It’s not often that you save a life.
About a year ago, I was in Los Angeles with one of my Digital Silence partners. We were in the CEO’s office of a mid-sized manufacturing company. We were there because the company had just suffered a ransomware attack. Computerized production lines were down, customer order and invoicing records were inaccessible; the business was sitting dead in the water.
We were in that office with the CEO and the company’s IT director. We had just arrived, having been called in to assist with both short-term remediation and longer-term security enhancements. The CEO explained to us that the company’s data and systems were fully backed up, which should make the remediation manageable. When we asked how long it would take to be operational from backup, the CEO looked across his desk to the IT director. The IT director said “about five days.”
The CEO paused for a second, and then launched himself across the desk at the IT director, hands aimed directly for the IT director’s throat. For a big man, the CEO was remarkably agile. Olympic-level agile. My partner, a veteran with 11 years in the airborne infantry, was quicker than me. He took a step and managed to pluck the CEO from mid-air, safely depositing him on his back on the desk. By the time we turned around, the IT director was gone; we never saw him again.
Most people’s response to cyberattacks isn’t quite that physical. But the rage and panic that come from being victimized by cybercriminals are universal and all too common. And this victimization grows more frequent by the day.
Why? Because cybercrime pays. It is a multibillion-dollar industry with an annual growth rate well in excess of 50 percent. And cybercrime is the wolf that sees thousands of innocent, unsuspecting sheep stretching as far as the eye can see.
My goal today: Remove you from the flock.
I get it; security is hard, security is a distraction. I was a partner and trial lawyer in a law firm for almost 30 years, so I know that none of you need one more thing to worry about. But there are two very good reasons for you to pay attention.
First, the vast majority of modern attacks function like COVID-19. They aren’t targeted in advance; COVID didn’t wake up yesterday morning with a list of who it was going to infect. Business email compromise — we call that BEC — and ransomware, the two most prevalent attacks, are almost entirely opportunistic; the attackers are fishing with dynamite. You are never too small, too obscure, or too unimportant to be in the wrong place at the wrong time.
Second, your clients care. Vendors — and we are vendors despite all of our fantasies otherwise — are feeling increasing pressure from clients to rep, warrant, and demonstrate proper information security. This pressure comes both from clients who are themselves looking to improve security, and from a fast-increasing body of laws and regulations mandating vendor due diligence as part of a compliant security posture. Recent supply chain attacks such as SolarWinds and Kaseya are only causing the snowball to roll faster down the hill.
What can you do? I’m going to give you one Big Idea, and Three Significant Steps. Adopt the big idea, follow the three steps, and you are already significantly safer.
The Big Idea
Adopt information security as a core part of your culture. This is actually easier for lawyers to understand than for most others. You already do it in a way, you’ve been doing it since the second day of law school — attorney-client privilege. You may not think about it, but attorney-client privilege is almost an unthinking reflex. That’s good. That’s useful.
So take information security seriously, and wrap it into your definition of privilege. Do this for EVERYONE, from the front desk staff to the most senior partner. And I mean EVERYONE: partial participation in information security is like building a house with only two walls; it’s an interesting look, but it doesn’t really get the job done.
The Three Steps
These aren’t the end of your security journey (perhaps the end of the beginning), but embracing these three relatively simple steps will dramatically enhance your security.
First: Long, unique passphrases. Long — I didn’t say “passwords,” I said “passphrases.” Instead of “Mizzou,” how about “MizzouTigersReallyRock.” Length alone significantly increases security: every character you add multiplies the number of guesses an attacker has to make. Unrelated words are stronger still than a phrase someone could assemble from your firm bio.
And unique: no one in your firm should use their firm passphrase ANYWHERE else. Never. Attackers take passwords stolen from one site and try them everywhere else, so a reused passphrase is only as safe as the weakest place it is used. Actually, you should have a unique passphrase for every account that matters: your bank, your retirement account, your frequent flyer club. Everything you want to protect should have a unique passphrase, and a password manager is the practical way to keep track of them.
Second: Enable multi-factor authentication (MFA) or two-factor authentication (2FA) wherever and whenever you can. 2FA is simply MFA with two factors, so I’ll just call it MFA for the sake of brevity. MFA is whatever system on offer requires you to have something besides your passphrase in order to gain access. A common example is a site that texts a code to your phone; an authenticator app that generates the code on the phone itself is better still, because a texted code can be intercepted by someone who takes over your phone number. Office 365 works with the free Microsoft Authenticator app. Yes, it takes a few extra seconds, but the security value is enormous: a passphrase that is guessed, phished, or stolen from another site no longer gets the attacker in by itself.
Third: Become Email Paranoid. If I’m not expecting an email with an attachment from you, I’m not opening the attachment without calling you first. Doubly true if I don’t know you. I never, ever click on a link in an email or text message. EVER. The text of a link can say anything; where it actually goes is a separate matter. If my “bank” sends me a link, I’ll open a browser window and log into my bank from there. When PayPal texts me a link to verify a recent payment to somebody I’ve never even heard of, I don’t click that link. I separately log into PayPal to check it out.
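An added example of why the visible text of a link cannot be trusted (illustration code, not from the original talk): it pulls every link out of an HTML email body and flags the patterns that make a link deceptive, namely a displayed address that differs from the real destination, a trusted name buried inside someone else’s domain, and punycode hostnames that can render as lookalike characters. The sample email and every domain name in it are constructed; the `registrable()` helper is a deliberate simplification (real code should use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that itself looks like an address, e.g. "www.paypal.com"
_URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare 'www.example.com'-style text."""
    target = text if "://" in text else "http://" + text
    return (urlsplit(target).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of a host. Simplification for this example: real code
    should consult the Public Suffix List so 'example.co.uk' is handled."""
    return ".".join(host.split(".")[-2:])


def inspect_links(html: str, trusted_domains):
    """Return one record per link listing the reasons it looks deceptive.
    An empty reasons list means nothing obviously wrong was found."""
    parser = _AnchorCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode label in host (possible lookalike characters)")
        if _URLISH.fullmatch(text) and registrable(host_of(text)) != registrable(host):
            reasons.append(f"text shows {host_of(text)} but href goes to {host}")
        for brand in trusted_domains:
            # "paypal.com" as a subdomain of attacker-controlled.example
            if brand in host and registrable(host) != brand:
                reasons.append(f"{brand} appears inside {host} but is not the registrable domain")
        report.append({"href": href, "text": text, "reasons": reasons})
    return report


# Constructed sample: an HTML email body assembled for this example.
SAMPLE_EMAIL = """
<p>We noticed a payment you did not authorize.</p>
<a href="https://paypal.com.account-verify.example/login">www.paypal.com</a>
<a href="https://xn--pypal-4ve.com/secure">Verify now</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for entry in inspect_links(SAMPLE_EMAIL, ["paypal.com"]):
        status = "OK " if not entry["reasons"] else "BAD"
        print(status, entry["href"], "->", entry["reasons"])
```

The first two links are the ones that get people: the text reads like the real site, and the real site’s name even appears in the address, but the part that decides where the browser goes is the registrable domain at the end. Typing the bank’s address into a fresh browser window sidesteps all three tricks at once.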
These steps can become fairly automatic. They can become part of our legal DNA. Again, think attorney-client privilege, which is part of every legal professional’s DNA. But only if you take them seriously, implement them with EVERYONE, and train, train, train.
We don’t like tackling clients, and I’m not sure that’s within our E&O coverage. So please, please, save us that trauma. Get going today.
Dan Nelson is the co-founder and chief operating officer of Digital Silence, which provides information security research and consulting services to law firms and other businesses nationwide. Before launching Digital Silence, Dan was a trial attorney at Armstrong Teasdale, where he also co-founded the firm’s privacy and data security practice. He can be reached at firstname.lastname@example.org.