VBA Journal

SPR 2017

The VBA Journal is the official publication of The Virginia Bar Association.

Issue link: http://vba.epubxp.com/i/815343


to be alert to anything suspicious and not to be quick to click!

RANSOMWARE

Ransomware is an international epidemic. Your employees need to understand that it is usually contracted via phishing emails. Click on a link or an attachment in the email and the malware is downloaded invisibly, whatever you see on the screen. It then sets about encrypting the firm's data, file by file. If the backup is connected to the network at the time, the ransomware will encrypt that too, which is why at least one copy of the backup must be kept offline or otherwise unreachable from the workstations.

Employees need to understand how dangerous ransomware is, how prevalent it is, how the ransom demanded to get your data back keeps rising, and that you are out of business until you figure out how to come up with sufficient funds in bitcoin, which the attackers generally want as payment. Even if you do, in fact, get a decryption key, restoring the files takes time.

Ransomware is now appearing on mobile devices, including phones, most often from apps downloaded from unsanctioned app stores, a common practice among employees.

BUSINESS EMAIL COMPROMISES

Also known as CEO scams, these schemes have netted more than $3 billion thus far, according to the FBI. From January 2015 to June 2016, successful attacks rose 1,500 percent. Basically, someone with authority to order a wire transfer appears to be emailing the person who executes the wires. Law firms have been hit hard by these scams, so it is critical that employees understand how they work and are conditioned to confirm any order to transfer significant funds through a second channel, such as a phone call to a number already on file, and never by replying to the email itself.

TRAINING TIPS

To the extent that you can, make training fun. Encourage interactivity. Trainers should use real-life scenarios and tell stories. They should quiz attendees on whether an email shows any evidence of phishing, the No. 1 way law firms are breached. They may have attendees watch short security videos from YouTube, such as those by Sophos.

Time of day? Best done in the morning, when people are most alert. Spring for breakfast and keep the coffee coming.

Make it mandatory? Absolutely. Take attendance. Encourage the firm's managing partner to send out a memo stating that the training is mandatory, that he will be there, and that he expects to see everyone from the firm there as well.

How often should you train? At least annually. Threats change, and the defenses to those threats change. Both technology and security policies change. You should assess these changes and your security policies regularly to stay ahead of the curve. You can never "set it and forget it" in cybersecurity.

One story that may give you pause: weeks after its 2014 data breach, JPMorgan sent a fake phishing email to staff. Twenty percent of its employees clicked on the link. JPMorgan got the point. Having spent $250 million on cybersecurity in 2014, it vowed to double its cybersecurity budget to $500 million over the next two years.

PHYSICAL SECURITY

Trainers should talk about physical security too: not leaving files in stacks around the office, being aware of strangers in the office, and so on. The infamous "office creeper" in the D.C. area during 2015 got into all sorts of "secure" buildings, once entering a law firm. She got through building security by piggybacking and tailgating. She took money from drawers and purses and lifted laptops and cameras, which were easy to pawn. But what if she had been after data?

MORE IN THE MORASS

Employees need to be aware of the dangers of metadata, the perils of using social media, and the malware that may be present on public computers in hotel business centers, public libraries, and internet cafes. They need guidance on the safe use of public Wi-Fi and of file-syncing software in the cloud. They should be taught the importance of protecting all devices, including Apple devices, and their home Wi-Fi if they work from home without a virtual private network. But beyond learning why security matters, employees must know how to secure their smartphones, especially if they may connect personal devices to the firm network. ■

The authors are the president and vice president of Sensei Enterprises, Inc., a legal technology, information security, and digital forensics firm based in Fairfax. They can be reached at 703-359-0700 or sensei@senseient.com.
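The business email compromise pattern described above, where a message appears to come from someone with authority to order a wire, can be screened for mechanically on the accounts-payable side as well as through training. The Python script below is an added example, not code from the article or from Sensei Enterprises; the firm domain, the directory of people allowed to authorise a wire, and the three sample messages are constructed for illustration. It flags the same indicators a trained employee is taught to look for: an executive's display name on an outside address, a Reply-To that diverts the answer elsewhere, a lookalike sender domain, and wire or urgency language appearing together with one of those identity mismatches.

```python
"""Screen inbound mail for business email compromise (BEC) indicators.

Added example, not code from the article. The firm domain, the directory of
people who may authorise a wire, and the sample messages are all constructed.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.com"                       # hypothetical firm domain
AUTHORISERS = {"Jane Doe": "jdoe@examplefirm.com"}     # hypothetical directory
URGENCY = re.compile(r"\b(wire|urgent|confidential|today|asap)\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain: str, real: str = FIRM_DOMAIN) -> bool:
    """True when domain is not the firm's but could pass for it at a glance."""
    if not domain or domain == real:
        return False
    d, r = domain.split(".")[0], real.split(".")[0]    # compare the main label
    # near-identical spelling (examplefirrn vs examplefirm), or the real name
    # embedded in a longer label (examplefirm-llp)
    return difflib.SequenceMatcher(None, d, r).ratio() >= 0.8 or r in d


def bec_indicators(raw: str) -> list:
    """Return the reasons a raw RFC 822 message looks like a BEC attempt."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # 1. Display-name spoofing: a known authoriser's name on some other address
    expected = AUTHORISERS.get(name.strip())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an authoriser but address is {addr}")

    # 2. Replies diverted: Reply-To points at a different domain than From
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 3. Lookalike sender domain registered to impersonate the firm
    if lookalike_domain(from_dom):
        reasons.append(f"sender domain {from_dom} looks like {FIRM_DOMAIN}")

    # 4. Wire/urgency language is ordinary business traffic on its own, so it
    #    only adds weight when the sender identity is already suspect
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = msg.get("Subject", "") + " " + body
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits and reasons:
        reasons.append("wire/urgency language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jdoe@examplefirm.com>\n"
        "To: ap@examplefirm.com\n"
        "Subject: Q2 invoices\n\n"
        "Please process the attached invoices by month end.\n"
    ),
    "spoofed_name": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "Reply-To: jane.doe.ceo@outlook.com\n"
        "To: ap@examplefirm.com\n"
        "Subject: Urgent wire\n\n"
        "I need a wire sent today. Keep this confidential and call me after.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jdoe@examplefirrn.com>\n"
        "To: ap@examplefirm.com\n"
        "Subject: Wire instructions\n\n"
        "Please wire the retainer balance ASAP to the account below.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", bec_indicators(raw) or ["no indicators"])
```

The script is a screen, not a verdict: a message with no indicators can still be a compromised mailbox at the real executive's own address, which is exactly why the out-of-band confirmation step above applies to every significant transfer, flagged or not.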
