
Cybersecurity 101: Protecting Law Firms from 'Bad Actor' Entry via Email Phishing

Drew Deitch

Headlines have made no secret that law firms are at particular risk of cyber attacks, and their vulnerability comes from both a lack of preparedness and the simple fact that their troves of sensitive client information make prime targets for baddies.

Simplified e-discovery is often a positive consequence of strong cybersecurity policies and diligent data protection, and plenty of tools and techniques help bolster those upstream processes. Paul Everton, founder and CEO of MailControl—a company whose Enterprise Privacy Shield™ software helps law firms and others increase security against the rising threat of spymail—recently shared his thoughts on these techniques with us.

Drew: What do you consider the biggest email-related security risk to the modern law firm?

Paul: Phishing is the biggest email-related security risk to the modern law firm. Security firms have reported that 90+ percent of cyber attacks start with phishing. What makes phishing particularly threatening is that it cannot be stopped by a single line of defense. Email is by nature open; attackers will always find ways to make it past spam filters and phishing detectors with rapidly evolving messaging and targeting, so firms need to implement a multi-layered defense.

Prominent attacks on law firms in recent years have made headlines, but it's not only large law firms that are at risk; lawyers across the US are regularly targeted with phishing email campaigns.

All of this means that today’s worst email habit is indiscriminately clicking links. Most malicious email attachments are blocked by security systems, so attackers instead try sending recipients to an external site. Professionals need to be vigilant in knowing when to click on links and when not to. As a rule of thumb, I recommend never clicking on unexpected notification emails. For example, if a sender claims to be Chase Bank saying your account is compromised, instead of clicking on their link, just go directly to the bank website and log in as you normally would, bypassing the emailed links.

Drew: What are the most basic ways in which law firms can protect themselves—and their clients—from data breaches and email snafus?

Paul: Encourage attorneys to take advantage of available CLE courses that focus on cybersecurity. This enables them to both earn credits and learn the latest best practices on protecting themselves and their clients.

Here are three other simple things you can do today to reduce your risk:

1. Use a password manager for all web logins. Phishing sites that pretend to be their real counterparts try to fool you with similar-looking site designs or URLs. So one way to beat them is to not rely on your own visual inspection, but on password managers that programmatically check if a site is really what it says it is. For instance, if you store your login to Chase Bank on LastPass, a popular free password manager, LastPass will let you automatically fill in your username and password when you are on a domain. If you accidentally clicked on a fake link that looks like but really isn’t, LastPass will not auto-fill the password.

2. Require email recipients to use two-factor authentication to open extra-sensitive emails. Many businesses already require two-factor authentication to protect access to employees’ emails or other accounts. You can also enhance email security for sensitive files and data sharing (e.g., social security numbers or financials) this way, requiring recipients to use two-factor authentication on specific emails they receive. If their email is ever hacked, the attacker will be stopped from accessing sensitive files you sent, as they would need the recipient’s phone to authenticate before seeing the content.

3. Stop spymail from stealing employee email metadata. You may have heard that one should turn attachments into PDFs or use Office’s “inspect document” feature before sending files over email. This removes hidden metadata in documents that can be damaging if inadvertently leaked. Emails can leak sensitive metadata just like their attachments. Spymail is email containing hidden tracking code that secretly collects the recipient’s metadata, including physical location, email open stats, and even if and to where the email is forwarded.
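The password-manager check in tip 1 works because the manager compares the page's actual hostname against the host the credential was saved on, rather than trusting what the page looks like. The script below is an added illustration of that comparison, not LastPass's code or anything from MailControl; the vault contents and the lookalike URLs are constructed for the example, and the matching rule (exact host or a subdomain of the saved host, HTTPS only) is a simplification of what real managers do.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: credentials keyed by the host on which they were saved.
VAULT = {
    "chase.com": {"username": "alice@example.com", "password": "correct horse battery staple"},
}


def canonical_host(url):
    """Lowercase, punycode-encoded hostname of url, or None if it cannot be determined."""
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port and path; lowercases
    except ValueError:
        return None
    if not host:
        return None
    try:
        # Unicode lookalike labels (e.g. Cyrillic "\u0430" for Latin "a") become xn-- labels,
        # so they can never equal the saved ASCII host.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def host_matches(page_host, saved_host):
    """Match the saved host exactly or as a parent domain (secure.chase.com -> chase.com)."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill(url):
    """Return the credential a domain-checking password manager would fill, or None."""
    try:
        if urlsplit(url).scheme != "https":
            return None  # no fill over plain HTTP, where the page could be tampered with
    except ValueError:
        return None
    host = canonical_host(url)
    if host is None:
        return None
    for saved_host, cred in VAULT.items():
        if host_matches(host, saved_host):
            return cred
    return None  # lookalike or unknown site: the manager stays silent


if __name__ == "__main__":
    for u in ("https://www.chase.com/login",
              "https://chase.com.account-verify.example/login",  # saved host as a prefix only
              "https://chase.com@evil.example/",                 # saved host in the userinfo
              "https://ch\u0430se.com/"):                        # Cyrillic lookalike
        print(u, "->", "fill" if autofill(u) else "no fill")
```

The useful behaviour for a user is the silence: when the manager offers nothing on a page where it normally would, that absence is the signal to stop and go to the site directly, exactly as Paul recommends for unexpected notification emails.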

Drew: MailControl focuses especially on defending against spymail threats to an enterprise. Why is this diligence so important?

Paul: Spymail poses privacy risks to firms, their clients, and their attorneys. For example, there was a case in California a few years ago, Pashman v. Aetna Insurance, where the court opinion explicitly describes how Aetna sent Pashman’s termination notice as spymail, which allowed them to see that Pashman forwarded the email to his attorney and who his attorney was. Putting aside the breach of confidentiality and waiver of privilege that this may represent, consider that the same information will enable a hacker to more easily spoof an email, either to mask infected attachments or use social engineering to coax out confidential information.

For organizations not using a centralized anti-spymail tool (most are not), users can reduce the risk of being spied on by disabling automatic loading of external content in email clients that offer such a setting (e.g., the desktop version of Outlook).
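The "hidden tracking code" in tip 3 and the "external content" setting above are the same thing seen from two sides: the tracker is usually a remote image that the mail client fetches when the message is rendered, and the fetch itself is what reports the open, the time, and the reader's network location. The scanner below is an added example of how a client or gateway can find that remote content before anything is loaded; it is not MailControl's product, the sample message is constructed, and the "tiny or hidden image" heuristic is an assumption about what tracking pixels typically look like, not a definition from the interview.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one ordinary remote logo, one 1x1 hidden remote image
# carrying a per-recipient token, and one inline (cid:) image that is not fetched remotely.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the attached notice at your earliest convenience.</p>
<img src="https://logo.example/brand.png" width="200" height="60" alt="Logo">
<img src="https://track.example/open?id=7f3a9c1e" width="1" height="1" style="display: none">
<img src="cid:inline-signature.png" width="120" height="40">
</body></html>
"""


def _px(value):
    """Parse an HTML width/height attribute such as '1' or '1px'; None if unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class RemoteContentScanner(HTMLParser):
    """Collect every <img> whose src would be fetched from a remote server on open."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded and do not phone home
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "url": src,
            "host": parts.hostname,
            "has_query": bool(parts.query),  # a per-recipient token usually rides here
            "likely_tracker": tiny or hidden,
        })


def scan_html(html):
    """Return one finding per remote image in the message body."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspected_trackers(html):
    """Hosts that would learn about the open if remote content were auto-loaded."""
    return [f["host"] for f in scan_html(html) if f["likely_tracker"]]


if __name__ == "__main__":
    for f in scan_html(SAMPLE_EMAIL_HTML):
        flag = "TRACKER?" if f["likely_tracker"] else "remote"
        print(f"{flag:9} {f['host']:14} query={f['has_query']}  {f['url']}")
```

Note what the heuristic does and does not give you: the brand logo is also remote content, and fetching it leaks the same open event and network location as the pixel does. That is why the safe client setting is "do not load any external content automatically", with the tracker classification serving only to explain to the reader which images were clearly there to report on them.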

Drew: The legal space is generally seen as “behind the times” when it comes to new tech adoption. Do you agree with that estimation? Do you see that trend changing?

Paul: We need to be careful not to overgeneralize. Firms can be behind the times in one area (say, the lingering popularity of Exchange 2010) while also being very cutting edge in other areas (such as e-discovery). From talking to law firms myself, I've learned that it ultimately comes down to profitability and ROI: law firms are closely held, and IT budget does not come from anonymous shareholder money—it’s “our” money. With market consolidation in legal, I think the trend is that there will be even stronger demands for business justification for every IT purchase.

Drew: Which roles in a law firm environment tend to play the biggest part in bringing new technology on board, based on your experience? Which roles tend to be most passionate about adopting new tools?

Paul: I've seen that "rainmakers" who also happen to be technology enthusiasts tend to have a lot of influence in bringing on new technology. Such partners tend to gravitate to the technology committee; in bigger firms with larger IT departments, the IT departments will have more say.

Drew: Both of our companies are born out of the Chicago tech scene. Tell us what impresses you most about this community.

Paul: I think Chicago tech companies tend to be scrappier and more resource efficient. Out on the coasts, the amount of capital tends to drive up valuations and spend. That can be good for some winner-take-all verticals where you truly need to outspend your competitors to have a chance. In Chicago, though, entrepreneurs and investors tend to maintain more fiscal discipline and build more with less.

Paul Everton founded MailControl in the fall of 2015. He previously founded and sold Visible Vote, and also founded Yapmo, which continues to operate profitably today. Paul started his career in sales and sales engineering. Paul has a B.S. in Computer Science/Information Security from Georgia Institute of Technology.

Drew Deitch is commercial lead of Relativity Patents, where he helps patent attorneys and searchers work faster with AI. He's been at Relativity for 10 years, in roles supporting our strategic partnerships, executive team, and product strategy.