
Now here’s a good one. With all the publicity about lawyers not checking cites, it’s good to be reminded that we aren’t the only dumbasses in the world.

According to a report in HackerNews, KNP Logistics Group, which had been in business some 158 years, recently shut its doors. Why? One of its employees had an easily guessed password. There was no sophisticated phishing attack or zero-day exploitation. The hacker just got into the company’s system and found an employee who didn’t use multifactor authentication. Then, using highly sophisticated logic and complicated algorithms (aka someone who doesn’t have multifactor authentication probably has an easy-to-guess password), they punched in 1-2-3-4 or something similar and voila, in like Flynn.

Once in, the hackers had a field day. They deployed ransomware across the whole infrastructure. Then, perhaps just to get a good laugh at the employee and the company, they destroyed the company’s backup and recovery systems. So, there was no way for the company to recover anything.

One Slight Miscalculation

But the hackers did make a slight miscalculation: they demanded more ransom money than the company had. And KNP’s cyber insurance didn’t cover enough of the demand to keep KNP going. The company operated a transport business with 500 trucks and 700 employees and just like that, it was gone.

I used to see companies plead the “poverty defense” in litigation all the time — meaning don’t bother pursuing me, I can’t pay any judgment anyway. Usually, they didn’t want to offer proof of their financial condition either because their condition was not that bad or they didn’t want to open up their books to the other side. But when they did, it was effective. Guess KNP couldn’t convince the bad guys, though.

Lessons for Lawyers

Of course, there are lots of lessons for law firms here. Law firms all too often think that security by obscurity is great protection, just like pleading poverty will get you off the hook in a lawsuit.

But law firms forget how valuable their data is. First there’s the ethical requirement that we take reasonable steps to protect our clients’ confidences. That means, of course, that if we are hacked, we a) must tell our clients, which is not a pleasant conversation, and b) may have violated the canons of ethics. So even if our data has little intrinsic value to someone else, it clearly has a lot of value to us.

And we can’t sell short the notion that our data is valuable to others, either: we have lots of secrets locked up in our files that could be exploited for monetary gain.

So, you (like a good lawyer) say, well, we have cyber insurance, so not to worry. Not so fast. You had better read the policy. And the sublimits. (If you don’t know what those are, you’re already in trouble.) And you had better read what security you committed to have in place before the carrier issued the policy — like maybe multifactor authentication, for a start. You might also want to check what security your corporate clients demanded you have in place before they hired you.

Oh well, it can’t be that bad, right? I mean, we aren’t like KNP; we’ll just go back to work, and it will be business as usual. Yeah, right, try billing hours when all your files are locked up and your systems have cratered. That is, if you still have clients to bill to.

The Sad Truth: Excuses Galore

The sad truth is that law firms and lawyers just aren’t as security conscious as they need to be. It’s classic hear no evil, speak no evil, see no evil.

Far too often, they view security protocols as a pain in the butt that interferes with their getting to their work (and billing time). I’ve seen partners and associates circumvent security protocols because they didn’t want to take the time to comply with them: “I’ve got work to do; I can’t be burdened with multifactor authentication.”

Here’s another one: “I don’t have time to change my password every so often. I got too much important shit to do to remember a bunch of passwords. I need to get to my work quickly without having to plug in a complicated password.”

And always hubris: do lawyers really want to listen to those “non-lawyers” who work for them, like IT people? And of course, there is the notion that it can’t happen to me. Lawyers often just don’t want to invest in improved security or don’t listen when IT talks about it. I mean, it’s boring, right?

And finally, there is always the training conundrum. It takes time away from billable hours to be trained on risks and how to avoid them.

I mean, after all, we got insurance, right?


Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.

The post Cyber, Slider. We Got Insurance, Right? appeared first on Above the Law.
