{"id":134643,"date":"2025-10-06T19:32:36","date_gmt":"2025-10-07T03:32:36","guid":{"rendered":"https:\/\/xira.com\/p\/2025\/10\/06\/cyber-slider-we-got-insurance-right\/"},"modified":"2025-10-06T19:32:36","modified_gmt":"2025-10-07T03:32:36","slug":"cyber-slider-we-got-insurance-right","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2025\/10\/06\/cyber-slider-we-got-insurance-right\/","title":{"rendered":"Cyber, Slider. We Got Insurance, Right?\u00a0"},"content":{"rendered":"<p>Now here\u2019s a good one. With all the publicity about lawyers not checking cites, it\u2019s good to be reminded that we aren\u2019t the only dumbasses in the world.<\/p>\n<p>According to a <a href=\"https:\/\/thehackernews.com\/2025\/09\/how-one-bad-password-ended-158-year-old.html\" rel=\"nofollow noopener\" target=\"_blank\">report<\/a> in HackerNews, <a href=\"https:\/\/m.economictimes.com\/magazines\/panache\/if-youre-reading-this-your-company-is-dead-how-one-weak-password-ended-a-158-year-old-business\/articleshow\/122819866.cms\" rel=\"nofollow noopener\" target=\"_blank\">KNP Logistics Group<\/a>, which had been in business some 158 years, recently shut its doors. \u00a0Why? One of its employees had an easily guessed password. There was no sophisticated phishing attack or zero-day exploitation. The hacker just got into the company\u2019s system and found an employee who didn\u2019t use multifactor authentication. Then, using highly sophisticated logic and complicated algorithms (aka someone who doesn\u2019t have multifactor authentication probably has an easy-to-guess password), they punched in 1-2-3-4 or something similar and voila, in like Flynn.<\/p>\n<p>Once in, the hackers had a field day. They deployed ransomware across the whole infrastructure. Then, perhaps just to get a good laugh at the employee and the company, they destroyed the company\u2019s backup and recovery systems. 
So, there was no way for the company to recover anything.<\/p>\n<p><strong>One Slight Miscalculation<\/strong><\/p>\n<p>But the hackers did make a slight miscalculation: they demanded more ransom money than the company had. And KNP\u2019s cyber insurance didn\u2019t cover enough of the demand to keep KNP going. The company operated a transport business with 500 trucks and 700 employees and just like that, it was gone.<\/p>\n<p>I used to see companies plead the \u201cpoverty defense\u201d in litigation all the time \u2014 meaning don\u2019t bother pursuing me, I can\u2019t pay any judgment anyway. Usually, they didn\u2019t want to offer proof of their financial condition either because their condition was not that bad or they didn\u2019t want to open up their books to the other side. But when they did, it was effective. Guess KNP couldn\u2019t convince the bad guys, though.<\/p>\n<p><strong>Lessons for Lawyers<\/strong><\/p>\n<p>Of course, there\u2019s lots of lessons for law firms here. Law firms all too often think that security by obscurity is great protection, just like pleading poverty will get you off the hook in a lawsuit.<\/p>\n<p>But law firms forget how valuable their data is. First there\u2019s the ethical requirement that we take reasonable steps to protect our clients\u2019 confidences. That means, of course, if we are hacked, we a) must tell our clients, which is not a pleasant conversation and b) we may have violated the canons of ethics. So even if our data has little intrinsic value to someone else, it clearly has a lot of value to us.<\/p>\n<p>And we can\u2019t sell the notion that our data is valuable to others short: we have lots of secrets locked up in our files that could be exploited for monetary gain.<\/p>\n<p>So, you (like a good lawyer) say, well, we have cyber insurance, so not to worry. Not so fast. You had better read the policy. And the sublimits. (If you don\u2019t know what that is, you\u2019re already in trouble.) 
And you better read what security you committed to have in place before the carrier issued the policy \u2014 like maybe multifactor authentication, for a start. You might also want to check what security your corporate clients demanded you have in place before they hired you.<\/p>\n<p>Oh well, it can\u2019t be that bad, right? I mean, we aren\u2019t like KNP; we\u2019ll just go back to work, and it will be business as usual. Yeah, right, try billing hours when all your files are locked up and your systems have cratered. That is, if you still have clients to bill to.<\/p>\n<p><strong>The Sad Truth: Excuses Galore<\/strong><\/p>\n<p>The sad truth is that law firms and lawyers just aren\u2019t as security conscious as they need to be. It\u2019s classic hear no evil, speak no evil, see no evil. \u00a0<\/p>\n<p>Far too often, they view security protocols as a pain in the butt that interferes with their getting to their work (and billing time). I\u2019ve seen partners and associates circumvent security protocols because they didn\u2019t want to take the time to comply with them: \u201cI\u2019ve got work to do I can\u2019t be burdened with multifactor authentication.\u201d<\/p>\n<p>Here\u2019s another one: \u201cI don\u2019t have time to change my password every so often. I got too much important shit to do to remember a bunch of passwords. I need to get to my work quickly without having to plug in a complicated password.\u201d<\/p>\n<p>And always hubris: do lawyers really want to listen to those \u201cnon-lawyers\u201d who work for them, like IT people? And of course, there is the notion that it can\u2019t happen to me. Lawyers often just don\u2019t want to invest in improved security or don\u2019t listen when IT talks about it. I mean, it\u2019s boring, right?<\/p>\n<p>And finally, there is always the training conundrum. 
It takes time away from billable hours to be trained on risks and how to avoid them.<\/p>\n<p>I mean, after all, we got insurance, right?<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p><em><strong>Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes\u00a0<a href=\"https:\/\/www.techlawcrossroads.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">TechLaw Crossroads<\/a>, a blog devoted to the examination of the tension between technology, the law, and the practice of law<\/strong><\/em>.<\/p>\n<p>The post <a href=\"https:\/\/abovethelaw.com\/2025\/10\/cyber-slider-we-got-insurance-right\/\" rel=\"nofollow noopener\" target=\"_blank\">Cyber, Slider. We Got Insurance, Right?\u00a0<\/a> appeared first on <a href=\"https:\/\/abovethelaw.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Above the Law<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Now here\u2019s a good one. With all the publicity about lawyers not checking cites, it\u2019s good to be reminded that we aren\u2019t the only dumbasses in the world. According to a report in HackerNews, KNP Logistics Group, which had been in business some 158 years, recently shut its doors. \u00a0Why? 
One of its employees had [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-134643","post","type-post","status-publish","format-standard","hentry","category-above_the_law"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/134643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=134643"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/134643\/revisions"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=134643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=134643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=134643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}