My Four Favorite Charts from the ILTA 2022 Technology Survey

The International Legal Technology Association’s 2022 survey is a broad treasure trove of data reported from 541 law firms.

There are 11 major topics including Infrastructure, Document Management, Practice Management, and Business Continuity.

My focus is on four of the twenty-seven questions surveyed in the Security section.

  1. Password Management
ILTA 2022 Technology Survey

Password managers are one of the most highly recommended solutions for security. They help with: using complex passwords, deterring repeat usage of passwords, and providing secure storage for passwords. There is a learning curve to using a password manager, but once I got up to speed, I wondered how I would live without it. We have so many passwords to juggle these days. I am surprised that 50% of respondents are not providing a password manager.

2. Multi-factor Authentication

ILTA 2022 Technology Survey

Perhaps the single most recommended security mitigation is multi-factor authentication (MFA). Here we see Duo Security (a Cisco company) is the leader at 45%. There are three Microsoft solutions listed which total 27%.

In legal tech, it’s notable when a third-party solution is more widely adopted than a Microsoft solution as most law firms operate on the Microsoft stack.

3. What do You Secure with MFA?

ILTA 2022 Technology Survey

The largest response is VPN/Remote Access. Then Office 365. It’s very good to see high adoption of MFA for these widely used applications.

4. Which Phishing, Vishing, Social Engineering, or Security Awareness Program?

ILTA 2022 Technology Survey

KnowBe4 is the stand-out at 62%. Others used are Mimecast, Traveling Coaches, Proofpoint, managed service providers, and solutions developed in-house. Only 7% reported “None.” As phishing and social engineering are the cause of about 90% of exploits, law firms are wise to have these programs in place.

You may access the full data-rich report or the executive report from ILTA. Here is the download page.

-Maureen

Your Network Has Been Locked: What I Learned at ILTACON 2022

It was wonderful to meet with you all! Last week was the first fully in-person annual educational conference of the International Legal Technology Association (ILTA) since 2019. ILTACON is truly an event of peer-to-peer sharing. Many of the members have relationships dating back decades. Having an in-person event again was fantastic.

Security was one of the most in-demand topics. There were sessions on phishing, ransomware, breaches, and solutions. Here are three takeaways from sessions which I attended on what to do when a breach occurs. Note: I am not a cybersecurity expert. These are commonsense points which anyone can learn from.

Darkside Ransomware Email – Source: Acronis
  1. First Call

At 10 PM on Saturday night, Asher in Support gets a call from an attorney who says, “I’m looking at a screen which says, ‘Your network has been locked!'” Asher was educated to escalate any such messages immediately. Let’s assume that this message gets to the CIO within minutes.

Who does the CIO call first?

  • Is it a contracted or pre-vetted cybersecurity services provider?
  • Is it the cybersecurity insurance carrier?

In a session which included both a panelist from a top cybersecurity services provider and a panelist from a major cybersecurity insurance carrier, each argued that they should be the first call. Each may have distinct objectives.

The cybersecurity insurance carrier will immediately send in their SWAT team. This expertise may be quite welcome at the law firm. A good carrier will bring great expertise to bear. At the same time, law firms report that when the insurance carrier team arrives, they lose control of the process. The firm IT team may be sidelined, by contract. The insurance company may have as its top priority forensics. One of their objectives is to discover if the law firm were out of compliance with the policy.

The cybersecurity services company will also send in their SWAT team and bring great expertise and experience to bear. If the firm has vetted the services company their objectives should be aligned with the law firm’s.

Objectives include stopping exfiltration of firm data and business continuity. Law firms will want to safely get back to business-as-usual as quickly as possible.

2. Breach Counsel

One of the first things that the cybersecurity insurance carrier will do is to get their breach counsel engaged in the process so that communications are privileged. Law firms are uniquely positioned to get their own attorneys involved. Whether it is the insurance carrier’s attorney or a firm attorney, involve an attorney on all communications immediately. There will be public communications following the breach and perhaps legal action. Need I say more?

3. CIO Fiat to Shut Down Systems

When there is a breach, time is of the essence. Data may still be exfiltrating. While no law firm wants to do so, the best action may be to shut down all systems immediately. The moment when the firm’s data is flowing out to the hackers is not a good time to educate and negotiate with the firm’s executive team regarding shutting down systems. The CIO should have clear authority in advance to shut down systems.

Bonus: Have a Plan

Your firm is a target. Services, like Dark Utilities, make it easy for hackers to to set up a command center (C2) for malicious operations. Prices for C2-as-a-Service start at EUR 9.99. Easy, inexpensive tools mean that firms of any size are a target for “drive-by” attacks.

Even while your full incident recovery program is in development, it’s time well-spent to have a plan for the three points above in order to respond quickly.

One of the benefits of ILTACON is that we learn what has worked for other law firms in real world settings. Each firm should assess their own response plan.

See you in Orlando at #ILTACON23!

-Maureen

F5 Labs on Phishing in 2020

Last week in my post on Okta’s 2021 Businesses at Work report, I mentioned the F5 Labs 2020 Phishing and Fraud Report. It is cited in the Businesses at Work report for its warning on Office 365. In brief, that warning is that Office 365 is a rich target because if an attacker breaches Office 365, they have access to email and much more, including potentially to SharePoint and OneDrive. F5 Labs warns to use Multi-Factor Authentication (MFA) with Office 365.

The F5 Labs Phishing and Fraud report is full of useful information. It’s a tutorial on phishing, a source of exploit data, and a guide as to how to protect from phishing.

In this post, I share 3 of the many images in the report to tempt you to looking at the full report.

Phishing Incidents Dealt with by F5’s Security Operations Center – F5 Labs

We’ve known for years that phishing is the number one cause of data breaches. F5 Labs estimated, as shown above, that the number of phishing incidents in 2020 was projected to increase by 15% compared with 2019.

Sample Phishing Subject Lines – F5 Labs

As anyone who has an email inbox knows, phishing perpetrators are nothing if not topical. In addition, they prey on fear. These cyber-criminals were quick to capitalize on COVID-19. Starting in March 0f 2020, fear and false information about COVID-19 became a hot subject for phishing, as this list conveys.

Steps in a Phishing Attack – F5 Labs

The report explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. It concludes with pragmatic sections on “Protecting the Business” and “Protecting Users.”

F5 Labs also explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. Phishing is a challenging problem. It is social engineering. The attackers’ schemes mutate. We humans are the weak link. F5 Labs has useful research here, free tor the reading.

-Maureen

Okta’s 2021 Businesses at Work Report

Each year I look forward to Okta’s Businesses at Work report. Okta anonymizes data from its more than 9,400 customer entities. These are customers which use the Okta Identity Network (OIN) with its over 6,500 integrations with cloud, mobile, and web apps, and with IT infrastructure providers. The report is free, not even a registration is needed. To my knowledge no other public report provides this level of data on cloud application usage.

For data lovers it’s a treasure trove of facts about cloud usage. There are over 28 charts and tables. Download it here. I’ll share a few of my favorite insights from the report.

Most Popular Apps by Number of Customers

Microsoft 365 wins. I attended a legal technology conference in 2014. In a session on SharePoint, hosted by Microsoft, the roadmap showed that Outlook, Exchange, and, yes, SharePoint were all moving to the cloud in the form of Office 365. People exited the room in fury. At that time, most law firms were adamant – No Cloud. While there will always be law firms, especially “Big Law,” which will keep Outlook, SharePoint, and the Office Suite on-premises, the adoption of Office 365 or Microsoft 365 in the legal sector has been swift over the past two years. The Okta data reflects this.

This chart shows that the gap in usage between Microsoft 365 and all other applications, including AWS and Salesforce, has only widened in the past 5 years.

Most Popular Video Conferencing Apps

This graph highlights the steep curve in Zoom usage which we all lived through in 2020. At Mobile Helix, we started using Zoom heavily in 2017. We even perform our LINK system deployments remotely over Zoom in about two hours. When the pandemic hit, we were easily able to deploy LINK with IT staff who were themselves working from home. Customers favor our over-Zoom deployment over an on-site visit as it ends up taking less of their time.

Customers Authenticating With Each Factor

Phishing has been up 220% during the pandemic per F5’s 2020 Phishing and Fraud Report (an excellent report on phishing). The Okta report quotes, “F5 warns that the login page of our most popular app, Microsoft 365 (M365), is one of the most popular targets for generic phishing because attackers know that stealing Office 365 credentials can grant them access not only to email but also corporate documents, finance, HR, and many other critical business functions.”

Strong Multi-Factor Authentication (MFA) should be used with M365. The chart above shows that of Okta customers authenticating with a factor in addition to, or instead of a password, 82% use Okta Verify. The good news here is that weaker factors such as SMS and security questions are on the decline.

One of the positive conclusions from Okta’s 2021 Businesses at Work report has to be that as difficult as 2020 was, with 38M people applying for unemployment, if it had happened even 10 years earlier, how many people would have been unable to work from home? The growth of web-based applications, cloud-based services, and mobile apps resulted in most office jobs successfully transitioning to work-from-home in two or three weeks.

2020 was The Year of the Cloud.

-Maureen

Phishing Never Takes a Holiday

No. I’m not referring to the now infamous GoDaddy employee $650 holiday bonus email. Employees who responded to the email with the requested information were later informed that they had failed the company phishing test. If you have not yet read that dispiriting story, it’s here.

I am referring to this charming email which I received this morning.

Phishing Email and Fish
Phishing Email from “[email protected]

It is from: “Mobilehelix passwordexpiration.”

Presumably, that would be warning enough for your employees to hit the “Delete” button posthaste.

If not that, then maybe those over-sized blue bands which overlap the line below would be a tip-off.

(I have obscured the recipient’s email address.)

This is a very good opportunity for me to show you a security feature in our LINK App. When you open an email in LINK you will always see the alias and below it the sender’s email address. You don’t have to tap or do anything else to display the email address. It’s there.

In this case the alias is the aforementioned, “Mobilehelix passwordexpiration.”

And the email address is, “[email protected].”

If your employee were uncertain as to whether to hit that “Delete” button, I think that seeing that the email is from “[email protected]” would be the icing on the cake. This email is definitely not from the company IT department. Delete.

We are serious about security at Mobile Helix. Much of what we build into the LINK system, such as certificate-based device registration in the new user registration process, is behind the scenes. It’s invisible to your employee and works in the background.

But this security feature is a designed to help your employees to be watchdogs for senders with devious intentions. 90% of organizations experienced targeted phishing attacks in 2019. Humans are the weakest link. This is one simple tool to help all of us to be vigilant.

-Maureen

Originally published in LinkedIn on December 28, 2020