Updated: Oct 21, 2022
October is National Cybersecurity Awareness Month. This month, we are pleased to feature an article written by recovering litigator Paul Zimmerman from Invenius Digital Forensics on "email hygiene." While that's a geeky-sounding term, it’s a very important phrase and one that’s critical to implement in your day-to-day work.
One of the single greatest cybersecurity threats to law firms today is ransomware, and the single most common vector—or route—through which ransomware can occupy one of your computers is via an email containing a bogus link or attachment.
Ransomware is its own industry, and much of it is contracted out. You may have heard of “software as a service,” which is where you access and utilize software through an internet web browser rather than having the software reside on your server or your own computer. Well, “ransomware as a service” is real. Ransomware for hire.
The Scary Part (After All, Halloween is Fast Approaching)
According to a recent Forbes article, 43% of ransomware attacks are on small businesses. While attacks on large businesses may yield more bang for the buck, large companies also have substantially more robust security teams and defenses. Small businesses, though unable to pay the headline-grabbing ransoms, tend to be easy targets due to smaller budgets and less sophisticated capabilities. Of all avenues for ransomware attacks, the most common is email. In short, most ransomware attacks are invited in—by clicking on a link or an attachment—rather than sneaking in through “hacking” as most people imagine it, so it does not really matter how good your security is.
Let’s Dispel Some Myths
Do not think for a second that your small firm, serving whatever small town, with a clientele of individuals and small local businesses, is not a target. Understand that many ransomware attacks are automated—they do not always arise from some hacker in another country looking up your business on the internet out of millions of businesses and deciding to attack. Automated processes find businesses to attack. And you are also not safe because you are a small business without international clients—hackers realize that small businesses tend to have small security budgets, with little or no internal security personnel.
Finally, if a hacker does search for a target, you may be targeted because a person or entity with whom you have emailed has been compromised, and you became a target after being identified in a business email compromise of a client, opposing counsel, vendor, or any other email exchange you or someone in your office has had. Do not believe the myth that ransomware only targets pipelines, big M&A firms, and hospitals. You do not have to possess “important” information to be subject to ransomware. You only need to possess information that is important to you. If you cannot function without your data—financial, time entries, client data, calendar deadlines, etc.—then you are a target for ransomware, whether you are a law firm or a bakery. Attackers know your data is important to you and that you will pay to get it back.
How Do I Fight Ransomware with Email Hygiene?
First and foremost, use good email hygiene. Email hygiene involves safe practices in your emailing. Does the email look right? Was it unexpected or unusual, given who supposedly sent it? Is the wording unusual given what I know about that person? Should I double-check with the sender whether this attachment is theirs? While not everyone needs to be a security engineer, everyone should implement the following good habits regarding email:
Reach out to the sender. Never be afraid to pick up the phone, send a text, or use some other channel to confirm an email containing a link or an attachment. Also, if you have a helpdesk/IT, send it to them to confirm its legitimacy if you are concerned.
Slow down. Always take a moment before clicking on a link in an email or opening an attachment. Could this be an attack? Scanning the preview pane of an email while on auto-pilot, to see if it needs to be addressed immediately or can wait is one thing. Never click on a link or an attachment without thinking about it first.
In Outlook and some other email platforms, hover your cursor over the name of the sender to make the computer display the underlying email address associated with the sender. Just because your computer says the email came from opposing counsel in a case does not make it so. After all, a sender can set emails to state they are from “Clarence Darrow” when displayed on the recipient’s computer.
Use an email hygiene education and testing service. Many companies, on an annual basis, will provide online education modules that only require a few minutes to watch, and can send fake phishing and ransomware emails to your employees once or twice a year to test them.
Learn to recognize likely social engineering. Ransomware attackers try to formulate ways to make you WANT to click on a link: something free (e.g., our latest “white paper,” or “Wow, check out this Alabama Supreme Court opinion”), a sense of urgency (such as a wrinkle in that deal you’re trying to close ), a client angry about an invoice or a vendor angry about not being paid, a draft document to review, etc.
Keep operating systems and software up to date, and do not use any beyond their supported service life. Yes, renewing software licenses and support agreements is expensive, but it is cheaper and less disruptive than paying a ransom and suffering a business interruption.
Use offsite backups that are segmented from your network, and make sure they are validated. All too often, ransomware victims discover too late that their backups are affected by the ransomware or the backups have not been performed correctly and do not provide needed data. Proper backups can allow you to restore your system to the condition it was in before the email link was clicked or the attachment was opened.
Always implement two-factor authentication where available.
Scrutinize your cyber liability and cybercrime policies to confirm they will provide coverage in the event of a ransomware attack, particularly as to business interruption. The definition of an “occurrence” and the exceptions may not match up to how ransomware attacks occur and how ransomware is deployed.
Have a plan in the event of a ransomware attack. After your server is locked up is not the time to figure out how you are going to (1) get your systems and data back online, and (2) operate in the meantime.
Lock down your devices. If your device can be lost, the following can further limit the risk of compromise:
Use a passcode and a lock screen that activates after no longer than 5 minutes.
Have the ability to remote wipe the device.
Keep “Find my” activated.
Keep your recovery information (recovery email, recovery phone number, security questions, etc.) up to date.
Paul Zimmerman is a recovering litigator. He has a JD from the University of Alabama School of Law, an M.S. in Management Information Systems from UAB, and operates Invenius Digital Forensics, LLC. firstname.lastname@example.org