NYSBA Provides Ransomeware Guidance For Lawyers
The pandemic has impacted so many different aspects of our lives, from where and how we work to how we communicate and interact with loved ones. The work-from-home requirements necessitated by COVID-19 have been one of the most noticeable effects of the pandemic. This increase in working from home has also led to another notable trend: an escalation in the number of cyberattacks occurring due to the vulnerabilities exposed by the rapid and unexpected transition to remote work by so many businesses - including law firms - across the country.
This development was likely the impetus for the recent release of a cybersecurity alert by the New York State Bar Association’s Technology and Legal Profession Committee relating to ransomeware. This very timely resource provides a wealth of advice and guidance for lawyers seeking to protect their firms’ data from attacks by nefarious actors.
In the report, the authors first tackle the concept of ransomware. They provide the following explanation along with examples to help readers understand what ransomware is and how bad actors use it to attempt to obtain information from law firms:
Ransomware is a form of malicious software (malware) that targets critical data and systems for the purpose of extortion.
Ransomware often encrypts data or programs to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In many instances, the attacker threatens to publish sensitive information that has been seized, further hurting the victim, or impacting the business’ reputation.
As explained in the alert, the ransom demand typically consists of a demand for cryptocurrency in exchange for the data being held hostage. However, of note is that the Committee cautions that the provision of a payment does not necessarily guarantee that the data will necessarily be returned.
Because there is no way to ensure with certainty that your law firm will be able to obtain the return of its data from the bad actors, it is imperative that steps be taken to protect the data that remains on the firm’s systems. To that end, the Committee provides a step-by-step roadmap that includes recommendations to: 1) immediately isolate affected systems and avoid deleting any data, 2) isolate and/or power off uncorrupted devices, 3) after ensuring that existing data backups are free of malware, secure them and take them offline, 4) report the attack to https://www.ic3.gov/ and contact the local field offices of the FBI and U.S. Secret Service, 5) collect and secure any portions of existing ransomed data, 6) after taking the system offline, change online account and network passwords, 7) change systems passwords once malware has been removed, 8) disable maintenance tasks, and 9) implement incident response and business continuity plans.
The Committee also provides useful best practices guidance for law firms seeking to proactively protect their firms from future ransomeware attacks. The best practice tips are to: 1) implement an awareness and training program, 2) use Multi-Factor Authentication, 3) use long, complex passwords and do not reuse passwords for multiple accounts, 4) change default passwords, 5) enforce account lockouts after a specified number of login attempts, 6) configure access controls—including file, directory, and network share permissions—to limit access to only those who must have it, 7) restrict user permissions to install and run software applications, 8) enable strong spam filters to prevent phishing emails from reaching the end users. 9) set anti-virus and anti-malware programs to conduct regular scans automatically, 10) regularly patch systems, software, and firmware, 11) configure firewalls to block access to known malicious IP addresses, and 12) implement a Clean Desk Policy.
Note that the above constitutes highlights from this cybersecurity alert. For that reason, it’s important to read the alert in its entirety for a complete overview of the risks of ransomware, the precautionary steps you can take to protect your firm from being affected by it, and how to respond to an attack without making the situation any worse than it already is.
In closing, I urge you to give this document a thorough read and then implement the recommendations contained therein. Trust me, you won’t regret it. You’ve got nothing to lose by educating yourself about ransomware risks - and everything to gain!
Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at email@example.com.