ducks in a row security-wise. If you are so inclined, you might want to consider taking your persuasion skills into the public arena to advocate against government stockpiling of vulnerabilities.

The exploit behind this attack was stockpiled by, and stolen from, the National Security Agency, or NSA, in the United States. According to Microsoft, “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”

Bottom line: We all have a role to play in our interconnected world. Cybersecurity is the responsibility of everyone—technology companies, governments, and increasingly so, consumers.