Is being hacked enough to destroy your law firm?

Are you safe?

October, 2022 - Author Kelly Mills


Would a Client refer your Law Firm after their data was compromised?

What is the real cost of a law data breach? Is it financial, or does it destroy your Law Firm's reputation?

We supply some of the most technologically advanced, easy-to-use legal software in Australia today, and for many years we have also been helping small to large organisations with ethical data mining. Our experience makes us well placed to supply pre-eminent ways to help you protect your data, and the data of your clients.

This blog is about our experiences with online and desktop security. We want to share with you easy ways that you can protect your data, along with anecdotes from those that haven't protected themselves well. You might be surprised by the possible cost to your firm that the decisions of other providers are exposing you to.

One of the most effective ways to avoid a data breach is Multi Factor Authentication. All applications, regardless of whether they are Cloud, Hybrid Cloud or Desktop/server, should have multi factor authentication.

Google's security blog released data that shows that Multi-Factor Authentication prevents the vast majority of Account Take Over (ATO) attacks. Account takeover prevention rates differ depending on the MFA challenge type. Device-based challenges provide adequate protection against hackers: SMS 2FA protected against 100% of account takeover attacks coming from automated bots, was 96% effective against bulk phishing attacks, and only 76% effective against targeted attacks. Read more about MFA authentication below.

Given the number of attacks that occur minute by minute, the only acceptable statistic above is 100%. If 24% of targeted attacks succeeding sounds like a lot of breaches, you are right, it is. If you have ever stopped to think "who would even try to hack me?", you'd be surprised.

‘Who would attack me, I’ll tell you who’

I can say that the worst and most catastrophic hacks that I have been directly requested to assist with after the fact have been one of a sizeable suburban Australian real estate agency's property management and trust accounting software on their server, and one of a small to medium law firm using desktop software on their server. In both instances the businesses thought they were protected, and both were paying IT companies to ensure they were safe. Both situations were phishing attacks that were reframed as targeted attacks, and both companies were held to ransom. Neither paid the ransom in Bitcoin, and both businesses suffered disastrous financial and reputational losses. One specifically reported that it wasn't the people who had data with them who fled most quickly, but rather that the referrers who had sent them clients stopped doing so immediately.

‘Attacks aren’t reserved for websites.’

It is true that there are some special people that are targeted, like journalists or politicians, but many targeted attacks start from more meagre beginnings. First, information is collected from low value data hacks of low security websites that you give your data to, like a mailing list, an online shop or a local sports club site. Then that information is used for phishing attacks, which is just 'fishing': casting enough lines into the ocean until you catch something. A hacker generally doesn't look up a business and start hacking them; they are more opportunistic in their selection.

For your own mental reference, selection in hacking occurs in the same way a local thief walks along a street and checks whether car doors are open; if the door is locked, they move on to the next car. You are only vulnerable if your car door is unlocked.

‘You don’t have to be special to be a victim in a hacking attack.’

In my experience, every business owner has at least once thought "who would even know I existed, and who would take the time to hack me?", but this mindset highlights how little is understood about hacking. When people think of targeted attacks, they believe the movies and think that a business is singled out like in some espionage film. But really, to consider hacks in this way is the equivalent of believing that a local thief would single out a solitary car owner on the street and mastermind various ways to unlock that person's car. Even local thieves know that this makes no sense, and trust me, hackers are at least as intelligent as the person testing car doors. Unlike in the movies, hacking is for the most part a crime of opportunity and social engineering. Unlike local thieves, hackers will jiggle a million door handles in a few minutes.

20 second lesson on Multi factor Authentication

MFA or 2FA

Multi-factor authentication is an electronic authentication method in which a user is granted access to an application only after successfully presenting two or more pieces of ‘evidence’ to an authentication mechanism.

Evidence can consist of knowledge, possession, or inherence.
Knowledge (something only the user knows), for example your first cat's name or your mum's maiden name, but watch out, because your mum knows both of these.
Possession (something only the user has), for example a mobile phone or an authentication app.
Inherence (something only the user is), for example a fingerprint or biometric scan.

Can Usernames and Passwords protect you?

Usernames and passwords are part of Multi Factor Authentication, falling in the knowledge category, something the user knows. Sadly, faced with an inundation of sites and logins, users have for the most part become blasé about this level of security, and it has lost its power as a single authentication method.

** Did you know? Computers have become more powerful and can brute force simple passwords up to 16 characters long, and even complex passwords up to 6 characters, e.g. Sr%6p*. Plus, over the years hackers have built huge password lists from passwords that have been leaked, so the hacker brute forces with those passwords in order of commonality first and usually gets a result more quickly than people imagine.

Some software providers allow usernames to be email addresses, and while this appears to make life easier, your email address is not a secret, and accepting it reflects the site's or application's lack of concern over security.

Where possible your username should be unique, and for premium protection, it should be unique to the application itself. Guessing a unique username is as difficult as guessing a unique password.

27 years in legal software has shown me that users create rudimentary password patterns, which generally consist of a word, the number 1 and an exclamation mark, making attacks on single password entry simpler than they should be.
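The two points above (leaked lists tried in order of commonality, and the word + digit + symbol habit) are easy to demonstrate with an added example; this is illustrative code written for this post, not part of any Law Support product. The leaked-password list and the 50,000-word dictionary size are constructed assumptions; the estimator compares what a naive length-and-charset meter reports with the much smaller space an attacker who knows the pattern actually has to search.

```python
import math
import re
import string

# Constructed stand-in for a leaked-password list, ordered by how often each entry appears.
LEAKED_BY_FREQUENCY = ["123456", "password", "Welcome1!", "Password1!", "qwerty", "Summer2022!"]
# Assumed size of the dictionary an attacker pairs with digit/symbol suffixes.
DICTIONARY_WORDS = 50_000
SUFFIX_SYMBOLS = "!@#$%^&*"
# word (3+ letters) + 1-4 digits + optional trailing symbol, i.e. the "Lawyer1!" habit
WORD_DIGITS_SYMBOL = re.compile(r"^([A-Za-z]{3,})(\d{1,4})([" + re.escape(SUFFIX_SYMBOLS) + r"]?)$")

def charset_size(pw: str) -> int:
    """Alphabet size a naive meter assumes from the character classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return max(size, 1)

def naive_bits(pw: str) -> float:
    """Search space (in bits) that length x charset suggests."""
    return len(pw) * math.log2(charset_size(pw))

def effective_bits(pw: str) -> float:
    """Bits an attacker really needs: leaked list first, then word+digits+symbol, then raw brute force."""
    if pw in LEAKED_BY_FREQUENCY:
        return math.log2(LEAKED_BY_FREQUENCY.index(pw) + 1)   # found after N guesses
    m = WORD_DIGITS_SYMBOL.match(pw)
    if m:
        word, digits, symbol = m.groups()
        # dictionary words x (capitalised or not) x digit combinations x symbol choices
        guesses = DICTIONARY_WORDS * 2 * 10 ** len(digits) * (len(SUFFIX_SYMBOLS) if symbol else 1)
        return math.log2(guesses)
    return naive_bits(pw)

def rate(pw: str) -> str:
    bits = effective_bits(pw)
    return "weak" if bits < 40 else "fair" if bits < 60 else "strong"

if __name__ == "__main__":
    for pw in ["Welcome1!", "Lawyer1!", "k7$Qw2!pLm9z"]:
        print(f"{pw:14} naive {naive_bits(pw):5.1f} bits  effective {effective_bits(pw):5.1f} bits  {rate(pw)}")
```

"Lawyer1!" looks like 52 bits to a naive meter but is under 23 bits to an attacker who tries the pattern, which is why the word-1-! habit is so cheap to break.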

We recommend a different password for every application or website; even if the change is only a few letters, it is better than nothing.

One simple thing you can do to at least begin making your personal data more secure is to put each site you access into one of three categories: personal important safe sites, business important safe sites and low value sites. Then produce a username and password combination for each of these three categories, and do not ever cross them over, EVER! Another option could be a password registry.

If you want to step it up, change the important safe site passwords to be slightly different for each site.

The reason to have three distinct categories at a minimum is that many hacks are derived from usernames and passwords collected from low-security, low-value sites and then used on high-value sites to gain access.

Kelly Mills

For Law Support Australia Pty Ltd

Law Support is an ATO whitelisted payroll software company and Legal Practice Management software provider. We design legal software that gives law firms and professional services businesses the best chance at reducing hacks on legal data. Becoming a whitelisted software provider with the ATO was an arduous and rewarding task. What this means for you at your law firm is that our security protocols aren't just based on our say so: we are required to outline our security standards (OWASP) and we are annually audited by the ATO to maintain our whitelist status.