The International Legal Technology Association (ILTA) posed this question in their Public Forum on April 1, 2020:
What new and/or evolving cyber security threats do we see arising from the current global pandemic?
We are sharing the response below from Kraft Kennedy CTO, Chris Owens.
I feel the easiest way to sum up “new and/or evolving cyber security threats” in the current climate is with one word – identity. All physical boundaries are gone from the office world; the elevator security, door security, or even the simple idea that you know who is calling you because your internal phone system displays the name of your co-worker when it rings. Now everyone needs to be vigilant since you can no longer use basic physical factors to confirm identity, and this is something that affects the entire firm.
Help Desk is the first example. Kraft Kennedy serves as first-line support for roughly 50 small and midsized law firms. One of the items we stress as we onboard new personnel is to validate that the caller is actually who they claim to be. Typically we “call back” using a known good phone number or send some basic verification in email, although neither is necessarily 100% foolproof in an age of SIM hacking capabilities. This serves as verification to ensure the password we are about to reset is being requested by the actual person. If anything feels off, you escalate properly to internal management or management at the firm. Asking an end-user to wait a few extra minutes to mitigate damage from a bad actor is a small price to pay.
Now that everyone is remote, internal Help Desk teams need to consider similar measures. Most support calls might not be coming from an internal number anymore, so ensure the Help Desk team does not fall into a malicious trap. We have already heard from people seeing an influx of these scenarios play out during the COVID crisis.
THE SAME GOES FOR LAWYERS, and that is the new(er) paradigm. They too will receive calls from numbers they do not know. Lawyers need to be vigilant about with whom they are sharing information or access. MFA works great until a lawyer builds the instinctive reaction to just “approve” any prompt, especially with newer technologies that don’t involve entering a code. These are how malicious events tend to start.
How do I add technology to aid in identifying who, specifically, might be under attack? There are several tools out there, including Microsoft Advanced Threat Protection. This tool specifically focuses on identity protection. In fact, Microsoft just published an article entitled “Top 12 tasks for security teams to support working from home” that focuses on the very topic of this thread.
The key element is Microsoft Secure Score. As more and more law firms are rapidly deploying productivity tools like Microsoft Teams, more and more user identities are being synchronized to the Microsoft Cloud through Azure Active Directory. Protecting these now globally accessible accounts should be the first task for the law firm IT team, and Microsoft has included numerous tools to accomplish those tasks. MFA is one. Geographic location filtering, by which you can block all traffic from certain countries, is another. Lastly, they have the comprehensive Conditional Access tool that allows extremely granular control of access to systems, applications, and the domain.
Identity was already going to be the new security battle; COVID just sped up the process. Protecting yourself and your firm during this isolation period involves both education and technology solutions.