Cyber-Attacks: Is It Really Not If You Will Be Attacked, But When?
By Jim Calloway
In last month’s column “Backing Up, Like Breaking Up, Is Sometimes Hard to Do,” I discussed the challenges of having good backup procedures.
Recently, there were news reports of a Providence, Rhode Island, law firm that was held hostage by ransomware blackmailers for 90 days. Just imagine 90 days without access to any file on the law firm’s network or any of the individual workstations. The blackmailers were demanding $25,000 in ransom paid in bitcoin to restore access. The news reports were about the law firm’s litigation against its insurer for not paying a claim for $700,000 in lost billing as the firm’s 10 lawyers were left unproductive and inefficient. I have no doubt the firm also sustained a significant amount of damage to relationships with many of its clients.
The law firm’s situation marks a change we have seen with the ransomware attacks. Previously the typical ransom demanded was in the hundreds rather than the thousands of dollars. Now when the cyber criminals recognize they may have a victim with deep pockets, the ransom demand will be much larger.
Ransomware is not the only potential threat that might come between you and your law firm data, although it is certainly the most rapidly growing one. Hard drives fail and internet outages, although rare, still do occur. People make mistakes and delete things they didn’t intend to delete. Recently we have had several reminders that weather issues can knock out power, which can render computers and networks inaccessible.
On Monday, May 1, employees of the Oklahoma Bar Association reported to work to learn that while we did have power, the previous power outages, caused by straight-line winds reportedly exceeding 80 mph, had temporarily knocked out our internet service, email, phone system and access to files on the network. There are many good reasons for outsourcing more systems, tools and IT resources to the cloud, but doing so renders you more dependent on internet access.
There are always lessons to be learned from such a situation. Some of the unique lessons we learned included: 1) if many people in the same area lose internet service, it degrades your mobile phone service locally, as many people attempt to use their phones for data transfers they normally would have done with their computers; and 2) you may believe you can do many things with your mobile devices, but if you don’t have working email on your mobile device or VPN access, you cannot do many of those things.
There were no long-term negative data consequences for the OBA. Everything was restored by Monday afternoon and we believe nothing was lost. Personally, I was able to rely on my MiFi card, which gave me access to many files on Dropbox. Like many of my co-workers, I also took the opportunity to sort through, discard and scan/file some loose paperwork.
But the idea of a 10-lawyer law firm being locked out of all of their files for 90 days is simply horrifying. Hopefully they at least had access to their calendars on their mobile devices. Ninety days is a lot of time for something serious to go wrong.
I recently had the opportunity to hear my podcast teammate, Sharon Nelson, and her husband, John Simek, both of Sensei Enterprises, discuss data security and data disasters. They cite Bruce Schneier, a well-regarded expert on technology security whom I have followed for many years, as saying it is unrealistic to assume one can build sufficient IT safeguards to keep evildoers out of your system. The old mantra of identifying the threats and protecting the network has evolved. According to Ms. Nelson, the new framework is “identify, protect, detect, respond and recover.”
NOT IF, BUT WHEN
The idea that all businesses should prepare now to respond to a security breach when it happens, not if it happens, is unsettling. This is critical for all of your business clients as well as your law firm. But the idea should also provide motivation to take action now.
All businesses need an incident response plan (IRP). A few internet searches will locate some form incident response plans that can be used as guidance. Some are free. Some are available for purchase. It is important to recognize that “filling out the form” will not cover all of the unique and special situations in your law firm or your clients’ businesses. As a result, additional contingencies may need to be addressed in your plan.
It is also important to recognize that not all data breaches are equal. A ransomware attack may cripple your law firm, but your response to it will be totally different than your response to a data breach that appears targeted at a specific client or matter.
The literature says you should form an incident response team to conduct an incident threat analysis before you create your various responses for different scenarios. If you are a solo or small firm lawyer, then you will likely fill the role of the incident response team. But you don’t have to be a cyber-security expert to create this plan. You just have to be able to identify what types of security breaches or other business interruptions could happen. You can seek expert guidance if needed.
Let’s start with a simple scenario that doesn’t require much expertise with technology.
Scenario 1: A Disturbance in the Neighborhood
You arrive for work early one morning and find a roadblock with several law enforcement officers and vehicles and perhaps a news team or two, or you have police tape all around your office. Whether it is a crime scene investigation or an active tense stand-off situation, law enforcement informs you that it could be hours or days before you are allowed back into your office.
What is the plan? It really depends on the law firm and the situation. If you are using cloud-based practice management software and everything has been scanned into digital client files, then the plan is to deploy people where they will have computers and internet access. Maybe some people can work from home or maybe you know a friendly local lawyer with some extra office space. Then the next decision is how and where to forward the office telephones so someone can answer them. Then you have to figure out how staff will communicate. Does everyone have the ability to remotely log into the office email or will you be using a lot of text messages that day?
If you don’t have information deployed in the cloud, have you set up a VPN or other remote access for some or all of the office employees to log in to the office computers? Will this work if the computers have not been turned on for the morning?
If you have no way to access any of the office data from outside of the office, then your primary objective will be triage. In that scenario, you need access to your calendar so you can reschedule office appointments and meet court appearances and deadlines. If your mobile devices have your calendar on them, they will become your primary tool. If you have employees who are unable to do anything productive, then they should be sent home with instructions to stay close to their phone to learn when they will be called back into work.
As you can see from this exercise, the value of planning is thinking things through and making preparations during a calm and reflective time rather than in the middle of a frustrating scenario. Setting up your IRP also means that you have accumulated much of the needed information in advance and preserved it in a way that you can access without access to the physical office. A list of contact information for all clients with active files, whether on paper or preserved digitally, is very important. Some phone numbers for courthouse staff may be useful. If you don’t recall your passwords, do you have a password manager available via your mobile device, or can the password for critical systems like your practice management software be reset by using email on your mobile phone? Do you have an existing answering service that you can forward the phones to in the case of an emergency, and what information is needed to accomplish that?
Scenario 2: Ransomware Attack
A computer in your office suddenly displays a graphic indicating that the computer has been encrypted and displays a clock counting down the remaining time you have to pay the ransom or lose your data forever. That countdown will generate incredible stress. Your law firm is effectively dead in the water.
This part of your IRP likely will be developed with input from your IT professional. For example, if one computer has been encrypted with ransomware, you may have a very short amount of time to “save” other computers by physically unplugging them from the network or turning them off quickly. Note that this would be the “hold down the power button method” for emergency shutdown, not the normal method. You can normally accept the risk of corrupting a single open document to keep a workstation in operation.
Paying the ransom is problematic on several levels, but many businesses will decide to do so if the amount is somewhat reasonable. In fact, Sharon Nelson related that she had heard of a firm that has established a purse of bitcoin in advance for just such a scenario. But many law firms will not want to take that action.
In theory, assuming you have appropriate backups and images, here’s how a recovery would take place. The hard drives on the computers would be reformatted to destroy all data. A system image recovery disk would then be used on each computer to restore it to a prior point in time. These system image recovery disks must be created in advance, using Windows itself or a third-party tool. Then your data backup can be used to restore any missing data, e.g., documents, billing records, calendar entries, etc.
Again, that is the theory. The reality is that some firms may require or prefer professional assistance. But the Windows recovery tools are designed with the end user in mind. (Of course, this assumes that the firm is using a Windows-based system. Some firms are now using Macs, which are less susceptible to ransomware but may still have vulnerabilities.)
Note the difference between a ransomware attack and other types of malware or spyware. Typically, a ransomware attack happens in real time. Someone clicks on something or opens a file and the ransomware is released to start encrypting files. It happens fast. That also means it is likely that a backup that is a few hours old will not contain the infection.
On the other hand, a spyware installation or other type of data breach may have occurred days or months before. Reformatting the hard drive and installing your backup could install a “backup” of the infection. (It is also very possible that your backup provider could scan and kill the malware.) If you honestly believe your system has been breached, it may be worth your time to have a digital forensics expert examine the system to see what has been accessed and give the system a digital cleaning.
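The recovery described above (reformat, restore the system image, then restore the data backup) and the point about backup age versus infection age can be turned into a small decision aid. The following Python script is an added example, not code from the column or from any product it mentions; the backup catalogue, the two-hour safety margin before the estimated compromise time, and the one-day "long dwell" threshold are all constructed assumptions. It picks the newest image and data backups that predate the compromise, reports how much work would be lost, and flags the long-dwell case (the spyware situation) where a forensic check of the restore points is warranted rather than a blind restore.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    """One backup artifact in the firm's catalogue (constructed for this example)."""
    label: str
    taken_at: datetime
    kind: str  # "image" = system image recovery disk, "data" = documents/billing/calendar


# Constructed sample catalogue: a nightly image plus periodic data backups.
BACKUPS: List[Backup] = [
    Backup("image-2017-02-28", datetime(2017, 2, 28, 22, 0), "image"),
    Backup("data-2017-02-28", datetime(2017, 2, 28, 23, 0), "data"),
    Backup("image-2017-04-30", datetime(2017, 4, 30, 22, 0), "image"),
    Backup("data-2017-05-01-06", datetime(2017, 5, 1, 6, 0), "data"),
    Backup("data-2017-05-01-12", datetime(2017, 5, 1, 12, 0), "data"),
]


def latest_clean(backups: List[Backup], kind: str, compromise_start: datetime,
                 margin: timedelta = timedelta(hours=2)) -> Optional[Backup]:
    """Newest backup of `kind` taken at least `margin` before the estimated compromise.

    The margin (an assumption) absorbs uncertainty in when the infection really began,
    so a backup taken minutes before the first visible symptom is not trusted blindly.
    """
    cutoff = compromise_start - margin
    candidates = [b for b in backups if b.kind == kind and b.taken_at <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.taken_at)


def plan_recovery(backups: List[Backup], compromise_start: datetime, now: datetime,
                  long_dwell: timedelta = timedelta(days=1)) -> dict:
    """Build the reformat/image/data restore plan, or say why a plain restore is unsafe.

    A fast-moving ransomware event (short dwell) can be restored from recent backups.
    A compromise that began days or months ago (long dwell) may already be inside the
    backups, so the plan asks for a forensic check of the chosen restore points.
    """
    image = latest_clean(backups, "image", compromise_start)
    data = latest_clean(backups, "data", compromise_start)
    dwell = now - compromise_start

    if image is None or data is None:
        return {
            "restorable": False, "image": None, "data": None, "steps": [],
            "lost_window_hours": None, "forensics": True,
            "note": "no backup predates the estimated compromise; restoring would "
                    "reinstall the infection, so the system must be cleaned forensically",
        }

    steps = [
        "reformat every affected drive",
        f"restore system image '{image.label}' on each machine",
        f"restore data backup '{data.label}'",
    ]
    lost_hours = round((compromise_start - data.taken_at).total_seconds() / 3600, 1)
    needs_forensics = dwell > long_dwell
    return {
        "restorable": True, "image": image.label, "data": data.label, "steps": steps,
        "lost_window_hours": lost_hours, "forensics": needs_forensics,
        "note": ("long dwell: have a forensics expert confirm the restore points are clean"
                 if needs_forensics else
                 "short dwell: backups predating the event are very likely clean"),
    }


if __name__ == "__main__":
    # Scenario A: ransomware noticed half an hour after it started on May 1, 2:00 pm.
    print(plan_recovery(BACKUPS, datetime(2017, 5, 1, 14, 0), datetime(2017, 5, 1, 14, 30)))
    # Scenario B: spyware believed to have been installed back in mid-March.
    print(plan_recovery(BACKUPS, datetime(2017, 3, 15, 9, 0), datetime(2017, 5, 1, 14, 30)))
    # Scenario C: compromise predates every backup in the catalogue.
    print(plan_recovery(BACKUPS, datetime(2017, 1, 10, 9, 0), datetime(2017, 5, 1, 14, 30)))
```

The only inputs a firm has to keep current are the backup catalogue and an honest estimate of when the compromise began; everything else in the plan follows from those two facts, which is why the IRP should record where the catalogue lives and who can read it when the office is inaccessible.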
Knowing what information was compromised may inform you as to what obligations you may have either under the Oklahoma Security Breach Notification Act or general good business principles. As I read 24 Okla. Stat. 162, notification requirements only attach when an individual’s name has been attached to a social security number, driver’s license (or alternative state ID in lieu of driver’s license) or financial account numbers, credit card numbers and debit card numbers along with a password or access code if applicable. I will leave the question of whether, depending on the information breached, a lawyer’s ethical duty to a client would create a notification duty greater than that required by statute for another day. If you have information covered by HIPAA, it has its own set of breach notification requirements.
CONTACT INFORMATION IS AN IMPORTANT ELEMENT
Larger firms will want to have contact information for the various staff members involved with the plan. But firms of all sizes would benefit from having contact information for all staff, including home or mobile phone numbers when available.
You will definitely want to have insurance company contact information as well as copies of your policy. Some might believe that this is a good time to examine just what cyber insurance you have purchased and whether it is enough.
Other contact information that may be needed includes your outside IT consultant, a digital forensics consultant, a lawyer with more expertise than your firm regarding data breaches and perhaps even a public relations firm.
Once you have the plan drafted, you need to communicate with any staff who were not involved in the creation that it exists and what their obligations are under the plan. Stress to your staff that they are not official spokespersons for the firm and they should never post about any possible data breach or other office issue on social media.
FOLLOWING THE PLAN
I can assure you that no matter how good your plan, it is likely that things won’t go according to plan. There are several military-based clichés about plans changing when the battle commences. But a data breach or work stoppage of any kind is a frustrating and emotional situation. You will be far better off with a plan to refer to and ready access to the phone numbers of those you might need to call in as reinforcements.
There is a potential additional positive byproduct of all of this work. Your firm may now be in a much better position to advise your business clients about, and assist them with, their IRP.
Mr. Calloway is OBA Management Assistance Program Director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 1-800-522-8065 or jimC(at)OKbar.org. It's a free member benefit!
Originally published in the Oklahoma Bar Journal -- May 20, 2017 -- Vol. 88, No. 14